This malware may be downloaded from the following remote sites:
It may be downloaded unknowingly by a user when visiting malicious Web sites.
This file is a Mac OS X mountable disk image (.DMG) that contains malicious code in the following Install Operation scripts, which are also detected by Trend Micro as OSX_JAHLAV.K:
The script copies itself into /Library/Internet Plug-Ins/AdobeFlash and then creates a cron job that enables this malware to execute periodically every 5 minutes.
It also contains a chain of further encrypted code, the last stage of which is a Perl script that attempts to download and execute another malicious script. That script is downloaded from the following site:
The downloaded script resets the DNS configuration of the affected system and adds two new IP addresses as the DNS servers. As a result, users may be redirected to phishing sites or to sites from which other malware may be downloaded.
Once installation is finished, the following files are added to the system:
- /Library/Internet Plug-Ins/AdobeFlash
- /Library/Internet Plug-Ins/Mozillaplug.plugin
This malware runs on Mac OS X.
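The three indicators this entry names (the cron job pointing at the dropped AdobeFlash file, the two files under /Library/Internet Plug-Ins, and the changed DNS servers) can be checked with a few shell functions. The script below is an added example and is not part of the Trend Micro write-up; the sample crontab text and the DNS server addresses it uses are constructed for illustration, since the page does not give the actual cron line or the rogue DNS addresses. The functions take their input as arguments or on stdin so they can be run on a Mac (feeding in `crontab -l`, the root crontab, and `networksetup -getdnsservers`) or exercised offline.

```shell
#!/bin/sh
# Added example (not from the Trend Micro entry): checks for the OSX_JAHLAV.K
# indicators the write-up lists. POSIX sh, no macOS-only commands required.

# Dropped files named in the write-up.
JAHLAV_PATHS="/Library/Internet Plug-Ins/AdobeFlash
/Library/Internet Plug-Ins/Mozillaplug.plugin"

# Constructed sample crontab (the real cron line is not on the page).
SAMPLE_CRONTAB='# constructed sample crontab
0 3 * * * /usr/bin/backup.sh
*/5 * * * * "/Library/Internet Plug-Ins/AdobeFlash" >/dev/null 2>&1'

# cron_refs_jahlav: reads crontab text on stdin, prints lines that reference the
# dropped AdobeFlash path (with or without a backslash-escaped space), returns 0
# if any were found and 1 otherwise. Feed it `crontab -l` and the root crontab.
cron_refs_jahlav() {
    grep -E 'Internet\\? Plug-Ins/AdobeFlash'
}

# dropped_files_present ROOT: checks whether the dropped files exist under ROOT
# (pass "/" on a real Mac). Prints each one found; returns 0 if any is present.
dropped_files_present() {
    root=${1%/}
    found=1
    while IFS= read -r p; do
        if [ -e "$root$p" ]; then
            printf 'found: %s\n' "$root$p"
            found=0
        fi
    done <<EOF
$JAHLAV_PATHS
EOF
    return $found
}

# unexpected_dns "ip1 ip2 ...": reads the configured DNS servers on stdin, one
# per line (on a Mac: networksetup -getdnsservers Wi-Fi), and prints any server
# that is not in the space-separated allowlist of servers you expect. Returns 0
# if something unexpected was found, 1 otherwise.
unexpected_dns() {
    allow=" $1 "
    hit=1
    while IFS= read -r srv; do
        [ -n "$srv" ] || continue
        case "$allow" in
            *" $srv "*) ;;
            *) printf 'unexpected DNS server: %s\n' "$srv"; hit=0 ;;
        esac
    done
    return $hit
}

# Demonstration on the constructed sample crontab.
if printf '%s\n' "$SAMPLE_CRONTAB" | cron_refs_jahlav; then
    echo "cron entry referencing the dropped AdobeFlash file found"
fi
```

On an affected Mac the cron check is the quickest tell: a `*/5` entry (every five minutes, as the write-up states) pointing into /Library/Internet Plug-Ins is not something a legitimate Flash install creates. The DNS check needs you to supply the servers your network is supposed to hand out; anything else that appears after the second-stage script ran is the redirection vector described above.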
Analysis By: Karl Dominguez