The scenario is well known: first, a spam campaign hits the Mac forums, trying to lure users to pornography sites where they expect to be able to watch some video. But, alas, they find that they need to download and install a video codec in order to view those files.

A disk image (.dmg) file is then automatically downloaded to the user’s Mac. If the user continues with the installation, they are also asked for the administrator password, which gives the Trojan full root privileges.

According to security firm Intego, the Trojan in question is a form of DNSChanger and was designed to change the Mac’s DNS server, which is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services:

“When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.”

In addition, the Trojan installs a root crontab designed to ensure that its DNS server stays active, even if the network location (and, therefore, the DNS server) is changed.
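
Both changes described above can be checked from a terminal. The script below is an added example, not code from Intego or from this article: it flags resolvers in `scutil --dns` output that are not on an expected list and prints the active entries of root's crontab. The `EXPECTED_DNS` addresses, the sample output and the `--live` switch are constructed assumptions.

```shell
#!/bin/sh
# Added example: check the two things the Trojan changes, the DNS
# resolvers in use and root's crontab.

# Assumption: resolvers you expect to see (documentation-range placeholders).
EXPECTED_DNS="192.0.2.53 192.0.2.54"

# stdin: `scutil --dns` output; $1: space-separated expected resolvers.
# Prints each distinct nameserver that is not on the expected list.
unexpected_dns() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /nameserver\[[0-9]+\]/ {
            ip = $NF
            if (!(ip in ok) && !(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# stdin: a crontab; prints only active (non-blank, non-comment) entries.
active_cron_entries() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' || true
}

# Constructed sample of `scutil --dns` output, for offline use.
sample_scutil() {
    cat <<'EOF'
resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 198.51.100.7
  flags    : Request A records
resolver #2
  nameserver[0] : 198.51.100.7
EOF
}

# Hypothetical --live switch: query the running Mac instead of the sample.
if [ "${1:-}" = "--live" ]; then
    echo "Resolvers not on the expected list:"
    scutil --dns | unexpected_dns "$EXPECTED_DNS"
    echo "Active entries in root's crontab:"
    sudo crontab -l -u root 2>/dev/null | active_cron_entries
else
    echo "Unexpected resolvers in sample: $(sample_scutil | unexpected_dns "$EXPECTED_DNS")"
fi
```

A resolver that reappears after the network location is changed, together with a root crontab entry the administrator did not create, matches the persistence behaviour described above.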

The security company stated that its up-to-date Intego VirusBarrier X4 will terminate the malicious code and also prevent the Trojan horse from being installed.