
Trojan-Downloader:OSX/Jahlev.A


First posted on 26 November 2008.
Source: SecurityHome

Aliases :

There are no other names known for Trojan-Downloader:OSX/Jahlev.A.

Explanation :

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Jahlev.A is a trojan-downloader that entices the user to download what is presented as 'a video codec', supposedly needed to resolve an Active X object error.

The downloaded file is a mountable disk image (DMG file) of the kind used by Mac OS X to distribute applications, and it contains an installer package named 'install.pkg'.

Execution

When 'install.pkg' is run, the installer displays a window (shown as a screenshot in the original description) that camouflages the trojan as a MacAccess installer.
Unbeknownst to the user, the trojan installs a file named 'AdobeFlash' into '/Library/Internet Plug-Ins'. This 'AdobeFlash' file is a copy of the preinstall/preupgrade scripts from the installer package 'install.pkg'; the original description shows the script's listing as an image.
The script writes out a file named 'withlove', which performs tasks in the background at regular intervals while remaining hidden from the user.

The output file also contains a script that must be decoded to determine the task being performed. The task is contained in a file named 'jah', and its purpose appears to be to connect to the URL 94.102.60.[...] in order to download and execute a file. As of this writing, however, no files are available for download from this link.
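The installation chain above (a .pkg whose preinstall/preupgrade scripts drop a copy of themselves into '/Library/Internet Plug-Ins' and stage a downloader) is exactly what an analyst wants to catch before clicking Install. The following is an added example, not part of the original description and not the trojan's own script (which the page does not reproduce): a Python triage helper that enumerates the installer scripts inside a bundle-style Mac OS X .pkg (the Contents/Resources/preinstall, preupgrade, postinstall... layout) and flags any that reference the paths, file names or network prefix reported for Jahlev.A, plus generic download-and-decode keywords. The sample package it builds and scans is constructed here for the demonstration; the indicator names and the pattern list are the example's own choices.

```python
"""Triage helper for Mac OS X bundle-style .pkg installer scripts.

Added example: enumerates preinstall/preupgrade/postinstall-type scripts in a
.pkg directory and flags those referencing indicators from the Jahlev.A
description.  The sample package built by build_sample_pkg() is constructed
for this demo; it is not the real Jahlev.A installer.
"""
import os
import re
import stat
import tempfile

# Script names Installer.app runs from Contents/Resources of a bundle-style .pkg.
INSTALLER_SCRIPT_NAMES = ("preflight", "preinstall", "preupgrade",
                          "postflight", "postinstall", "postupgrade")

# Indicators taken from the description: the drop directory, the dropped file
# names, and the network prefix (the page elides the last octet, so only the
# prefix is matched).  The last two patterns are generic heuristics for a
# downloader that ships an encoded payload, not Jahlev-specific facts.
SUSPICIOUS_PATTERNS = {
    "writes_to_internet_plugins": re.compile(r"/Library/Internet Plug-Ins"),
    "jahlev_dropped_name": re.compile(r"\b(AdobeFlash|withlove|jah)\b"),
    "jahlev_c2_prefix": re.compile(r"\b94\.102\.60\."),
    "download_tool": re.compile(r"\b(curl|wget|ftp)\b"),
    "decode_or_eval": re.compile(r"\b(base64|uudecode|eval)\b"),
}


def find_installer_scripts(pkg_dir):
    """Return sorted paths of installer scripts anywhere under pkg_dir."""
    found = []
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            if name in INSTALLER_SCRIPT_NAMES:
                found.append(os.path.join(root, name))
    return sorted(found)


def scan_script(path):
    """Return the indicator names matched by the script at path."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def triage_package(pkg_dir):
    """Map each installer script path to its indicator hits ([] means clean)."""
    return {p: scan_script(p) for p in find_installer_scripts(pkg_dir)}


# Constructed sample (not the trojan's real script): a preinstall script that
# copies itself into /Library/Internet Plug-Ins as 'AdobeFlash', mirroring the
# behaviour the description attributes to Jahlev.A.
SAMPLE_PREINSTALL = '#!/bin/sh\ncp "$0" "/Library/Internet Plug-Ins/AdobeFlash"\n'
# Benign script for contrast.
SAMPLE_POSTINSTALL = "#!/bin/sh\n/usr/bin/touch /tmp/installed\n"


def build_sample_pkg(base_dir):
    """Create a minimal bundle-style install.pkg under base_dir; return its path."""
    pkg = os.path.join(base_dir, "install.pkg")
    resources = os.path.join(pkg, "Contents", "Resources")
    os.makedirs(resources)
    scripts = {"preinstall": SAMPLE_PREINSTALL,
               "preupgrade": SAMPLE_PREINSTALL,
               "postinstall": SAMPLE_POSTINSTALL}
    for name, body in scripts.items():
        path = os.path.join(resources, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return pkg


def demo():
    """Build the constructed package, triage it, return {script name: hits}."""
    with tempfile.TemporaryDirectory() as tmp:
        report = triage_package(build_sample_pkg(tmp))
        return {os.path.basename(p): hits for p, hits in report.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits or 'clean'}")
```

On a real sample, point triage_package() at the mounted DMG's 'install.pkg' directory (for a newer flat .pkg, expand it first with pkgutil so the Scripts directory is on disk). A hit on 'writes_to_internet_plugins' in a preinstall script is worth a manual read regardless of the other indicators, since a legitimate plug-in installer has no reason to copy its own installer script there.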

Last update 26 November 2008
