
New Variants of the RSPlug Trojan Horse


Intego first reported on the OSX.RSPlug Trojan Horse back in October of 2007. Since then, the people behind this malware have been busy making variants in order to better trap Mac users. Most of the variants aren’t really variants; they are simply disk images with different names from the original. (One antivirus vendor claimed to have found some three dozen such variants, but did not, it seems, examine the code to see that they were all the same.)

Other variants include two whose code is different, but most are variants that purport to install differently named software. The original RSPlug Trojan horse installed “software” called MacCodec; other versions’ installers claim to install MacVideo or Porn4Mac. Also, the containers – the disk images containing the installers – differ. The first version was found in a series of disk images named with four digits followed by the disk image extension: for example, 1023.dmg. Others have included operacodec1234.dmg, nitroticket2018.dmg, uincodec4264.dmg, ixcodec1292.dmg and xerocodec1292.dmg. (Note that there may be variations in the numbers contained in these names, as well as the names themselves.)
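The following triage sketch is an added example, not Intego's code. It flags disk image names shaped like the ones listed above, then groups the flagged files by content hash so that renamed copies of one image count as a single sample rather than as separate variants. The regular expression is a heuristic generalized from the listed names, and the sample file contents are constructed.

```python
import hashlib
import re
from collections import defaultdict

# Heuristic built from the names in the post: four digits, or a word ending in
# "codec" or "ticket" followed by four digits, then ".dmg". The post warns that
# names and numbers vary, so a miss here proves nothing.
NAME_PATTERN = re.compile(
    r"^(?:\d{4}|[a-z]+(?:codec|ticket)\d{4})\.dmg$", re.IGNORECASE
)


def looks_like_reported_name(filename):
    """True if the file name has the shape of a reported RSPlug container."""
    return bool(NAME_PATTERN.match(filename))


def group_by_content(samples):
    """Map SHA-256 digest -> sorted names, for a dict of name -> bytes.

    Only byte-identical images collapse into one group. An image rebuilt
    around the same installer hashes differently and needs the inner
    files hashed instead.
    """
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[hashlib.sha256(data).hexdigest()].append(name)
    return {digest: sorted(names) for digest, names in groups.items()}


def triage(samples):
    """Count flagged names, and how many distinct payloads they cover."""
    flagged = {n: d for n, d in samples.items() if looks_like_reported_name(n)}
    groups = group_by_content(flagged)
    return {
        "flagged_names": len(flagged),
        "distinct_payloads": len(groups),
        "groups": groups,
    }


# Constructed sample input: short byte strings stand in for disk image contents.
SAMPLES = {
    "1023.dmg": b"constructed-payload-A",
    "operacodec1234.dmg": b"constructed-payload-A",
    "nitroticket2018.dmg": b"constructed-payload-A",
    "xerocodec1292.dmg": b"constructed-payload-B",
    "Firefox 3.0.dmg": b"constructed-unrelated-image",
}

if __name__ == "__main__":
    print(triage(SAMPLES))
```

On the constructed input, four names are flagged but only two distinct payloads remain after grouping.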

In any case, this Trojan is alive and well, and recent posts in Mac forums show that users are still being infected. Intego VirusBarrier protects against all these variants, and will continue to protect against new ones as they are discovered.