Yet Another Variant of the RSPlug Trojan Horse: This One Taunts Intego
Posted on by Peter James
A new variant of the RSPlug Trojan horse has been found on several pornographic web sites. This new variant, RSPlug.E, is similar to the RSPlug.D Trojan horse, but differs from the previous versions in some interesting ways. The samples Intego has seen, named FlashPlayer.v3.348.dmg and FlashPlayer.v..dmg, contain code that refers to Intego. The actual malware code is encoded (using a standard routine called uuencode), and when it is decoded, a line of code is present saying: “begin 666 intego”. This tells the system to create a file named “intego”, containing the malicious code, with read and write permissions (the 666 is shorthand for Unix permissions, not anything to do with the “number of the beast”). Intego wants to point out that the company obviously has nothing to do with the creation of this malware, and that the choice of this file name is a provocation from the creator of this malware.
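For analysts triaging a script that carries such a block, the following added example (not Intego's code and not taken from the malware) reads the uuencode header and reports the permission mode, target file name and declared payload size without decoding or writing anything. The function names and the sample input are assumptions made for illustration; the sample is constructed and its payload is the harmless three-byte string "Cat".

```python
import re
import stat

# uuencode header line: "begin <octal mode> <file name>"
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (.+)$")

# Constructed sample: harmless 3-byte payload ("Cat") under the header quoted above.
SAMPLE = "#!/bin/sh\n# constructed sample\nbegin 666 intego\n#0V%T\n`\nend\n"

def _decoded_len(line):
    """Decoded byte count declared by a uuencoded data line, or None if malformed."""
    if not line:
        return None
    n = (ord(line[0]) - 32) & 0x3F            # first character encodes the length
    need = ((n + 2) // 3) * 4                 # 4 encoded characters per 3 bytes
    body = line[1:]
    if len(body) < need or any(not 32 <= ord(c) <= 96 for c in body):
        return None
    return n

def find_uu_blocks(text):
    """Describe each embedded uuencode block without decoding or writing it."""
    lines, blocks, i = text.splitlines(), [], 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        mode, size, j = int(m.group(1), 8), 0, i + 1
        while j < len(lines) and lines[j] != "end":
            n = _decoded_len(lines[j])
            if n is None:                     # stop at the first non-uuencoded line
                break
            size += n
            j += 1
        blocks.append({
            "line": i + 1,                                   # 1-based header position
            "name": m.group(2),                              # file the decoder would create
            "perms": stat.filemode(stat.S_IFREG | mode),     # 666 -> -rw-rw-rw-
            "world_writable": bool(mode & 0o002),
            "executable": bool(mode & 0o111),
            "decoded_bytes": size,
            "terminated": j < len(lines) and lines[j] == "end",
        })
        i = j + 1
    return blocks

if __name__ == "__main__":
    for block in find_uu_blocks(SAMPLE):
        print(block)
```
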