According to the IT security vendor, once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites - e.g. Google.com.tw, Google.com.tl etc - to the IP address 91.224.160.26, which is located in Netherlands.
F-Secure reports that the server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.
When a search request is entered, the remote server returns a fake page that mimics a legitimate Google search results page.
"Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server", says the firm's security posting.
At the time of its posting late yesterday, F-Secure says that pop-up pages are not displaying anything, though the firm's research team presume they are ads of some sort.
IT security forum reports suggest that the fake Flash installer has hit a number of users, though most Mac IT security applications are able to spot and disable the malware.