I've been following the discussions of this subject, but I have yet to succeed in downloading the trojan or in figuring out how it manages to get installed. I'd appreciate it if someone could send me a direct link. Please don't post the link here or anywhere else on this site. Send it to
and reply to this thread so I know It's there. Mailinator is a webmail server that automatically creates a throwaway account when it receives mail for any address in the domain. The received messages are automatically deleted after a few hours, so I need to know when to look. I also need the message subject so I can distinguish it from spam. Anyone can access the message. If you do, please use caution.
Instructions on what to Google haven't helped me. My setup is quite locked down and I block a lot of otherwise unwanted content. I need a direct URL.
If I get a positive response, I'll try to analyse the trojan in more detail than I've seen here, and post the results in this topic. Thanks.
I found the trojan. I will shortly send a mail to the above-named Mailinator mailbox with the link. The message will be deleted after a few hours. In case it's not clear, that link is to a malware page. Do not visit the link unless you know what you're doing.
I analysed the trojan only superficially. I didn't run the installer because I wasn't motivated to take the necessary precautions. Instead, I extracted the package contents manually and ran them in an unprivileged account, which I then deleted.
The archive that I downloaded was named "BestMacAntivirus2011.mpkg.zip." The package installs only the application MacDefender.app. It also runs a shell script that launches the application.
When launched, the application adds itself to the user's login items and writes a preference file, ~/Library/Preferences/com.alppe.md.plist.plist. It doesn't modify any other user files. It runs as a multi-threaded 64-bit process and doesn't spawn any subprocesses. It contacts a server at the address 126.96.36.199, which is in a netblock assigned to "atjeu publishing, llc" of Phoenix, AZ. A hosting service seems to operate out of that network. The registrant's contact name is given by whois as "Vasilev, Boris."
The application is localized in two languages, English and Russian.
The bundle identifier is "com.alppe.spav.plist". That's a Java-style MIB, not a filename. The indicated domain is registered anonymously in Australia and is represented by a parking page.
The application really does scan the Applications folder and flags a number of executables variously as "Rootkit," "Worm," "Troyan," (sic) and so forth. After the scan completes, the main window closes, but the application doesn't exit. It loads some objectionable pages in Safari, as has been reported, and installs a menu item. There is no Quit menu and the only way to get rid of it is to terminate the process with kill(1) or Activity Monitor.
So to summarize, the trojan can be removed simply by killing the process "MacDefender" in Activity Monitor, deleting the application and the preference file, and removing the login item. There would also be a receipt in /var/db/receipts if you ran the installer, which I didn't.