Malware type: Others
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Mac OS X
Encrypted: No
Overall risk rating:
Reported infections:
Damage potential:
Distribution potential:
Description:
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
Trend Micro has flagged this malware as noteworthy due to the increased potential for damage, propagation, or both, that it possesses. Specifically, it targets Mac OS X users.
This malware may be downloaded unknowingly by a user when visiting malicious websites. The website encourages users to download software supposedly needed to play a video on the site.
It arrives as a .DMG file, which is a Mac OS X mountable disk image. The image contains a .PKG installer package that holds the malicious script and its component files.
Two of these component files are identical malicious scripts, which are detected by Trend Micro as UNIX_JAHLAV.B.
When the .DMG file is opened, the package displays an installer window entitled MacCinema. Once installation is finished, it adds certain files to the system.
In the background, while the installer is running, the malware executes its malicious scripts, which are obfuscated using sed commands and uuencode. The script copies itself to /Library/Internet Plug-Ins/AdobeFlash and then creates a cron job that runs the malware every 5 minutes.
It also contains another obfuscated script, which in turn contains a script detected as PERL_JAHLAV.B. This Perl script sends an HTTP GET request to a certain IP address to download another malicious Perl script. However, the site is inaccessible as of this writing.
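The persistence described above (a copy under /Library/Internet Plug-Ins/AdobeFlash plus a cron job firing every 5 minutes) is something an administrator can check for directly in crontab output. The following is an added detection example, not Trend Micro's code and not a component of the malware. The path is taken from the description; the exact cron line the malware writes is not given on this page, so the schedule spellings the scanner recognises (`*/5`, `0,5,10,...`, ranges with steps) are assumptions covering standard cron syntax, and the sample crontab is constructed for the demonstration.

```python
"""Added detection example (not Trend Micro's code): scan crontab text for the
persistence described on this page, a job that fires every 5 minutes and runs
something under /Library/Internet Plug-Ins/AdobeFlash."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Path taken from the description. The exact cron line the malware writes is
# not given on the page, so the schedule spellings handled below (*/5,
# 0,5,10,..., ranges with steps) are assumptions covering standard cron syntax.
SUSPICIOUS_PATH = "/Library/Internet Plug-Ins/AdobeFlash"
INTERVAL_MINUTES = 5

# Constructed sample crontab, not captured from an infected host.
SAMPLE_CRONTAB = """\
# constructed sample, not captured from an infected host
MAILTO=""
0 3 * * * /usr/bin/periodic daily
*/5 * * * * "/Library/Internet Plug-Ins/AdobeFlash" >/dev/null 2>&1
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/local/bin/backup-check
15 */2 * * * /usr/bin/true
"""


def expand_minute_field(field: str) -> Optional[Set[int]]:
    """Expand a crontab minute field into the set of minutes it fires on.
    Handles lists, ranges, '*' and '/step'; returns None on unparsable input."""
    minutes: Set[int] = set()
    for part in field.split(","):
        m = re.fullmatch(r"(\*|\d+(?:-\d+)?)(?:/(\d+))?", part)
        if not m:
            return None
        base, step = m.group(1), int(m.group(2) or 1)
        if step < 1:
            return None
        if base == "*":
            lo, hi = 0, 59
        elif "-" in base:
            lo, hi = (int(x) for x in base.split("-"))
        else:
            lo = int(base)
            hi = 59 if m.group(2) else lo  # "5/10" is read as 5-59/10
        if not 0 <= lo <= hi <= 59:
            return None
        minutes.update(range(lo, hi + 1, step))
    return minutes


def runs_every_n_minutes(field: str, n: int) -> bool:
    """True if the minute field fires exactly every n minutes across the hour."""
    return expand_minute_field(field) == set(range(0, 60, n))


def parse_crontab_line(line: str, system: bool = False) -> Optional[Tuple[str, str]]:
    """Return (minute_field, command) for a job line, or None for comments,
    blank lines, environment settings and @reboot-style entries.
    System crontabs (/etc/crontab) carry a user column, hence six fields."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#@":
        return None
    if re.match(r"[A-Za-z_][A-Za-z0-9_]*\s*=", stripped):
        return None
    nfields = 6 if system else 5
    parts = stripped.split(None, nfields)
    if len(parts) < nfields + 1:
        return None
    return parts[0], parts[nfields]


def find_suspicious_jobs(crontab_text: str, system: bool = False) -> List[Dict]:
    """Flag jobs that reference the dropped path (high) or merely run on the
    5-minute cadence the page describes (review), with their line numbers."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        parsed = parse_crontab_line(line, system)
        if parsed is None:
            continue
        minute_field, command = parsed
        # Strip shell quoting/escaping so "Internet\ Plug-Ins" still matches.
        plain = command.replace("\\", "").replace('"', "").replace("'", "")
        hits_path = SUSPICIOUS_PATH in plain
        every_5 = runs_every_n_minutes(minute_field, INTERVAL_MINUTES)
        if hits_path or every_5:
            findings.append({
                "line": lineno,
                "command": command,
                "references_path": hits_path,
                "every_5_min": every_5,
                "severity": "high" if hits_path else "review",
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_jobs(SAMPLE_CRONTAB):
        print(f"[{f['severity']}] line {f['line']}: {f['command']}")
```

On a real host, feed the output of `crontab -l` for each user (on Mac OS X the per-user files live under /usr/lib/cron/tabs) to `find_suspicious_jobs`, and pass `system=True` for /etc/crontab, whose lines carry an extra user column. A path hit is the strong indicator; a bare 5-minute cadence is only a prompt to look at what the command actually runs.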
Description created: Jun. 24, 2009 11:52:13 PM GMT -0800