According to security firm Intego, the Trojan in question is a form of DNSChanger designed to change the Mac’s DNS server, which is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services:
“When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.”
In addition, the Trojan installs a root crontab, designed to ensure that its DNS server stays active even if the network location (and, therefore, the DNS server) is changed.
The security company stated that its up-to-date Intego VirusBarrier X4 will terminate the malicious code and also prevent the Trojan horse from being installed.
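The two behaviours described above (a changed DNS server and a root crontab that keeps it in place) can be checked for together. The following is an added example, not code from Intego or the original article: it parses text in the format printed by `scutil --dns` and the text of root's crontab. The expected resolver address, the keyword hints and both sample inputs are constructed assumptions.

```python
import re

# Assumption: the resolver this Mac is expected to use (constructed value).
EXPECTED_RESOLVERS = {"192.168.1.1"}
# Assumption: substrings suggesting a cron job touches DNS settings.
DNS_HINTS = ("scutil", "networksetup", "dns")

# Constructed sample in the format printed by `scutil --dns`.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.53
  nameserver[1] : 192.168.1.1
"""

# Constructed sample of root's crontab (`sudo crontab -l`).
SAMPLE_CRON = """\
# constructed sample
0 3 * * * /usr/local/bin/backup.sh
* * * * * /Library/Example/placeholder-dns-job
"""

def unexpected_resolvers(scutil_text, expected=EXPECTED_RESOLVERS):
    """Return configured nameservers that are not in the expected set."""
    found = re.findall(r"nameserver\[\d+\]\s*:\s*(\S+)", scutil_text)
    return sorted(set(found) - set(expected))

def suspicious_cron_lines(crontab_text, hints=DNS_HINTS):
    """Return active crontab entries that mention DNS configuration."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if any(h in line.lower() for h in hints):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for ip in unexpected_resolvers(SAMPLE_SCUTIL):
        print("unexpected DNS server:", ip)
    for entry in suspicious_cron_lines(SAMPLE_CRON):
        print("root cron entry to review:", entry)
```

A DNS server that reappears after the network location is changed, combined with a flagged root cron entry, matches the persistence behaviour the article describes.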