Threat Description

Trojan-Downloader:​OSX/Jahlev.A

Details

Aliases: Trojan-Downloader:​OSX/Jahlev.A
Category: Malware
Type: Trojan-Downloader
Platform: OSX

Summary



This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus for Mac to remove the relevant files.



Technical Details



Jahlev.A is a trojan-downloader that entices the user to download a fake video codec, which supposedly will solve an Active X object error.The downloaded file is a mountable disk image file (DMG file) used by Mac OS X to install applications, and contains an installer package named "install.pkg".

Execution

On installing the DMG file, the following image is displayed, as the trojan cleverly camouflages itself as a MacAccess installer:

Unbeknown to the victim, the trojan will install a file named "AdobeFlash" to "/Library/Internet Plug-Ins". The AdobeFlash is a copy of the preinstall/ preupgrade files from the DMG file's installer package, install.pkg, and is a script that appears as:

The output of the script is a file named "withlove", which is able to perform tasks in the backgrounds at regular intervals, while remaining hidden from the victim.The output file also contains a script that must be decoded to determine the task being performed. The task is contained in a file named "jah", and its purpose appears to be to connect to the URL: 94.102.60.[...], in order download and execute a file.As of this writing however, no files are available for download from this link.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Disinfect your Mac

F-Secure Anti-Virus for Mac will disinfect your Mac and remove all harmful files

Learn More