Defend what you create



Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen


Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86



Added to the Dr.Web virus database: 2016-02-24

Virus description added:



A Trojan for OS X designed to install other malicious and dangerous applications. It is spread as a file appended with the .pkg extension.

Mac.Trojan.VSearch #drweb

The installer includes the following components:

  • NicePlayer.pkg
  • Plugins
  • Resources
  • [TOC].xml
  • Distribution
  • Scripts

The Plugins folder contains the Trojan who reads the ID number of the Trojan’s distributor from the Plugins\Offers.bundle\Contents\Resources\dc.txt text file and sends a request to the C&C server in order to get a list of components to be installed.

Once the installer is launched, the user sees a standard greeting on the screen. When they click “Continue”, Mac.Trojan.VSearch.2 should display a list of components that the user can install in addition to the desired application. This dialog usually prompts the user to choose necessary modules form the list. However, in fact, it is not the case because the installer skips this step and moves to the next stage prompting the user to specify the installation folder. At that, the Trojan is set as if the user themselves checked all offered components.

Then the preinstall script is launched from the NicePlayer.pkg folder. This script checks the system for the presence of a virtual machine and sends a request to the server in order to obtain a script for components installation. The script is saved as

The Trojan is currently known to install the following components using this script:

  • Client Updater - Mac.Trojan.VSearch.4
  • Trovi - Mac.Trojan.Conduit
  • MacKeeper - Program.Mac.Unwanted.MacKeeper
  • ZipCloud - Program.Mac.Unwanted.ZipCloud
  • Nice Player – an application that the user initially intended to install

News about the Trojan

Curing recommendations


Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

Führender russischer Hersteller von Virenschutzsoftware
Entwickelt seit 1992
Dr.Web wird in mehr als 200 Ländern genutzt
Antivirus im SaaS-Modell seit 2007
Technischer Support rund um die Uhr

Dr.Web © Doctor Web
2003 — 2021

Doctor Web ist ein russischer Entwickler von IT-Sicherheitslösungen unter dem Markennamen Dr.Web. Dr.Web Produkte werden seit 1992 entwickelt.

Doctor Web Deutschland GmbH. Bäderstraße 1
76530 Baden-Baden