
Fake YouTube Installs OS X TrojanDNSChanger

“… I clicked on a normal-looking link to a BlogSpot blog. Instead of taking me to the blog it took me to a website that looks 100% identical to a YouTube page. Where a video would normally start playing it instead said “Video ActiveX Error” and a DMG entitled “1234” that was approximately 750kb automatically downloaded to my computer.”

Question: How did you get that link ?

Answer: I found it on the wall of a Facebook group. [Read MacRumors Forum]
TrojanDNSChanger for Mac is spreading in the wild, and its distributors are pushing it at users through channels with a wide audience, such as social networks.

This campaign has been running for about a week: a malicious link redirects users to a fake YouTube website, which, without any user intervention, automatically downloads a DMG file containing the Trojan DNSChanger for Mac.

Take note: the installer filename changes every day.

The installer name is usually “MacVideo” or “Porn4Mac”.

Although this trojan requires manual installation, some Mac users are still likely to fall for this trick.

Always be on the look-out for dodgy websites of this type.

  1. John Pettitt
    June 10, 2008 at 5:25 am

    I found a new variety of this that tries to install a replacement for the apple supplied VerifiedDownloadPlugin as well as the other DNS tricks / obfuscation. Ping me by email if you want a copy.

  2. Methusela Cebrian Ferrer
    June 11, 2008 at 12:38 am

    This must be something new. Could you send me a copy to this email address: iThreatResearch(at)g m a i l (dot) com. I’ll verify and make an analysis as soon as I receive the file. Thanks!

  3. tim
    August 3, 2008 at 5:29 pm

    If this is installed what recourse do I have for uninstalling it?

  4. Methusela Cebrian Ferrer
    August 10, 2008 at 1:36 pm

    You may delete the following drop files:

    /Library/Internet Plug-Ins/plugins.settings
    /Library/Internet Plug-Ins/sendreq (usually the malware deletes this, but just double check)
    /Library/Internet Plug-Ins/QuickTime.xpt
    /Library/Internet Plug-Ins/Mozillaplug.plugin

    And modify your DNS Settings (System Preferences > Network > Advanced > DNS) to your legitimate DNS IP address.

    Perhaps, the detailed analysis of this trojan may also help:

    If you think it poses different behavior, please feel free to send me further information such as the URL link and the DMG file so I can investigate. Thanks!
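The clean-up steps in the comment above can be turned into a quick host check. The script below is an added example, not code from the original post or its commenters: it looks for the four drop files the comment lists under /Library/Internet Plug-Ins and flags any DNS resolver that is not on an allow-list you supply. The file names come from the comment; the allow-list, the optional root-directory argument (so the check can be exercised against a scratch directory), and the sample resolver addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the original post): report the DNSChanger drop
# files named in the comment above and any unexpected DNS resolvers.

# count_drop_files [ROOT]: prints each listed file that exists under
# ROOT/Library/Internet Plug-Ins to stderr, then the number found to stdout.
# ROOT defaults to empty, i.e. the real /Library; pass a scratch directory
# (an assumption for this example) to try the logic without touching the system.
count_drop_files() {
    plugin_dir="${1:-}/Library/Internet Plug-Ins"
    n=0
    # File names are the ones listed in the comment above.
    for name in plugins.settings sendreq QuickTime.xpt Mozillaplug.plugin; do
        if [ -e "$plugin_dir/$name" ]; then
            printf 'FOUND: %s\n' "$plugin_dir/$name" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# unexpected_resolvers "ALLOWED" "IN_USE": prints every resolver in IN_USE
# (space-separated) that is not in ALLOWED; prints nothing if all are allowed.
unexpected_resolvers() {
    allowed=" $1 "
    for ip in $2; do
        case "$allowed" in
            *" $ip "*) ;;          # known-good resolver, nothing to report
            *) echo "$ip" ;;       # resolver you did not configure: investigate
        esac
    done
}

# current_resolvers: on macOS, lists the resolvers the system is really using
# ("scutil --dns" prints "nameserver[N] : a.b.c.d" lines). Prints nothing on
# systems without scutil, so the functions above can still be exercised there.
current_resolvers() {
    command -v scutil >/dev/null 2>&1 || return 0
    scutil --dns | awk '/nameserver\[/ { print $3 }' | sort -u | tr '\n' ' '
}

# main: run the check against the live system. The allow-list here is a
# constructed sample (a typical router address plus a public resolver); replace
# it with the resolvers you actually configured.
main() {
    allowed="192.168.1.1 8.8.8.8"
    n=$(count_drop_files "")
    echo "drop files present: $n"
    bad=$(unexpected_resolvers "$allowed" "$(current_resolvers)")
    if [ -n "$bad" ]; then
        echo "unexpected DNS resolvers: $bad"
    else
        echo "DNS resolvers match the allow-list"
    fi
}

# Only scan the live machine when explicitly asked: sh dnschanger-check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    main
fi
```

Run it with `--scan` on the suspect Mac; a non-zero drop-file count or any resolver printed under "unexpected DNS resolvers" means the manual removal and DNS reset from the comment still need to be done, and the check can be re-run afterwards to confirm both lists are empty.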

  5. Ellis Thorne
    September 18, 2008 at 9:38 am

    Can someone give me a dunce’s guide to how to remove this? It keeps redirecting me to advertising websites and it’s driving me mad.
