OSX.RSPlug.A

If your computer is infected with OSX.RSPlug.A, you may follow the procedure on this page to contain this threat. Remove the Trojan at once before it can further harm the system.

OSX.RSPlug.A is a Trojan that disguises itself as a multimedia plug-in required to play online video. It modifies DNS settings on the infected computer and runs malicious scripts that may make the system unstable. The threat targets machines running the OS X operating system. It may enter the target machine by exploiting browser faults and through social engineering web sites.

Once executed on the computer, OSX.RSPlug.A drops a copy of itself as a plug-in for the Internet browser. It may also drop a plug-in for Mozilla Firefox, which is a clean file. Next, the Trojan changes the DNS server to an assigned combination of IP addresses.

Then, the Trojan updates the crontab to launch a script it previously dropped on the computer. The script makes sure the DNS servers keep using the assigned IP, which can cause the infected computer's Internet traffic to be rerouted.

OSX.RSPlug.A then gathers information such as the CPU type, User Identifier (UID), and current hostname. The Trojan sends this collected information to an attacker's web address. Once sent, the Trojan deletes the sendreq file from the system.

Here is an image showing how Norton Antivirus detects the threat right after the user visits a compromised web site.

[Image: OSX.RSPlug.A Detection]

Aliases: OSX/RSPlug-A, OSX/Puper

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Technical Details and Additional Information:

What can OSX.RSPlug.A do to infected system?
- The Trojan modifies DNS settings to redirect web sites.
- It updates the crontab so that it can run a malicious script.
- It sends stolen information such as the CPU type, User ID and host name to a specified URL.

Malicious Files Added by OSX.RSPlug.A
/Library/Internet Plug-Ins/plugins.settings
/Library/Internet Plug-Ins/sendreq
/Library/Internet Plug-Ins/Mozillaplug.plugins
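
A triage script for the artifacts described above, added here as an example and not taken from the original page or from any antivirus vendor. The function names and the crontab heuristic are assumptions of this example; the file paths are the ones listed on this page, and scutil and crontab are the standard OS X tools.

```shell
#!/bin/sh
# Added example: triage for the OSX.RSPlug.A artifacts listed on this page.
# Function names and the crontab heuristic are assumptions of this example.

# Paths from "Malicious Files Added by OSX.RSPlug.A".
RSPLUG_FILES='/Library/Internet Plug-Ins/plugins.settings
/Library/Internet Plug-Ins/sendreq
/Library/Internet Plug-Ins/Mozillaplug.plugins'

# Print every listed file present under ROOT ("/" for the live system, or the
# mount point of a disk image or backup). Returns 0 if any is found, else 1.
rsplug_find_files() {
    root="${1:-/}"; root="${root%/}"; rc=1
    while IFS= read -r p; do
        if [ -e "$root$p" ]; then printf 'FOUND %s\n' "$root$p"; rc=0; fi
    done <<EOF
$RSPLUG_FILES
EOF
    return "$rc"
}

# Read crontab text on stdin; print active (non-comment) entries that point
# into the Internet Plug-Ins directory. Heuristic: the page says the crontab
# launches a dropped script, and every dropped file it lists lives there.
rsplug_scan_cron() {
    grep -v '^[[:space:]]*#' | grep -F '/Library/Internet Plug-Ins/'
}

rsplug_report() {
    rsplug_find_files "${1:-/}" || echo "No listed RSPlug.A files found"
    # Current user's crontab; run under sudo to inspect root's as well.
    if crontab -l 2>/dev/null | rsplug_scan_cron; then
        echo "Review the crontab entries above (crontab -e)"
    fi
    # The page does not give the rogue resolver addresses, so list the active
    # ones to compare against what your router or ISP is expected to assign.
    if command -v scutil >/dev/null 2>&1; then
        scutil --dns | grep 'nameserver\[' | sort -u
    fi
}

# Run only when asked:  sh rsplug_check.sh --run
if [ "${1:-}" = "--run" ]; then rsplug_report /; fi
```

A clean result from this script only means the three listed files and a matching crontab entry are absent; the DNS servers it prints still need to be compared by hand.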

OSX.RSPlug.A – Removal

Removing OSX.RSPlug.A Manually:
1. Install an anti-virus program on the affected computer if there is none.
2. Connect to the Internet and update the virus definitions. Each antivirus program has its own update process. Please refer to the software manual.
3. Some antivirus programs may require you to reboot the machine. Please restart the computer.
4. Run a full system scan and clean/delete all infected files. Running another scan with different security software may help detect other threats not identified in the first scan.

Alternative Removal Method for OSX.RSPlug.A

Option 1: Use Windows System Restore to return Windows to a previous state

If OSX.RSPlug.A enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved before OSX.RSPlug.A infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore; click here to see the full procedure.