This Trojan may be downloaded unknowingly by a user when visiting malicious Web sites.
It may arrive on a system as the following file:
It arrives as a Mac OS X mountable disk image file that contains the installer package file INSTALL.PKG.
This installer package file contains its malicious script and its component files. Two of these files are the following identical malicious scripts, which are detected by Trend Micro as UNIX_JAHLAV.E:
Executing INSTALL.PKG displays the following graphical user interface (GUI):
Once installation is finished, the following files are added on the system:
- /Library/Internet Plug-Ins/AdobeFlash
- /Library/Internet Plug-Ins/Mozillaplug.plugin
In the background, while the installer is running, this malware executes the following malicious scripts:
These scripts are obfuscated using SED commands and UUEncode; when decoded, they contain the following:
This script copies itself to /Library/Internet Plug-Ins/AdobeFlash and then creates a cron job that runs the malware every 5 minutes.
It also contains another obfuscated script which, when deobfuscated, yields yet another script, detected as PERL_JAHLAV.F.
This Perl script sends an HTTP GET request to the following IP address to download another malicious Perl script:
However, the site is inaccessible as of this writing.
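The two persistence and obfuscation traits described above (a cron job firing every 5 minutes that launches the file dropped under /Library/Internet Plug-Ins, and a UUEncode layer wrapping the shell script) are the parts a responder can check for directly. The following Python is an added example written for this write-up, not code from Trend Micro or from the malware: it parses crontab output for entries that reference the indicator paths listed above, reports their interval, and decodes a begin/end-framed uuencoded block so the wrapped layer can be inspected. The crontab text and the uuencoded block are constructed for the demo; the `*/5 * * * *` schedule form is an assumption about how a five-minute cron job would be expressed.

```python
import binascii
import os
import re

# Indicator paths taken from the write-up above.
INDICATOR_PATHS = (
    "/Library/Internet Plug-Ins/AdobeFlash",
    "/Library/Internet Plug-Ins/Mozillaplug.plugin",
)

# Constructed sample of what `crontab -l` might print on an affected host;
# the */5 entry mirrors the five-minute cron job the write-up describes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/periodic daily
*/5 * * * * "/Library/Internet Plug-Ins/AdobeFlash" >/dev/null 2>&1
"""

# Constructed uuencoded layer wrapping harmless marker text, built here so
# the demo is self-contained; a real sample would wrap the dropped script.
SAMPLE_PLAINTEXT = b"echo decoded layer\n"
SAMPLE_UU = (
    "begin 644 payload\n"
    + binascii.b2a_uu(SAMPLE_PLAINTEXT).decode("ascii")
    + "`\nend\n"
)


def parse_crontab(text):
    """Yield (schedule, command) pairs; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        n_sched = 1 if line.startswith("@") else 5   # @reboot-style vs five fields
        parts = line.split(None, n_sched)
        if len(parts) == n_sched + 1:
            yield " ".join(parts[:n_sched]), parts[n_sched]


def every_n_minutes(schedule):
    """Return n when a five-field schedule fires every n minutes, else None."""
    fields = schedule.split()
    if len(fields) != 5 or fields[1:] != ["*"] * 4:
        return None
    if fields[0] == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", fields[0])
    return int(m.group(1)) if m else None


def find_persistence(crontab_text, indicators=INDICATOR_PATHS):
    """Return cron entries whose command references one of the indicator paths."""
    hits = []
    for schedule, command in parse_crontab(crontab_text):
        if any(path in command for path in indicators):
            hits.append({
                "schedule": schedule,
                "command": command,
                "interval_minutes": every_n_minutes(schedule),
            })
    return hits


def indicator_files_present(indicators=INDICATOR_PATHS):
    """Return the indicator paths that exist on this host."""
    return [p for p in indicators if os.path.exists(p)]


def uudecode(text):
    """Decode a begin/end-framed uuencoded block into bytes."""
    out = bytearray()
    inside = False
    for line in text.splitlines():
        if line.startswith("begin "):
            inside = True
            continue
        if line.strip() == "end":
            break
        if inside and line.strip():
            out += binascii.a2b_uu(line)   # the lone "`" line decodes to b""
    return bytes(out)


if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_CRONTAB):
        print(f"suspicious cron entry every {hit['interval_minutes']} min: {hit['command']}")
    print("indicator files on this host:", indicator_files_present())
    print("decoded layer:", uudecode(SAMPLE_UU).decode())
```

On a live host, feed `find_persistence` the output of `crontab -l` for each user (the write-up does not say which user's crontab the malware modifies, so check all of them) and pair it with `indicator_files_present`; `uudecode` is meant for a script body recovered from the installer package, not for the cron line itself.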
This Trojan runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis By: Kathleen Mae Notario