http://www.itwire.com/business-it-news/security/50439-flashback-trojan-hides-inside-safari

The Flashback Trojan first appeared last month. Posing as an Adobe Flash installer, it installed code that could send information about the computer, and also had the capability to download additional malware.

The latest variant - Flashback.D - hides its payload not in the user's Preferences folder (it could previously be found at ~/Library/Preferences/Preferences.dylib), but inside the Safari application bundle.

Security company Intego has revealed that the Trojan now installs its payload as /Applications/Safari.app/Contents/Resources/UnHackMeBuild, and adds an entry to Safari's Info.plist file (/Applications/Safari.app/Contents/Info.plist) that loads it when Safari starts.