Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Trojan-Downloader:OSX/Jahlev.A


Aliases:


Trojan-Downloader:OSX/Jahlev.A

Malware
Trojan-Downloader
OSX

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus for Mac to remove the relevant files.



Technical Details

Jahlev.A is a trojan-downloader that entices the user to download a fake video codec, which supposedly will solve an Active X object error.The downloaded file is a mountable disk image file (DMG file) used by Mac OS X to install applications, and contains an installer package named "install.pkg".


Execution

On installing the DMG file, the following image is displayed, as the trojan cleverly camouflages itself as a MacAccess installer:

Unbeknown to the victim, the trojan will install a file named "AdobeFlash" to "/Library/Internet Plug-Ins". The AdobeFlash is a copy of the preinstall/ preupgrade files from the DMG file's installer package, install.pkg, and is a script that appears as:

The output of the script is a file named "withlove", which is able to perform tasks in the backgrounds at regular intervals, while remaining hidden from the victim.The output file also contains a script that must be decoded to determine the task being performed. The task is contained in a file named "jah", and its purpose appears to be to connect to the URL: 94.102.60.[...], in order download and execute a file.As of this writing however, no files are available for download from this link.







Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Disinfect your Mac




F-Secure Anti-Virus for Mac will disinfect your Mac and remove all harmful files