Nearly a month ago a number of security companies have analyzed a new Mac Trojan that opens a backdoor into the affected computer and spies on the user by monitoring mouse coordinates, instant messenger apps, the built-in webcam and microphone, clipboard contents, pressed keys, calendar data and alerts, address book contents, URLs visited by the user, and other things.
The malware – dubbed Crisis or Morcut – was not spotted in the wild, but received by the security researcher from VirusTotal in the form of a JAR file, the analysis of which revealed that it contained a .class file named WebEnhancer, and two installers – one for Windows and the other for OS X.
Symantec’s researchers have continued analyzing the file, and have recently discovered that the Windows version of the threat uses three methods to spread itself: to a removable disk drive, to a VMware virtual machine, and to a Windows Mobile device.
Unlike the majority of other malware that terminates itself when it detects a VMware virtual machine image on the compromised computer in order to avoid being analyzed, this one mounts the image and then copies itself onto the image by using a VMware Player tool.
Also, the threat is capable of spreading to Windows Mobile devices by dropping modules onto devices connected to compromised Windows computers, but does not affect Android or iPhone devices.