Threat Encyclopedia

OSX_JAHLAV.K

Malware type: Others

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Mac OS X

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Low

Distribution potential:

Low

Description: 

This malware may be downloaded unknowingly by a user when visiting malicious Web sites.

This file is a MAC OS X mountable Disk Image file (.DMG) which contains malicious codes in the following Install Operation scripts, which are also detected by Trend Micro as OSX_JAHLAV.K.

The script creates a cron job that enables this malware to execute periodically every 5 minutes. It also contains a chain of other encryted codes, the last one of which is a Perl script that attempts to download and execute another malicious script.

The said downloaded script resets the DNS configuration of the affected system and adds two new IP addresses as the DNS server. As a result, users may be redirected to phishing sites or sites where other malware may be downloaded.

Once installation is finished, files are added into the system.

For additional information about this threat, see:

Description created: Aug. 26, 2009 6:08:02 AM GMT -0800


TECHNICAL DETAILS


File type: DMG

Memory resident:  No

Size of malware: 24,341 Bytes

Initial samples received on: Aug 26, 2009

Details:

This malware may be downloaded from the following remote sites:

  • http://{BLOCKED}zforspe.com/download/
    5434586447413d3d9f7e7c7a20090822/install_flash_player.dmg
  • http://{BLOCKED}edik.com/download/
    5434586447413d3d9f7e7c7a20090822/install_flash_player.dmg

It may be downloaded unknowingly by a user when visiting malicious Web sites.

This file is a MAC OS X mountable Disk Image file (.DMG) which contains malicious codes in the following Install Operation scripts, which are also detected by Trend Micro as OSX_JAHLAV.K:

  • Preinstall
  • Preupgrade

The script copies itself into /Library/Internet Plug-Ins/AdobeFlash and then creates a cron job that enables this malware to execute periodically every 5 minutes.

It also contains a chain of other encrypted codes, the last one of which is a Perl script that attempts to download and execute another malicious script. The said script is downloaded from the following site:

  • {BLOCKED}.{BLOCKED}.126.32/cgi-bin/generator.pl

The downloaded script resets the DNS configuration of the affected system and adds two new IP addresses as the DNS server. As a result, users may be redirected to phishing sites or sites where other malware may be downloaded.

Once installation is finished, the following files are added into the system:

  • /cron.inst
  • /i386
  • /Library/Internet Plug-Ins/AdobeFlash
  • /Library/Internet Plug-Ins/Mozillaplug.plugin

This malware runs on Mac OS X.

Analysis By: Karl Dominguez

Revision History:

First pattern file version: 6.528.03
First pattern file release date: Oct 10, 2009

SOLUTION


Minimum scan engine version needed: 8.900

Pattern file needed: 6.528.03

Pattern release date: Oct 10, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

 Step 1: Delete these files  

  • /cron.inst
  • /i386
  • /Library/Internet Plug-Ins/AdobeFlash
  • /Library/Internet Plug-Ins/Mozillaplug.plugin

 Step 2: Restore the default DNS server definitions  [learn how]

 Step 3: Scan your computer with your Trend Micro product to delete files detected as OSX_JAHLAV.K  

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.

Featured Stories

Connect with us on