Home / malware Trojan-Downloader:OSX/Jahlav.A
First posted on 28 January 2009.
Source: SecurityHomeAliases :
There are no other names known for Trojan-Downloader:OSX/Jahlav.A.
Explanation :
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
right] Jahlav.A is a trojan-downloader that entices the user to download a fake video codec, which supposedly will solve an Active X object error.
The downloaded file is a mountable disk image file (DMG file) used by Mac OS X to install applications, and contains an installer package named "install.pkg".
Execution
On installing the DMG file, the following image is displayed, as the trojan cleverly camouflages itself as a MacAccess installer:
Unbeknown to the victim, the trojan will install a file named "AdobeFlash" to "/Library/Internet Plug-Ins". The AdobeFlash is a copy of the preinstall/ preupgrade files from the DMG file's installer package, install.pkg, and is a script that appears as:
The output of the script is a file named "withlove", which is able to perform tasks in the backgrounds at regular intervals, while remaining hidden from the victim.
The output file also contains a script that must be decoded to determine the task being performed. The task is contained in a file named "jah", and its purpose appears to be to connect to the URL: 94.102.60.[...], in order download and execute a file.
As of this writing however, no files are available for download from this link.Last update 28 January 2009
