Trojan-Downloader:OSX/Jahlev.A entices the user into downloading a fake video codec, which supposedly will solve an Active X object error. The downloaded file is a mountable disk image (DMG) file used by Mac OS X to install applications, and contains an installer package named "install.pkg".
Once detected, F-Secure Anti-Virus for Mac will automatically disinfect the suspect file by either deleting it or renaming it.
On installing the DMG file, the following image is displayed, as the trojan cleverly camouflages itself as a MacAccess installer:
Unbeknown to the victim, the trojan will install a file named "AdobeFlash" to "/Library/Internet Plug-Ins". The AdobeFlash is a copy of the preinstall/ preupgrade files from the DMG file's installer package, install.pkg, and is a script that appears as:
The output of the script is a file named "withlove", which is able to perform tasks in the backgrounds at regular intervals, while remaining hidden from the victim.The output file also contains a script that must be decoded to determine the task being performed. The task is contained in a file named "jah", and its purpose appears to be to connect to the URL: 94.102.60.[...], in order download and execute a file.As of this writing however, no files are available for download from this link.