Trojan:OSX/DNSChanger are detections of installation packages, masked as fake codec installations for Mac OS X computers.


Automatic action

The F-Secure security product will automatically remove the file.

Restoring DNS Settings

  • Open the Apple Network Pane:
    • Applications >System Preferences >Network
  • Set the correct DNS Server, or leave it blank if you use a DHCP server.
  • To double check the DNS settings, click the Advanced button and choose the DNS tab:
  • Click the OK button, then the Apply button.
Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

These trojans start in the package install scripts.


Social engineering techniques are used to persuade the user into downloading and running this trojan. Websites hosting video (often illicit) claim that the video cannot be viewed without installing a new codec. The user is prompted to install the "needed" codec.

The user then downloads:

Installing the fake codec:

Once the fake codec is installed, the video will play so as not to raise suspicion. During the installation, the local machine's DNS settings are adjusted to point towards a malicious server.

Changes the DNS Server

The trojan changes the OS X network settings to use a different DNS server. DNS Settings are made with a tool called scutil.

The DNS Server Addresses vary. For example, Trojan:OSX/DNSChanger.A directs traffic to servers located in Ukraine.

Reports Back

After installation, the script sends back an HTTP message with information that it successfully infected the system. The message contains the operating system version and the host name.

Prevents Disinfection

The install script adds a crontab (a configuration file that specifies shell commands to run periodically on a given schedule) to a script to verify the malicious DNS servers remain unchanged. The script is stored in /Library/Internet Plug-Ins and is named plugins.settings.

The trojan infects both 10.4 and 10.5 versions of Mac OS X.

Date Created: -

Date Last Modified: -