Mac Malware Posing As ActiveX Codec

Malicious software hiding out as video codex is nothing new, but there is a new variant in town. Going by several names, OSX/JahLav-C has been seen at various web sites, mostly porn-related. It uses simple deception to install itself on a Mac.

If you click a video on an affected web site, an alert window will open, advising you that:

“Your browser cannot play this video file. Click OK to download and install the missing Video ActiveX Object.”

If you click the ‘OK’ button a malicious script will be downloaded and installed in the /Library/Internet Plug-Ins folder. Once installed the script will phone home for instructions to execute. The actual download has various names, including the following:

• HDTVPlayerv3.5.dmg
• VideoCodec.dmg
• FlashPlayer.dmg
• MacTubePlayer.dmg
• Macvideo.dmg
• License.v.3.1413.dmg
• Play-video.dmg
• Quicktime.dmg

One curious point is the malware writer’s decision to describe the item as an ActiveX component, something that actually can’t be used in OS X; Active X is strictly for Windows. Perhaps the malware author is targeting former Windows switchers, who would be familiar with installing ActiveX components, or just assumes that some Mac users would follow the prompts anyway. No matter what the author’s rational was, don’t click the OK button.

If you believe your Mac may have been infected, you should be able to use any Mac-based antivirus application to remove the Trojan. Be sure to update the antivirus application’s database first, to ensure that the newest of Trojans is included in the scan.