{"id":512,"date":"2008-11-18T18:11:30","date_gmt":"2008-11-18T17:11:30","guid":{"rendered":"http:\/\/blog.intego.com\/?p=512"},"modified":"2020-02-05T10:49:22","modified_gmt":"2020-02-05T18:49:22","slug":"intego-issues-security-memo-about-new-variant-of-rsplug-trojan-horse","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/intego-issues-security-memo-about-new-variant-of-rsplug-trojan-horse\/","title":{"rendered":"New variant of RSPlug Trojan horse – Intego issues Security Memo"},"content":{"rendered":"

A new variant of the RSPlug Trojan horse has been found on several pornographic web sites. (See Intego\u2019s previous Internet Security Memo of October 31, 2007 <\/a> for more on this Trojan horse.) While this new variant currently performs the same actions as the RSPlug.A Trojan horse, its installer is different: it is a downloader, and it contacts a remote server to download the files it installs. This means that, in the future, the downloader may be able to install other payloads than the one it currently installs.<\/p>\n

This new variant, like the initial RSPlug.A Trojan horse, has been found on pornographic web sites. When visiting such a site, a user is alerted that there is a \u201cVideo ActiveX Object Error\u201d and is told that their \u201cBrowser cannot play this video file.\u201d The alert instructs the user to download the \u201cmissing Video ActiveX Object\u201d. If the user clicks OK, a disk image called cleanlive.dmg downloads (this name may be different in the future; with the first version of the RSPlug Trojan horse, a number of different names were found). Depending on the user\u2019s browser settings, this disk image may mount and launch automatically commencing installation. If the user clicks Cancel when the Video ActiveX Object alert displays, however, they receive another alert saying, \u201cPlease install new version of Video ActiveX Object.\u201d This alert only allows the user to click OK, returning them to the first alert. The only way to get rid of these alerts is either to download the infected disk image, or quit the browser.<\/p>\n

Read the full security memo<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

A new variant of the RSPlug Trojan horse has been found on several pornographic web sites. (See Intego\u2019s previous Internet Security Memo of October 31, 2007 for more on this Trojan horse.) While this new variant currently performs the same actions as the RSPlug.A Trojan horse, its installer is different: it is a downloader, and […]<\/p>\n","protected":false},"author":3,"featured_media":8763,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[13],"tags":[],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n