There’s a new Mac Trojan horse making the rounds, this one called Revir (OSX/Revir-A/B). This Trojan is unique, as it doesn’t require the user to authenticate as an admin user for the install to take place.

The Revir Trojan disguises itself as a Chinese language PDF containing text about political disputes. When opened, it copies files to /tmp/host, which in turn installs a backdoor named Imuler.A. This is set to launch via a LaunchAgent named checkvir.plist. Theoretically, once the backdoor is running, the Mac is vulnerable to attack from a remote server.

This Trojan is not widespread, and to date no variant has communicated anything via the backdoor, due to its poorly coded install mechanism.

To avoid getting this Trojan, don’t open PDFs whose origin you don’t know. If you have recently opened a Chinese language PDF by mistake, it would be a good idea to run a full scan on your Mac using a malware checker like ClamXav or Sophos Anti-Virus.
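The two on-disk artifacts named above (/tmp/host and a LaunchAgent called checkvir.plist) can also be checked for directly. The following is an added example, not from the original post; the `revir_check` function name, its optional root-prefix argument, and the LaunchAgents directories it searches are assumptions, since the article does not say where the plist is installed.

```shell
#!/bin/sh
# Added example: look for the two Revir/Imuler artifacts named in the article.
# Usage: revir_check                  (live system)
#        revir_check /Volumes/Image   (mounted disk image or copied tree)
# The root-prefix argument is a hypothetical convenience, not part of any tool.

revir_check() {
    root="${1:-}"
    found=0

    # Artifact 1: dropped payload at /tmp/host (path given in the article).
    if [ -e "$root/tmp/host" ]; then
        echo "FOUND payload: $root/tmp/host"
        found=$((found + 1))
    fi

    # Artifact 2: LaunchAgent named checkvir.plist. The article does not say
    # which LaunchAgents directory is used, so check every user's directory
    # and the system-wide one (assumption: standard macOS locations).
    for dir in "$root"/Users/*/Library/LaunchAgents \
               "$root/Library/LaunchAgents"; do
        [ -d "$dir" ] || continue
        if [ -e "$dir/checkvir.plist" ]; then
            echo "FOUND LaunchAgent: $dir/checkvir.plist"
            found=$((found + 1))
        fi
    done

    if [ "$found" -eq 0 ]; then
        echo "No Revir artifacts found under ${root:-/}"
        return 0
    fi
    return 1   # non-zero exit status signals at least one artifact
}
```

A clean result only means these two files are absent; it does not replace the full scan recommended above.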

Apple updated XProtect on 9/26/11 to scan downloaded files for Revir.