Trojan.OSX.Jahlav.A

VERY LOW
VERY LOW
22701
(OSX/Jahlav-A)

Symptoms

Increased network activity.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed by

Daniel RADU, Virus Researcher

Technical Description:

This malware usually arrives as a disk image posing as a key generator/crack for various applications, or as a video codec needed to view videos online:

Disk Image

Once mounted, the image contains an install package.

Mounted Image

The install package contains the following files:

Package Contents

The package contains three files which are of interest:

* Archive.pax.gz (which contains two files: AdobeFlash, Mozzilaplug.plugin)
* preinstall
* preupgrade

"AdobeFlash", "preinstall" and "preupgrade" are exactly the same file (a bash script).

Once executed, the script drops a file using the uudecode command (http://en.wikipedia.org/wiki/Uudecode).
The dropped file is another shell script, which installs a crontab entry (the Unix counterpart of a scheduled job/task under Windows) that checks for new files to download every 5 minutes.

This is done through another file dropped using uudecode, in this case a Perl script which does the actual downloading and executing of the new malware.

At the time of this analysis the host from which the additional malware files were downloaded was no longer available.
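To turn the behaviour described above into something a defender can check for, here is an added example (it is not part of the BitDefender entry and not the analyst's tooling): a Python script that flags install-package scripts whose contents are identical and that call uudecode, and crontab entries that run every 5 minutes and invoke perl or uudecode. The sample package scripts and crontab lines are constructed for illustration; the placeholder script bodies are not the malware's code.

```python
"""Defensive checks for the two indicators in the report:
identical preinstall/preupgrade scripts that invoke uudecode, and a
cron job firing every 5 minutes that runs a Perl downloader.
Added example; all sample data below is constructed."""

import hashlib
import re

# Constructed stand-ins for the scripts inside a suspect .pkg.
# The bodies are placeholders, not the malware's actual scripts.
SAMPLE_PKG_SCRIPTS = {
    "preinstall": "#!/bin/bash\nuudecode <<'EOF'\nbegin 755 stage2.sh\n...\nend\nEOF\n",
    "preupgrade": "#!/bin/bash\nuudecode <<'EOF'\nbegin 755 stage2.sh\n...\nend\nEOF\n",
    "postinstall": "#!/bin/sh\nexit 0\n",
}

# Constructed crontab: a benign daily job, a benign 5-minute job,
# and one entry matching the pattern the report describes.
SAMPLE_CRONTAB = """\
MAILTO=root
0 3 * * * /usr/sbin/periodic daily
*/5 * * * * /usr/local/bin/healthcheck.sh
*/5 * * * * /usr/bin/perl /tmp/.up/update.pl >/dev/null 2>&1
30 12 * * 1 /usr/local/bin/backup.sh
"""

UUDECODE_RE = re.compile(r"\buudecode\b")
# Interpreters/decoders named in the report as part of the chain.
STAGER_RE = re.compile(r"\b(perl|uudecode)\b")


def identical_install_scripts(scripts):
    """Group script names whose contents hash to the same SHA-256.

    Returns a list of sorted name lists, one per group of size > 1."""
    by_hash = {}
    for name, body in scripts.items():
        digest = hashlib.sha256(body.encode()).hexdigest()
        by_hash.setdefault(digest, []).append(name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]


def scripts_using_uudecode(scripts):
    """Names of scripts that call uudecode anywhere in their body."""
    return sorted(name for name, body in scripts.items() if UUDECODE_RE.search(body))


def expand_field(field, lo, hi):
    """Expand one crontab field ('*', '*/5', '0,5,10', '1-5') to a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def parse_crontab(text):
    """Yield (schedule_fields, command) for each job line; skip comments,
    blank lines, environment assignments and @-style entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        entries.append((fields[:5], fields[5]))
    return entries


def runs_every_five_minutes(schedule):
    """True when the minute field covers 0,5,...,55 and all other fields are '*'."""
    minute, hour, dom, month, dow = schedule
    return (expand_field(minute, 0, 59) == set(range(0, 60, 5))
            and all(f == "*" for f in (hour, dom, month, dow)))


def suspicious_cron_entries(text):
    """Commands that run every 5 minutes and invoke perl or uudecode."""
    return [cmd for schedule, cmd in parse_crontab(text)
            if runs_every_five_minutes(schedule) and STAGER_RE.search(cmd)]


if __name__ == "__main__":
    print("identical scripts:", identical_install_scripts(SAMPLE_PKG_SCRIPTS))
    print("uudecode callers:", scripts_using_uudecode(SAMPLE_PKG_SCRIPTS))
    print("suspicious cron:", suspicious_cron_entries(SAMPLE_CRONTAB))
```

The benign `healthcheck.sh` entry shares the 5-minute schedule but is not flagged, which is the point of combining the schedule test with the command test: either indicator alone produces too many false positives on a real system.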