I'll bet that the high number of alleged "infected" Macs in the US represents people who have visited those dodgy *.rr.nu sites -- without realizing it -- through an image or other link on some other site they hit intentionally (or otherwise), like a porn site.
> Note that the websites carrying the Trojan are NOT US websites.
Ummm, how do you figure that? Although the TLD ".nu" is assigned to island state of Niue, it looks like the domain "rr.nu" is in New Jersey.
% whois rr.nu
------------------------------------------------------------------------
.NU Domain Ltd Whois service
Domain Name (ASCII): rr.nu
Technical Contact:
InfoRelay abuse@sitelutions.com
4 Bridge Plaza Drive
Englishtown
NJ 07726
US
Phone: (703) 485-4600 (voice)
Record last updated on 2011-Oct-17.
Record expires on 2016-Nov-4.
Record created on 1998-Nov-4.
Record status: Active
Registrar of record: .NU Domain Ltd
Referral URL: http://www.nunames.nu
The Doctor Web stated the websites with the malware were out of country websites, hard to track down and shut down. I went with their statement. I did not search the ownership of the Domain. However, according to international law, hosting is supposed to be in the country of the domain assignment... even if the ownership may be a New Jersey corporation. Wikipedia says that in 2010, Niue, the country NU is assigned to, found that hosting websites was a good revenue source and opened up their domain to the world... and are not too picky about who, or what, they allow. Apparently it is sort of an Internet Domain Switzerland...
I just found this on one of the major sites in the comments:
I did 5 minutes of research and found out that the majority of the sites infected with the trojan end in .nu and are sites (legal or illegal) for streaming videos, movies etc. in Scandanavia, Belgium and Denmark. I find it hard to believe that over 1/2 million Mac users would go to those sites. Something is fishy here. I wonder if this was originally posted on the internet on April Fools Day?
LOL! Porn sites?