Mac Trojan Causes A Stir
Filed in archive Security by Eileen Peck on November 14, 2007

The Trojan was originally found on pornographic Web sites that promise the user the ability to view pornographic videos by clicking on a still image on the malicious site. If a user clicks on the photo, they are redirected to a Web page that informs the user that QuickTime cannot load the movie file and provides another link for the user to download a new version of the codec. If the user follows the link, a .dmg file is downloaded to the user's computer; the image may mount, depending upon the user's browser settings, and the installer is launched. During the installation process, the Trojan installer asks for the administrator password, which then gives it full root privileges.
The Trojan installs DNSChanger, and then hijacks some Web requests. The hijacked requests are redirected to phishing sites or pages that display ads for pornographic Web sites.
Under older versions of the Mac OS, the user does not have any way to see the redirector in the user interface. Under 10.5, the user can see the added DNS servers, which are greyed out and cannot be removed manually. The site also installs a cron job that runs every minute to see that the malicious DNS server is still working.
Users are reminded that all QuickTime codecs come from Apple and are identified and delivered as part of the normal OS updates. Users should also be wary of downloading software from untrusted sources.
Macworld has posted removal instructions for users whose computers have been infected by this malware.
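The two signs described above, added DNS servers and a job scheduled to run every minute, can be checked with a short shell script. This is an added example, not code from the original post or from Macworld's instructions; the sample crontab, the placeholder command path and the addresses are constructed, and the resolver parsing assumes the usual `scutil --dns` output layout.

```shell
#!/bin/sh
# Added example: triage helpers for the two signs the article describes.
# Both read text on stdin, so they can be tried on the constructed samples below.

# Print the command of every crontab entry scheduled to run each minute
# ("* * * * *", or the equivalent "*/1" in the minute field).
every_minute_jobs() {
    awk '($1 == "*" || $1 == "*/1") && $2 == "*" && $3 == "*" &&
         $4 == "*" && $5 == "*" && NF >= 6 {
             $1 = $2 = $3 = $4 = $5 = ""; sub(/^ +/, ""); print
         }'
}

# Print each nameserver in `scutil --dns` output that is not in the
# allowlist passed as arguments (the resolvers you expect on this network).
unexpected_resolvers() {
    allowed=" $* "
    awk '/nameserver\[[0-9]+\]/ { print $NF }' | sort -u |
    while read -r ip; do
        case "$allowed" in
            *" $ip "*) ;;            # expected resolver
            *) echo "$ip" ;;         # not on the allowlist: investigate
        esac
    done
}

# Constructed sample input (documentation addresses, placeholder command).
SAMPLE_CRON='# constructed sample crontab
0 3 * * * /usr/sbin/periodic daily
* * * * * /path/to/PLACEHOLDER-dns-check'
SAMPLE_DNS='resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 203.0.113.7
  nameserver[2] : 203.0.113.8'

printf '%s\n' "$SAMPLE_CRON" | every_minute_jobs
printf '%s\n' "$SAMPLE_DNS"  | unexpected_resolvers 192.0.2.53

# On a real Mac (assumed usage):
#   crontab -l | every_minute_jobs; sudo crontab -l | every_minute_jobs
#   scutil --dns | unexpected_resolvers <your expected resolver IPs>
```

An every-minute job is not malicious by itself; treat a hit as a prompt to inspect the command it runs.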