
Trojan.OSX.Jahlav.A

VERY LOW
VERY LOW
22701
(OSX/Jahlav-A)

Symptoms

 Increased network activity.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel RADU, Virus Researcher

Technical Description:

This malware usually arrives as a disk image posing as a key generator/crack for various applications, or as a video codec supposedly needed to view videos online:

Disk Image

Once mounted, the image contains an install package.

Mounted Image
The install package contains the following files:

Package Contents

The package contains three files which are of interest:
          * Archive.pax.gz (which contains two files: AdobeFlash, Mozzilaplug.plugin)
          * preinstall
          * preupgrade

"AdobeFlash", "preinstall" and "preupgrade" are exactly the same file (a bash script).

Once executed, the script drops a file using the uudecode command (http://en.wikipedia.org/wiki/Uudecode).
The dropped file is another shell script, which installs a crontab entry (the Unix equivalent of a scheduled task under Windows) that checks for new files to download every 5 minutes.

The downloading is done by yet another file dropped with uudecode, in this case a Perl script, which performs the actual download and execution of the new malware.

At the time of this analysis, the host used to serve the additional malware files was no longer available.
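The dropper chain described above (a bash script feeds an embedded uuencoded block to uudecode, the decoded script installs a crontab entry that polls every 5 minutes) can be triaged statically without ever running the sample. The following Python is an added example written for this page; it is not Bitdefender's tooling and not the malware's own code. It builds a constructed stand-in dropper with an embedded uuencoded block, decodes that block the same way uudecode would, and then flags any crontab entry the dropped script writes, reporting the polling interval. The file names, paths and the cron command line in it are assumptions, not values taken from the real sample.

```python
import binascii
import re
from typing import Optional

# Constructed stand-in for the second-stage script the dropper writes; NOT the real payload.
# It appends a crontab entry that fires every 5 minutes, mirroring the behaviour described above.
INNER_SCRIPT = b"""#!/bin/sh
# constructed sample: append a crontab entry that polls every 5 minutes
crontab -l 2>/dev/null > /tmp/cron.tmp
echo '*/5 * * * * /tmp/.update.pl >/dev/null 2>&1' >> /tmp/cron.tmp
crontab /tmp/cron.tmp
"""


def uuencode(data: bytes, name: str, mode: int = 0o755) -> str:
    """Emit a uuencoded block in the layout uuencode(1) produces: a begin line,
    45-byte data lines, a lone backtick terminator line, then `end`."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[i:i + 45], backtick=True)
        lines.append(chunk.decode("ascii").rstrip("\n"))
    lines.append("`")
    lines.append("end")
    return "\n".join(lines) + "\n"


def build_dropper(inner: bytes) -> str:
    """Constructed stand-in for the preinstall/AdobeFlash dropper (assumed layout):
    a bash script that pipes an embedded uuencoded block into uudecode and runs the result."""
    return (
        "#!/bin/bash\n"
        "cd /tmp\n"
        "uudecode <<'EOF'\n"
        + uuencode(inner, "install.sh")
        + "EOF\n"
        "sh /tmp/install.sh\n"
    )


# `begin <mode> <name>` ... `end`, exactly what uudecode looks for; body spans lines
UU_BLOCK = re.compile(
    r"^begin (?P<mode>[0-7]{3,4}) (?P<name>\S+)\n(?P<body>.*?)^end$",
    re.M | re.S,
)


def extract_uu_payloads(script_text: str) -> list:
    """Find every uuencoded block in a script and decode it to (name, mode, bytes),
    i.e. the file uudecode would have written to disk."""
    payloads = []
    for m in UU_BLOCK.finditer(script_text):
        data = bytearray()
        for line in m.group("body").splitlines():
            if line:  # the lone backtick terminator decodes to b"" and is harmless
                data += binascii.a2b_uu(line)
        payloads.append((m.group("name"), int(m.group("mode"), 8), bytes(data)))
    return payloads


# five cron fields (digits, '*', ',', '/', '-') followed by the command
CRON_ENTRY = re.compile(r"^((?:[\d*,/-]+\s+){5})(.+)$")


def find_cron_entries(payload: bytes) -> list:
    """Return (schedule, command) for crontab entries a shell script writes,
    either as a bare line or wrapped in `echo '...' >> file`."""
    found = []
    for raw in payload.decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"""echo\s+(['"])(.*?)\1""", line)
        candidate = m.group(2) if m else line
        cm = CRON_ENTRY.match(candidate)
        if cm:
            found.append((cm.group(1).strip(), cm.group(2).strip()))
    return found


def poll_interval_minutes(schedule: str) -> Optional[int]:
    """Minutes between runs for `*/N * * * *` or `* * * * *`; None for anything else."""
    fields = schedule.split()
    if len(fields) != 5 or any(f != "*" for f in fields[1:]):
        return None
    if fields[0] == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", fields[0])
    return int(m.group(1)) if m else None


def analyze_dropper(script_text: str) -> dict:
    """Static triage: list the files a dropper decodes and any cron beacon they install."""
    report = {"dropped": [], "beacons": []}
    for name, mode, data in extract_uu_payloads(script_text):
        report["dropped"].append((name, mode, len(data)))
        for schedule, cmd in find_cron_entries(data):
            report["beacons"].append((name, poll_interval_minutes(schedule), cmd))
    return report


if __name__ == "__main__":
    print(analyze_dropper(build_dropper(INNER_SCRIPT)))
```

Run against a real installer, the same functions would be pointed at the `preinstall`/`preupgrade` scripts pulled out of the package (for example with `pkgutil --expand` or `xar -xf`); anything they decode that writes a high-frequency crontab entry is the beacon worth pulling C2 indicators from, and the decoded bytes can be hashed and scanned without executing them.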