Trojan-Downloader:OSX/Jahlev.A

Name: Trojan-Downloader:OSX/Jahlev.A
Category: Malware
Type: Trojan-Downloader
Platform: OSX

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Additional Details

Jahlev.A is a trojan-downloader that entices the user to download a fake video codec, which supposedly will solve an ActiveX object error.

The downloaded file is a mountable disk image file (DMG file) used by Mac OS X to install applications, and contains an installer package named "install.pkg".

Execution

On installing the DMG file, the following image is displayed, as the trojan cleverly camouflages itself as a MacAccess installer:

[Image: jahlev installer]

Unbeknownst to the victim, the trojan installs a file named "AdobeFlash" into "/Library/Internet Plug-Ins". This "AdobeFlash" file is a copy of the preinstall/preupgrade files from the DMG file's installer package, install.pkg, and is a script that appears as:

[Image: jahlev script]

The output of the script is a file named "withlove", which is able to perform tasks in the background at regular intervals while remaining hidden from the victim.

The output file also contains a script that must be decoded to determine the task being performed. The task is contained in a file named "jah", and its purpose appears to be to connect to the URL 94.102.60.[...] in order to download and execute a file.

As of this writing however, no files are available for download from this link.
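As an added example that is not part of this description or of any vendor tooling, the following POSIX shell triage check looks for the first artifact named above: a plain script dropped into "/Library/Internet Plug-Ins", where genuine entries are .plugin or .webplugin bundles (directories). The bundle-extension allowlist and the PLUGIN_DIR override are assumptions made for portability and testing.

```shell
#!/bin/sh
# Added triage check for the Jahlev.A drop described above (assumed heuristics,
# not F-Secure's detection logic). Genuine Internet Plug-Ins entries are bundle
# directories, so a regular file beginning with "#!" is worth a closer look.

PLUGIN_DIR="${PLUGIN_DIR:-/Library/Internet Plug-Ins}"   # override when testing

# is_script FILE -> succeeds if FILE is a regular file starting with "#!"
is_script() {
    [ -f "$1" ] || return 1
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# scan_plugins_dir DIR -> prints one line per suspicious entry, then the number
# of findings on the last line; returns 1 if anything was flagged, 0 otherwise
scan_plugins_dir() {
    dir="$1"
    hits=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for entry in "$dir"/* "$dir"/.*; do
        [ -e "$entry" ] || continue                 # unmatched glob
        name=$(basename "$entry")
        case "$name" in
            .|..) continue ;;                       # directory self-references
            *.plugin|*.webplugin) continue ;;       # expected bundle types
        esac
        if is_script "$entry"; then
            echo "SUSPICIOUS: script where a plug-in bundle is expected: $entry"
            hits=$((hits + 1))
        elif [ "$name" = "AdobeFlash" ]; then
            echo "SUSPICIOUS: file uses the Jahlev.A drop name: $entry"
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
    [ "$hits" -eq 0 ]
}

# Stand-alone run: scan the real directory when it exists (it will not on a
# non-macOS host); exit status 1 signals findings.
if [ -d "$PLUGIN_DIR" ]; then
    scan_plugins_dir "$PLUGIN_DIR"
fi
```

A legitimate bundle named "AdobeFlash.plugin" would pass the allowlist; only a bare file or a script under that name is reported.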