updated 09:40 am EST, Wed December 3, 2008
RSPlug.E Trojan manifests
A third variant of the RSPlug Trojan has appeared online, says security firm Intego. Following in the wake of the RSPlug.D version, Intego notes that another mutant copy called RSPlug.E has appeared. The new Trojan is said to be very similar in scope to D, being mainly found on dubious pornography sites, and equipped with a downloader that installs files from a remote server.
Likewise, a contaminated website will display a "Video ActiveX Object Error," which prompts users to download a missing plug-in that is really a disk image. This image may mount and install itself automatically if the user's browser settings allow it.
The factor differentiating RSPlug.E, however, is that it downloads files named "FlashPlayer.v3.348.dmg" and "FlashPlayer.v..dmg," which have encoded malware containing the line "begin 666 intego." This code taps into Unix permissions to create a malicious file called "intego," which the namesake company argues is intended as a form of provocation. Definitions in VirusBarrier X5 have been updated to detect and block the Trojan.
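The quoted line has the form of a uuencode header (`begin <mode> <name>`), in which 666 is an octal Unix file mode giving read and write access to owner, group and others. The following is an added example, not code from Intego or the original article: it scans text for such headers and reports the file name and permissions each block would produce. The function names and the sample script are constructed for illustration.

```python
import binascii
import re
import stat

# uuencode header: "begin <octal mode> <output filename>"
HEADER = re.compile(r"^begin ([0-7]{3,4}) (\S+)\s*$")


def find_uu_payloads(text):
    """Return one record per uuencoded block embedded in `text`."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            i += 1
            continue
        mode = int(m.group(1), 8)
        decoded, j, terminated = b"", i + 1, False
        while j < len(lines) and lines[j]:
            if lines[j].strip() == "end":
                terminated = True
                break
            try:
                decoded += binascii.a2b_uu(lines[j])
            except binascii.Error:
                break  # not uuencoded data: treat the block as truncated
            j += 1
        findings.append({
            "line": i + 1,                                  # 1-based header line
            "name": m.group(2),                             # file the decoder would write
            "mode": stat.filemode(stat.S_IFREG | mode),     # e.g. -rw-rw-rw-
            "world_writable": bool(mode & stat.S_IWOTH),
            "size": len(decoded),
            "complete": terminated,                         # saw the closing "end"
        })
        i = j + 1 if terminated else j
    return findings


def build_sample():
    """Constructed, harmless stand-in for a script carrying a uuencoded blob."""
    body = binascii.b2a_uu(b"constructed sample payload\n").decode("ascii")
    return "#!/bin/sh\n# constructed sample\nbegin 666 intego\n" + body + "`\nend\n"


if __name__ == "__main__":
    for finding in find_uu_payloads(build_sample()):
        print(finding)
```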
Apple recently pulled an anti-virus support page, claiming that Macs are generally safeguarded against malware threats; it notes, however, that anti-virus software may still be useful.