My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Trjoan horse for Mac OS X exploits Russian model images

March 11, 2012

Doctor Web has discovered a new scheme to spread malicious software for devices running Mac OS X. Trojan.Muxler (OSX/Revir) authors are behind the malignant design. To lure users attackers use pictures of the popular Russian model Irina Shayk.

The malicious code is placed into a ZIP-archive containing various photos, including Irina Shayk's pictures. Archive samples have been uploaded to as Pictures and the Pictures and the Ariticle of Renzin and FHM Feb Cover Girl Irina Shayk H-Res Currently Doctor Web doesn't have complete information as to the archive spreading scheme but apparently it is a not spread widely.

When the archive contents is extracted, an application is saved on the disk in addition to photos. Its icon displayed in the Finder window is practically no different from other images. Intruders expect that a careless user may fail to distinguish the program icon from an image and launch it.


This executable file named FileAgent is a Trojan.Muxler.3 malware. It decrypts and executes a backdoor module detected by Dr.Web anti-virus software as BackDoor.Muxler.3 (OSX/Imuler). This module is copied to a file named Mdworker, located in the /tmp directory. When launched, Trojan.Muxler.3 displays an enlarged copy of a photo and removes itself.

The backdoor allows intruders to perform various commands to download and run programs, create Mac OS X desktop screenshots. In addition, Trojan.Muxler.3 downloads the CurlUpload file from the Internet and stores it in the /tmp folder. The file is detected by Dr.Web as Trojan.Muxler.2 and is used to upload various files from the infected machine to a remote server.

The program poses a threat to Mac OS X because the backdoor is used to control an infected machine. Intruders can take screenshots and thus monitor user activity, covertly run third-party applications ad transfer files stored on a hard drive in the compromised system to a remote server. Some of these files may contain sensitive information.

Trojan.Muxler.3 and BackDoor.Muxler.3 have been added to the virus database of Dr.Web for Mac OS X.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments