This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
Once detected, F-Secure Anti-Virus for Mac will automatically disinfect the suspect file by either deleting it or renaming it.
Jahlev.A is a trojan-downloader that entices the user to download a fake video codec, which supposedly will solve an Active X object error.The downloaded file is a mountable disk image file (DMG file) used by Mac OS X to install applications, and contains an installer package named "install.pkg".
On installing the DMG file, the following image is displayed, as the trojan cleverly camouflages itself as a MacAccess installer:
Unbeknown to the victim, the trojan will install a file named "AdobeFlash" to "/Library/Internet Plug-Ins". The AdobeFlash is a copy of the preinstall/ preupgrade files from the DMG file's installer package, install.pkg, and is a script that appears as:
The output of the script is a file named "withlove", which is able to perform tasks in the backgrounds at regular intervals, while remaining hidden from the victim.The output file also contains a script that must be decoded to determine the task being performed. The task is contained in a file named "jah", and its purpose appears to be to connect to the URL: 94.102.60.[...], in order download and execute a file.As of this writing however, no files are available for download from this link.