It seems that we’ve been using that phrase a lot lately. (We posted about another new variant last week.) In the first year of the RSPlug Trojan horse’s existence (Intego discovered it in October 2007), only a couple of variants were seen, but now there seems to be a new one every week, or every time Intego announces that it has found the latest variant. It’s obvious that the creators of this malware follow The Mac Security Blog: one variant of this Trojan horse even taunted Intego.
So today we’ve spotted RSPlug.M, a new variant of the Trojan horse, which, like the others, makes changes in its code in an attempt to fool antivirus software. But Intego VirusBarrier X5’s proactive analysis spotted this new variant right away.
The RSPlug.M variant was spotted on a music download site offering the download of an album by 2Pac.
While the page for this download contains a link to a RapidShare download page, that link is not active. The two links on the page, one that seems to download the album itself and another for a “Fast Mp3 Music Downloader”, both lead to disk images containing this latest variant of RSPlug. It should be noted that, since the installer contained in the disk image claims to install “MacCinema” (the same installer used for fake video codecs), anyone downloading this disk image thinking it has something to do with music may hesitate.