OSX_DNSCHAN.A

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

This Trojan can be downloaded from http://{BLOCKED}odec.com/download/ultracodec{number}.dmg.

It arrives on the affected system as a DMG file. A DMG file is a mountable disk image created in Mac OS X commonly used for software installers downloaded from the Internet.

It tricks the user into thinking that a legitimate video codec program is being installed. It even includes an End User License Agreement (EULA) to complete its scam.

Upon completion of its installation routine, this Trojan drops a malicious Bash script files detected by Trend Micro as UNIX_DNSCHAN.A.

Two versions of this malware exists (Windows and Mac OS version). One of the two versions can be downloaded on the same remote site depending on the browser and operating system used.

When using a Windows platform to connect to the malicious Web site, the downloaded file also uses a .DMG extension. However, examining its contents would show that it is an EXE file.

Related Items