David H. Lipman wrote:
<snip>
> ====
> This entry is available at
> http://www.us-cert.gov/current/index...cprotector_and


The user searches for something on the web and clicks on a link.
Sometimes the bad link is part of a comment left at a news site.

The page pops up various screens and graphics to make it appear as if
the web page has detected a virus on your Mac. It is all fake.

If you click on anything on that page, including the cancel button, a
you will download the malicious “Mac Defender” installer.

If you have “Open Safe Files After Downloading” then the installer will
launch and run.

At this point the installer asks for the admin password, to get
permission to install. The Mac Guard variant doesn’t ask for a password,
but still asks for permission to install.

If the user gives the password, it installs and infects the Mac.

Fake virus scanning screens appear and declare that the Mac is infected
with a virus, a credit card number is requested so that the Mac can be
cleaned.

http://macmost.com/mac-defender-trojan-malware.html