Another fake “video codec” threatens Macs

According to Intego, a new version of an existing Trojan poses a new threat to Mac users. The net result of installing this Trojan is that some web requests are hijacked: a request for, for instance, might be redirected to a site somewhere else, which could then gather whatever data a user is willing to enter.

OSX.RSPlug.D, a new variant of OSX.RSPlug.A (mentioned here in an earlier article), is also spread via various less scrupulous sites offering video porn. A Mac user visiting a particular web page is greeted with an error dialog stating “Video ActiveX Object Error: Your browser cannot play the video file”.
If the user presses “cancel”, another dialog box pops up, which contains only an “ok” button. The choice is then to either click OK and download the installer anyway, or force-quit the browser (command-option-escape on the keyboard).

If the installer is downloaded, the disk image file has to be mounted, and then the installer in the image file run. On some computers, this may occur automatically. On others, depending on settings, the user may be required to open the dmg file, then double-click on the installer.

If it doesn’t open automatically, no problem. Just delete the file and get on with more important things. If it does mount and launch the installer automatically, the Apple Installer program will then ask for the user’s admin user name and password. Here’s the other place to stop this thing in its tracks – just hit cancel, and quit the installer. Then throw away the file that was downloaded. That’s it. You’re safe.

If for some reason a user actually enters his admin password, the changes on the Mac may be reversed manually through various command line utilities.

The consequences of installing this and other similar trojans include identity theft and financial losses in cases where the user has inadvertently tried signing onto a hijacked site with his normal credentials (i.e. username or account number, and password or other secret information).

As always, I recommend surfing with a bit of caution. If something sounds too good to be true, it probably is. You won’t find high-quality free video porn online. You will find scams and attempts to get you to divulge your credit card number or other personally identifying information.

Also note that “ActiveX” is a Windows-only beast. You cannot download an ActiveX viewer – the only way to use ActiveX on a Macintosh is to install Windows on your Mac.