March 11, 2012
The malicious code is placed into a ZIP-archive containing various photos, including Irina Shayk's pictures. Archive samples have been uploaded to virustotal.com as Pictures and the Pictures and the Ariticle of Renzin Dorjee.zip and FHM Feb Cover Girl Irina Shayk H-Res Pics.zip. Currently Doctor Web doesn't have complete information as to the archive spreading scheme but apparently it is a not spread widely.
When the archive contents is extracted, an application is saved on the disk in addition to photos. Its icon displayed in the Finder window is practically no different from other images. Intruders expect that a careless user may fail to distinguish the program icon from an image and launch it.
This executable file named FileAgent is a Trojan.Muxler.3 malware. It decrypts and executes a backdoor module detected by Dr.Web anti-virus software as BackDoor.Muxler.3 (OSX/Imuler). This module is copied to a file named Mdworker, located in the /tmp directory. When launched, Trojan.Muxler.3 displays an enlarged copy of a photo and removes itself.
The backdoor allows intruders to perform various commands to download and run programs, create Mac OS X desktop screenshots. In addition, Trojan.Muxler.3 downloads the CurlUpload file from the Internet and stores it in the /tmp folder. The file is detected by Dr.Web as Trojan.Muxler.2 and is used to upload various files from the infected machine to a remote server.
The program poses a threat to Mac OS X because the backdoor is used to control an infected machine. Intruders can take screenshots and thus monitor user activity, covertly run third-party applications ad transfer files stored on a hard drive in the compromised system to a remote server. Some of these files may contain sensitive information.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.