Fake YouTube Installs OS X TrojanDNSChanger
“.. I clicked on a normal-looking link to a BlogSpot blog. Instead of taking me to the blog it took me to a website that looks 100% identical to a YouTube page. Where a video would normally start playing it instead said “Video ActiveX Error” and a DMG entitled “1234” that was approximately 750kb automatically downloaded to my computer.”
Question: How did you get that link?
Answer: I found it on the wall of a Facebook group. [Read MacRumors Forum]
~~ooOOoo~~
TrojanDNSChanger for Mac is in the wild, and it is trying hard to reach users through channels with a wide or massive audience, such as social networks.
This campaign has been running for a week: a malicious link redirects users to a fake YouTube website, which automatically downloads a DMG file without user intervention. The DMG is the Trojan DNSChanger for Mac.
**Take Note: The installer filename changes every day.
The installer usually displays the name “MacVideo” or “Porn4Mac”.
Although this trojan requires manual installation, some Mac users may still fall for this trick.
Always be on the lookout for dodgy websites of this type.





I found a new variety of this that tries to install a replacement for the Apple-supplied VerifiedDownloadPlugin as well as the other DNS tricks / obfuscation. Ping me by email if you want a copy.
This must be something new. Could you send me a copy at this email address: iThreatResearch(at)g m a i l (dot) com? I’ll verify and make an analysis as soon as I receive the file. Thanks!
If this is installed what recourse do I have for uninstalling it?
You may delete the following drop files:
/Library/Internet Plug-Ins/plugins.settings
/Library/Internet Plug-Ins/sendreq (usually the malware deletes this, but just double check)
/Library/Internet Plug-Ins/QuickTime.xpt
/Library/Internet Plug-Ins/Mozillaplug.plugin
And modify your DNS Settings (System Preferences > Network > Advanced > DNS) to your legitimate DNS IP address.
Perhaps the detailed analysis of this trojan may also help:
http://ithreats.wordpress.com/2008/01/11/analysis-of-osx-trojan-dns-changer/
If you think it exhibits different behavior, please feel free to send me further information, such as the URL link and the DMG file, so I can investigate. Thanks!
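A read-only check for the drop files and DNS settings named in the reply above, as an added example that is not part of the original post or comments. The function names and the optional `ROOT` argument are assumptions of this example; `networksetup` is the stock macOS command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post: read-only check for the drop
# files listed in the comment above. Nothing is deleted or modified.

# Paths exactly as listed on the page (relative to the volume root).
DROP_FILES='Library/Internet Plug-Ins/plugins.settings
Library/Internet Plug-Ins/sendreq
Library/Internet Plug-Ins/QuickTime.xpt
Library/Internet Plug-Ins/Mozillaplug.plugin'

# find_drop_files [ROOT]: print every listed path that exists under ROOT.
# ROOT is an assumption of this example (default "/") so a mounted backup or
# a copy of the disk can be checked too. Returns 0 if any was found, else 1.
find_drop_files() {
    root=${1:-/}
    rc=1
    old_ifs=$IFS
    IFS='
'   # split the list on newlines only, because the paths contain spaces
    for rel in $DROP_FILES; do
        path="${root%/}/$rel"
        if [ -e "$path" ] || [ -L "$path" ]; then
            printf '%s\n' "$path"
            rc=0
        fi
    done
    IFS=$old_ifs
    return "$rc"
}

# show_dns_servers: list the DNS servers set on each network service so they
# can be compared with the legitimate ones. Does nothing outside macOS.
show_dns_servers() {
    command -v networksetup >/dev/null 2>&1 || { echo "networksetup not found (not macOS)"; return 0; }
    networksetup -listallnetworkservices | tail -n +2 | while IFS= read -r svc; do
        svc=${svc#\*}   # a leading * marks a disabled service
        printf '%s: ' "$svc"
        networksetup -getdnsservers "$svc" | tr '\n' ' '
        echo
    done
}

if find_drop_files "${1:-/}"; then
    echo "Listed drop files are present (see paths above)."
else
    echo "None of the listed drop files were found."
fi
show_dns_servers
```
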
Can someone give me a dunce’s guide to how to remove this, as it keeps redirecting me to advertising websites and it’s driving me mad.