26 July 2012
New OSX/Crisis malware found for OS X 10.6 and 10.7
A new script-based malware threat for OS X has been uncovered by security company Intego. The malware, called OSX/Crisis, has so far not been found "in the wild," but it has the potential to do harm.
Most of the installed files are randomly named, though in all cases the malware appears to install a file called "appleHID" in the /Library/ScriptingAdditions/ directory. If a password is supplied and the installer gets root permissions, then the malware will additionally locate the system's Foundation framework and install a malware package called "com.apple.mdworker_server.xpc" within it.
The parent directories where these files are installed are the following:
Macintosh HD/Library/ScriptingAdditions/
Macintosh HD/System/Library/Frameworks/Foundation.framework/XPCServices/
Intego provides no information about what the malware looks like when it is first encountered.
http://reviews.cnet.com/8301-13727_...-crisis-malware-found-for-os-x-10.6-and-10.7/
A worm in the Apple it seems..
:D
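A way to check a volume for the two fixed install locations the article names, as an added example that is not from Intego or the original article. The function names and the return-code convention are assumptions of this example; the paths are the ones quoted above.

```shell
#!/bin/sh
# Added example (not Intego's or the article's code): look for the two
# OSX/Crisis install locations the article names on a given volume.
# The function names and return codes are assumptions of this example.

# Paths relative to the volume root, as given in the article.
CRISIS_HID="Library/ScriptingAdditions/appleHID"
CRISIS_XPC="System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc"

# present PATH: true if anything exists at PATH, including a dangling symlink.
present() {
    [ -e "$1" ] || [ -L "$1" ]
}

# crisis_check [ROOT]: ROOT is the volume to inspect ("/" by default, or the
# mount point of another disk or image). Prints one line per location.
# Returns 0 = neither found, 1 = only appleHID found (install without root),
#         2 = the XPC package found (installer had root permissions).
crisis_check() {
    root="${1:-/}"
    root="${root%/}"   # "/" becomes "", "/Volumes/X/" becomes "/Volumes/X"
    found=0
    if present "$root/$CRISIS_HID"; then
        echo "FOUND   $root/$CRISIS_HID"
        found=1
    else
        echo "absent  $root/$CRISIS_HID"
    fi
    if present "$root/$CRISIS_XPC"; then
        echo "FOUND   $root/$CRISIS_XPC"
        found=2
    else
        echo "absent  $root/$CRISIS_XPC"
    fi
    return "$found"
}

# Run only when a volume is named on the command line.
if [ "$#" -gt 0 ]; then
    crisis_check "$1"
fi
```

A return of 0 only means these two fixed names are absent; the article notes that most of the other installed files are randomly named.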