OSX/Puper.a

Type: Trojan
SubType: Macintosh
Discovery Date: 03/26/2009
Length: 23,104 Bytes
Minimum DAT: 5565 (03/26/2009)
Updated DAT: 5730 (09/03/2009)
Minimum Engine: 5.2.00
Description Added: 03/26/2009
Description Modified: 07/22/2009 11:12 PM (PT)
Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

Overview -
-- Update July 23, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/07/21/andrews_video_malware_ruse/


--

-- Update July 22, 2009 --

An updated version of this Trojan is being hosted at the following URL:

  • hxxp://video.report-{blocked}/Erin_Andrews_Peephole_Video

This Trojan modifies the infected machine's DNS settings to point to a malicious DNS server. The following is the new list of malicious DNS servers:

  • 85.255.112.120
  • 85.255.112.137

--------------

When executed, this trojan displays the following message:

If the user chooses to continue, it would then ask for the installation location and request the user's credentials as shown in the screenshot below:

If a user with root privileges provides his/her login credentials, the trojan runs with those privileges.

The malware drops a copy of itself in the following folder:

  • /Library/Receipts

The malware then drops the following files:

  • /Library/Internet Plug-Ins/AdobeFlash
  • /Library/Internet Plug-Ins/Mozillaplug.plugin

The malware also modifies the infected machine's DNS settings to point to a malicious DNS server. This is done to either redirect the innocent user to a phishing site or to download more malware.

Given below is a list of the malicious DNS servers that were noted at the time of writing this description. Note that this list is not exhaustive:

  • 85.255.112.210
  • 85.255.112.99

The malware then updates the crontab to run the following script:

  • /Library/Internet Plug-Ins/AdobeFlash

Screenshot below:

This is done to ensure that the malicious DNS entry is restored if it is changed.

Symptoms

  • Presence of files mentioned earlier
  • Presence of the cron job mentioned earlier
  • Presence of a fake DNS server as mentioned earlier
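The three symptoms above can be checked from a shell. The script below is an added triage example, not McAfee's tooling: it looks for the two dropped plug-in files, a crontab entry that re-runs the AdobeFlash script, and resolvers in the 85.255.112.x range named in the description. The function names are the editor's; it assumes `crontab -l` and `scutil --dns` are available on the host being checked.

```shell
#!/bin/sh
# Added triage script for the OSX/Puper.a symptoms described above (editor's
# example, not McAfee's tooling). Indicators come from the description: the
# dropped plug-in files, the AdobeFlash cron job and 85.255.112.x resolvers.

# check_files ROOT: exit 0 if either dropped plug-in file exists under ROOT
# (ROOT is empty for a live host; a scratch directory is used when testing).
check_files() {
    root=${1:-}
    rc=1
    for f in "$root/Library/Internet Plug-Ins/AdobeFlash" \
             "$root/Library/Internet Plug-Ins/Mozillaplug.plugin"; do
        if [ -e "$f" ]; then
            echo "dropped file present: $f"
            rc=0
        fi
    done
    return $rc
}

# check_crontab: reads a crontab listing on stdin; exit 0 if a job re-runs the
# AdobeFlash script, the persistence mechanism that re-applies the DNS change.
check_crontab() {
    grep -F -q '/Library/Internet Plug-Ins/AdobeFlash'
}

# check_resolvers: reads resolver config on stdin (scutil --dns or
# /etc/resolv.conf lines); exit 0 if any nameserver sits in 85.255.112.0/24.
# The description says its list is not exhaustive, so the whole /24 is flagged.
check_resolvers() {
    grep -E -q '(^|[^0-9])85\.255\.112\.[0-9]{1,3}([^0-9]|$)'
}

# scan_host: run all three checks on the live machine. Run as root so the root
# crontab (written when root credentials were supplied to the installer) is seen.
scan_host() {
    hits=0
    check_files "" && hits=$((hits + 1))
    if crontab -l 2>/dev/null | check_crontab; then
        echo "cron job re-running AdobeFlash present"; hits=$((hits + 1))
    fi
    if { scutil --dns 2>/dev/null; cat /etc/resolv.conf 2>/dev/null; } | check_resolvers; then
        echo "resolver points at a known malicious DNS server"; hits=$((hits + 1))
    fi
    echo "indicators found: $hits"
    [ "$hits" -eq 0 ]
}

case "${1:-}" in --scan) scan_host ;; esac
```

Invoke with `--scan` to check the current machine; the exit status is non-zero when any indicator is present.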

Method of Infection

This malicious file is being distributed as an HDTV player. Users who visit the malicious website may, under the false premise that the file is beneficial, download and install this trojan.

When visited, this website serves different malware depending on the browser's User-Agent setting.

Example:

If a user visits this site from a Windows machine, a Windows executable will be available for download. If the user visits this site from a Mac machine, a Mac disk image file ".dmg" will be available for download.

Note: The Windows executable is already detected as the Puper trojan.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

Overview -

-- Update March 26, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://timesonline.typepad.com/technology/2009/03/apple-mac-troja.html

--

This detection is for a trojan which pretends to be an HDTV (High Definition Television) player.

The characteristics of this trojan with regard to file names, URLs accessed, files downloaded, etc. will differ depending on how the attacker configured it. Hence, this is a general description.

Aliases

  • OSX.RSPlug [ClamAV]
  • OSX.RSPlug.A [Symantec]
  • OSX/Jahlav.C [eTrust]
  • OSX/RSPlug-F [Sophos]
  • OSX_RSPLUG.B [TrendMicro]
