OSX/Puper
- Type: Trojan
- SubType: Macintosh
- Discovery Date: 10/31/2007
- Length: Varies
- Minimum DAT: 5154 (11/01/2007)
- Updated DAT: 5646 (06/14/2009)
- Minimum Engine: 5.1.00
- Description Added: 10/31/2007
- Description Modified: 11/01/2007 9:44 AM (PT)
Characteristics
When run, this file indicates that it is a MacCodec installer.

Rather than installing a real codec, it creates a scheduled task which changes the DNS server to point to a malicious site. This could be used to redirect a user to a phishing site or more malware.
Within Finder, the script and the folder it creates are not visible. In the console, the script can be found at the following location:
- /Library/Internet Plug-Ins/plugins.settings
Symptoms
- Presence of the file plugins.settings
- Websites typed in by an infected user may be redirected to malicious sites
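Both symptoms can be checked from a terminal, since the dropped script does not show up in Finder. The following is an added example, not part of the original description or of the vendor's tooling. The function names, the use of a resolv.conf-style file under the inspected root, and the analyst-supplied list of trusted resolver addresses are assumptions.

```shell
#!/bin/sh
# Added example: triage for the two OSX/Puper symptoms listed above.
# Function names and the resolver allowlist are assumptions, not vendor code.

# Path of the dropped script, taken from the description (relative to the root).
ARTIFACT_REL="Library/Internet Plug-Ins/plugins.settings"

# Print the full path and return 0 if the dropped script exists under ROOT.
# A direct path test is used because the file is not visible in Finder.
puper_artifact() {
    root="$1"
    target="${root%/}/$ARTIFACT_REL"
    if [ -e "$target" ]; then
        printf '%s\n' "$target"
        return 0
    fi
    return 1
}

# Print each nameserver in a resolv.conf-style file that is not on the
# allowlist passed as the remaining arguments.
unexpected_dns() {
    conf="$1"; shift
    [ -r "$conf" ] || return 0
    awk '$1 == "nameserver" { print $2 }' "$conf" | while read -r ns; do
        ok=0
        for allowed in "$@"; do
            [ "$ns" = "$allowed" ] && ok=1
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$ns"
    done
}

# Usage: puper_triage ROOT TRUSTED_DNS...
# Returns 1 if either symptom is present, 0 if neither is.
puper_triage() {
    root="$1"; shift
    status=0
    if hit=$(puper_artifact "$root"); then
        echo "FOUND dropped script: $hit"; status=1
    fi
    bad=$(unexpected_dns "${root%/}/etc/resolv.conf" "$@")
    if [ -n "$bad" ]; then
        echo "UNEXPECTED DNS servers: $(echo $bad)"; status=1
    fi
    return "$status"
}

# Example: sh puper_check.sh / 192.0.2.53   (192.0.2.53 is a constructed address)
if [ "$#" -gt 0 ]; then puper_triage "$@"; fi
```

Pass `/` for a live system or the mount point of a disk image, followed by the resolver addresses the network is expected to hand out.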
Method of Infection
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. This trojan is most commonly installed by going to a malicious site.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
N/A
Overview
This is a trojan which purports to be a codec installer, to help the user view videos. The trojan instead creates a script which changes the DNS server to point to a malicious site.