My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2016-02-24

Virus description added:



A Trojan for OS X designed to install other malicious and dangerous applications. It is spread as a file appended with the .pkg extension.

Mac.Trojan.VSearch #drweb

The installer includes the following components:

  • NicePlayer.pkg
  • Plugins
  • Resources
  • [TOC].xml
  • Distribution
  • Scripts

The Plugins folder contains the Trojan who reads the ID number of the Trojan’s distributor from the Plugins\Offers.bundle\Contents\Resources\dc.txt text file and sends a request to the C&C server in order to get a list of components to be installed.

Once the installer is launched, the user sees a standard greeting on the screen. When they click “Continue”, Mac.Trojan.VSearch.2 should display a list of components that the user can install in addition to the desired application. This dialog usually prompts the user to choose necessary modules form the list. However, in fact, it is not the case because the installer skips this step and moves to the next stage prompting the user to specify the installation folder. At that, the Trojan is set as if the user themselves checked all offered components.

Then the preinstall script is launched from the NicePlayer.pkg folder. This script checks the system for the presence of a virtual machine and sends a request to the server in order to obtain a script for components installation. The script is saved as

The Trojan is currently known to install the following components using this script:

  • Client Updater - Mac.Trojan.VSearch.4
  • Trovi - Mac.Trojan.Conduit
  • MacKeeper - Program.Mac.Unwanted.MacKeeper
  • ZipCloud - Program.Mac.Unwanted.ZipCloud
  • Nice Player – an application that the user initially intended to install

News about the Trojan

Curing recommendations


Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

© Doctor Web
2003 — 2023

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies