Threat Description

Trojan-Downloader:OSX/Jahlev.A


Category: Malware
Type: Trojan-Downloader
Platform: OSX
Aliases: Trojan-Downloader:OSX/Jahlev.A


Trojan-Downloader:OSX/Jahlev.A entices the user into downloading a fake video codec, which supposedly will solve an ActiveX object error. The downloaded file is a mountable disk image (DMG) file, the format used by Mac OS X to install applications, and contains an installer package named "install.pkg".


Automatic action

Once detected, F-Secure Anti-Virus for Mac will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details


On installing the DMG file, the following image is displayed, as the trojan cleverly camouflages itself as a MacAccess installer:

Unbeknown to the victim, the trojan will install a file named "AdobeFlash" to "/Library/Internet Plug-Ins". The AdobeFlash file is a copy of the preinstall/preupgrade files from the DMG file's installer package, install.pkg, and is a script that appears as:

The output of the script is a file named "withlove", which is able to perform tasks in the background at regular intervals while remaining hidden from the victim. The output file also contains a script that must be decoded to determine the task being performed. The task is contained in a file named "jah", and its purpose appears to be to connect to the URL 94.102.60.[...] in order to download and execute a file. As of this writing, however, no files are available for download from this link.
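A triage check for the artifacts named above, as an added example that is not part of the original description or of any F-Secure tool. The function name `jahlev_check`, its arguments, the output wording and the whole-volume search are assumptions of this example; only the file names and the plug-in path come from the description.

```shell
#!/bin/sh
# Added example. File names come from the description above; the search
# layout and output wording are this example's assumptions.

# jahlev_check ROOT [PKG_DIR]
#   ROOT    : filesystem root to inspect (default /), e.g. a mounted forensic copy
#   PKG_DIR : optional bundle-style or expanded install.pkg directory (assumed layout)
# Prints one line per finding; returns 1 if anything was found, else 0.
jahlev_check() {
    root="${1:-/}"; root="${root%/}"
    pkg="${2:-}"
    found=0
    plug="$root/Library/Internet Plug-Ins/AdobeFlash"

    # Assumption: plug-ins are normally installed as bundles (directories);
    # the description reports a plain script file with this name.
    if [ -f "$plug" ]; then
        found=1
        if [ "$(head -c 2 "$plug" 2>/dev/null)" = "#!" ]; then
            echo "FOUND script (not a plug-in bundle): $plug"
        else
            echo "FOUND regular file (not a plug-in bundle): $plug"
        fi
        # The dropped file is described as a copy of the package's
        # preinstall/preupgrade script, so a byte-for-byte match ties it to PKG_DIR.
        if [ -n "$pkg" ] && [ -d "$pkg" ]; then
            find "$pkg" -type f \( -name preinstall -o -name preupgrade \) |
            while IFS= read -r s; do
                if cmp -s "$s" "$plug"; then echo "MATCH installer script: $s"; fi
            done
        fi
    fi

    # Output and task files named in the description; their locations are not
    # given there, so the whole volume is searched (-xdev: stay on one volume).
    hits=$(find "$root/" -xdev -type f \( -name withlove -o -name jah \) 2>/dev/null || true)
    if [ -n "$hits" ]; then
        found=1
        printf '%s\n' "$hits" | sed 's/^/FOUND named artifact: /'
    fi
    return "$found"
}
```

A hit on the file names alone is a lead for further inspection, since "jah" and "withlove" are not unique strings.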

