This Trojan may be downloaded unknowingly by a user when visiting malicious Web site(s).
It may arrive on a system as the file install-Quick.Time.Pro188.8.131.52...Cracked.dmg. This file is a Mac OS X mountable disk image that contains the installer package file INSTALL.PKG.
This installer package contains component files and the following malicious scripts, which are also detected by Trend Micro as OSX_JAHLAV.I:
These scripts are obfuscated using sed commands and uuencode. The Trojan copies itself into /Library/Internet Plug-Ins/AdobeFlash and then creates a cron job that executes the malware every five minutes.
This Trojan also contains a chain of obfuscated scripts which, when decrypted, leads to a Perl script detected by Trend Micro as PERL_JAHLAV.F. This Perl script sends an HTTP GET request to the following IP address to download another malicious Perl script:
However, the site is inaccessible as of this writing.
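A check for the persistence described above (the copy under /Library/Internet Plug-Ins/AdobeFlash and its cron job), added here as an example and not taken from Trend Micro's analysis. The function name `scan_crontab` and the sample crontab are constructed for illustration; the `*/5` minute field is an assumption about how the five-minute schedule is written.

```shell
#!/bin/sh
# Drop path reported in the write-up above.
JAHLAV_PATH='/Library/Internet Plug-Ins/AdobeFlash'

# scan_crontab: read crontab text on stdin and print "<schedule>\t<command>"
# for every job whose command references JAHLAV_PATH.
scan_crontab() {
    awk -v path="$JAHLAV_PATH" '
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value settings
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^@/) {                           # @reboot, @hourly, ...
                sched = $1
                sub(/^[^ \t]+[ \t]+/, "", line)
            } else {
                if (NF < 6) next                         # not a complete job line
                sched = $1                               # minute field
                for (i = 0; i < 5; i++) sub(/^[^ \t]+[ \t]+/, "", line)
            }
            # The path contains a space, so match on the whole command text
            # rather than on whitespace-split fields.
            if (index(line, path)) printf "%s\t%s\n", sched, line
        }'
}

# Constructed sample crontab (not captured from an infected host).
SAMPLE_CRONTAB='# constructed sample
MAILTO=""
*/5 * * * * "/Library/Internet Plug-Ins/AdobeFlash" 1>/dev/null 2>&1
0 3 * * * /usr/sbin/periodic daily
'

printf '%s' "$SAMPLE_CRONTAB" | scan_crontab
```

On a live host, pipe the output of `crontab -l` for each account into `scan_crontab` and check whether the file at the reported path exists.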
This Trojan runs on Mac OS X.
Analysis By: Kathleen Mae Notario