Status
Not open for further replies.
CoMpX said:
Has anyone contacted Apple about this? Someone with more knowledge than me should really contact Apple and let them know that this is becoming serious and many people are becoming infected. Maybe they will know what to do or release a patch or something.
I vote yankeefan because he seems to be the most affected (also the first) and it's getting VERY late here so anything I send probably won't make a lick of sense. Yankeefan also has the file mirrored on his site for Apple's reference.
 
Mark This Date:
 

Attachments

  • sickmac.png · 3.4 KB · Views: 2,747
Gee I'm glad I didn't download this.

Where are the mods? Who's talking to Apple?

Answers people, we need answers!!!
 
still trying to piece it all together.

Has anyone analyzed the file? Is it a terminal script?

arn
 
can someone PM me a link to the file in question. Yes, I know the risks. :)

[edit: thanks, got it.]

arn
 
I would like a link to it too. I can take a look at it on my Win PC. As long as there's no Windows component to it, I should be ok.

Hmm, maybe I should boot into Linux and use that instead, if I can get my hands on it.
 
I hope this problem is fixed quickly. Also I'm hoping the total damage is pretty minor.

Best case outcome of this virus is it becomes a wake-up call to Mac users that even though you use a Mac, one still needs to practice safe online computing. Big one is don't open files or attachments that you are not sure what they do. Some Mac users have it in their heads that because they use a Mac they are invincible. They are a lot safer than most Windows users but far from invincible. Something that is IMPOSSIBLE. Well, it is possible, but it would require the computer just staying in the box and never being turned on.....
 
Timepass said:
I hope this problem is fixed quickly. Also I'm hoping the total damage is pretty minor.

Best case outcome of this virus is it becomes a wake-up call to Mac users that even though you use a Mac, one still needs to practice safe online computing. Big one is don't open files or attachments that you are not sure what they do. Some Mac users have it in their heads that because they use a Mac they are invincible. They are a lot safer than most Windows users but far from invincible. Something that is IMPOSSIBLE. Well, it is possible, but it would require the computer just staying in the box and never being turned on.....
The file itself was a terminal script, but the creator changed the icon so that it would look like a JPEG, so when it was downloaded it looked just like a picture, but when executed it opened Terminal.
 
Laser47 said:
The file itself was a terminal script, but the creator changed the icon so that it would look like a JPEG, so when it was downloaded it looked just like a picture, but when executed it opened Terminal.

hmm,

I still don't think it changes the other main point on it being a wake-up call to Mac users to still practice safe computing.
 
Laser47 said:
The file itself was a terminal script, but the creator changed the icon so that it would look like a JPEG, so when it was downloaded it looked just like a picture, but when executed it opened Terminal.

To have the file appear as a jpg (or whatever you'd like) all you have to do is change the extension.
 
I'm not sure how this came originally, but the file I was pointed to is a tgz - a gzipped tar file.

The tar file contains two executables (not scripts) probably compiled with gcc, containing a function (among others) called infectApps.

One executable is "latestpics", which would show up, and another called ._latestpics, which because of the initial . would be hidden from view.

This isn't much to go on so far, but I'll take another look when I have time.

Edit: my mistake, ._latestpics is not an executable - it's read only. Probably the payload or some data file.

Edit 2: latestpics has another function called copySelf
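The post above makes the practical point: the archive carried a visible file and a hidden "._" file, the icon made the visible one look like a picture, and only inspecting the bytes and mode bits revealed an executable. The script below is an added example (not code from the thread or from any analysis linked in it) of that check. It builds a constructed .tgz in memory that mimics the layout described (a Mach-O executable named "latestpics", a hidden "._latestpics" sidecar, and a real JPEG for contrast) and reports what each entry actually is by magic number and executable bit rather than by name or icon. The payload bytes, file names and the fact that "._latestpics" is an AppleDouble sidecar are all constructed assumptions for the demo; the real archive's contents are only described, not reproduced, on the page.

```python
"""Inspecting a .tgz before trusting its icon or extension.

Added example, not code from the thread. It builds a constructed archive
in memory and classifies each entry by its leading bytes and mode bits.
"""
import io
import stat
import tarfile
from typing import Dict, List

# Magic numbers at offset 0: Mach-O 32/64-bit in both byte orders (PPC is
# big-endian, Intel little-endian), the fat/universal header, the AppleDouble
# header that ._ sidecar files start with, and JPEG.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"          # also the Java class-file magic
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"
JPEG_MAGIC = b"\xff\xd8\xff"


def classify(head: bytes) -> str:
    """Name the file type from its first bytes, ignoring name and icon."""
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head[:4] == FAT_MAGIC:
        return "fat-binary"
    if head[:4] == APPLEDOUBLE_MAGIC:
        return "appledouble"
    if head[:3] == JPEG_MAGIC:
        return "jpeg"
    return "other"


def scan_tgz(data: bytes) -> List[Dict]:
    """Return one finding per regular file in a gzipped tar archive."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            head = tf.extractfile(member).read(8)
            kind = classify(head)
            # tar preserves Unix mode bits, so the execute bit survives the
            # download even though the browser only ever saw an archive.
            executable = bool(member.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            base = member.name.rsplit("/", 1)[-1]
            findings.append({
                "name": member.name,
                "kind": kind,
                "executable": executable,
                "suspicious": executable or kind in ("mach-o", "fat-binary"),
                # A ._foo AppleDouble file is the sidecar holding foo's resource
                # fork and Finder info, which is where a pasted custom icon lives.
                "icon_sidecar_for": (base[2:] if base.startswith("._") and kind == "appledouble"
                                     else None),
            })
    return findings


def build_sample_tgz() -> bytes:
    """Constructed archive: a disguised executable, its sidecar, a real JPEG."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name: str, payload: bytes, mode: int) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            tf.addfile(info, io.BytesIO(payload))
        add("latestpics", b"\xfe\xed\xfa\xce" + b"\x00" * 60, 0o755)   # big-endian Mach-O, +x
        add("._latestpics", b"\x00\x05\x16\x07" + b"\x00" * 60, 0o644)  # AppleDouble sidecar
        add("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60, 0o644)   # genuine JPEG header
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_tgz(build_sample_tgz()):
        flag = "!!" if f["suspicious"] else "  "
        print(flag, f["name"], f["kind"], "exec" if f["executable"] else "")
```

Running it lists "latestpics" as a Mach-O with the execute bit set, "._latestpics" as the AppleDouble sidecar for it, and the JPEG as plain data; the same scan run on a downloaded archive is the check the browser could not perform for the user.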
 
Disassembly of "latestpics"

Folks... the file "latestpics.tgz" is definitely up to no good, or at least wants to appear that it is up to no good. When unarchived, the file appears to be a JPEG file because someone pasted the image of a JPEG file onto the file.

The file is actually a Unix executable, with routines such as:

_infect:
_infectApps:
_installHooks:
_copySelf:

I have not looked at it in complete detail yet, but it does indeed appear to be opening files, changing file attributes, and potentially doing damage.

DO NOT DOWNLOAD OR RUN THIS FILE

I will be looking into it further; if you are a programmer, attached is the disassembly of the executable (it's just a plain text file) for your reading pleasure.

It XORs the static string data stored in it, which is why it doesn't appear to have any string constants. It's definitely trying to mask what it is doing. More later.

I will post updates here:

http://www.ambrosiasw.com/forums/index.php?showtopic=102379
 

Attachments

  • lastestpics.txt · 29.5 KB · Views: 3,018
I never think about viruses. But all you have to do is chuck your hard drive if infected, correct? And I'd think the MR administrators could easily find out where this came from and sic the LAW on them, right?
 
California said:
But all you have to do is chuck your hard drive if infected, correct?
Yep, that's all people would have to do, provided that they never leave important files on their disks, make regular backups, and don't mind reinstalling all their software. So, there are about 15 people in the world who wouldn't be inconvenienced by this ;)
And I'd think the MR administrators could easily find out where this came from and sic the LAW on them, right?
I wouldn't count on that. Any IP address they have is probably an open proxy, and the mail account a throwaway. As AV vendors will happily acknowledge, law enforcement is useless for stopping malware.
 
SamMiller0 said:
Andrew (or someone else), please post a link to this trojan. As a programmer I'd like to see what this thing does.

Well, for obvious reasons, I'm not sure that's a great idea. At least not until it is further analyzed. You can look at the disassembly I posted to get an idea what it's doing.
 
MacRumors asks that nobody post the original URL of the file in question or copies of the files in question. Let's not take chances while there are unknowns.

Thank you.
 
I've been following this since a few minutes after the original post appeared. Went through all the hoops to download the file except the final click, but it looked a bit funny, so I passed for the time being. Thanks to yankeefan24 and Benjamindaines for quickly posting some details on what it appeared to be doing...stopped a lot of people from falling into the trap.

Definitely not a good day for Mac users, and I'm looking forward to seeing an analysis of what it actually does. Wake up Mac users...you are not safe by any means.
 
Does anyone think Apple could patch this, or would want to see this virus for themselves? It would surely help them to combat problems that are to come. Oh yea, this guy lasthope made that one post before being banned; I'm sure he wanted to see if his virus is headed in the right direction. Good job on banning him.
 
plinden said:
I'm not sure how this came originally, but the file I was pointed to is a tgz - a gzipped tar file.

The tar file contains two executables (not scripts) probably compiled with gcc, containing a function (among others) called infectApps....

So, didn't Safari automatically warn people that they were downloading an executable/application, which should immediately raise big red flags (given that the file was supposed to be a picture)??

Or were the users who got infected with these files using Firefox or some alternative browser? I'm very curious to know...
 
Apple is watching.

I have worked at an Apple Store. I can tell you for a fact that there will be at the very least a dozen people looking into this. I bet they'll have a fix / explanation in no time.
 
macrumors12345 said:
So, didn't Safari automatically warn people that they were downloading an executable/application, which should immediately raise big red flags (given that the file was supposed to be a picture)??

Or were the users who got infected with these files using Firefox or some alternative browser? I'm very curious to know...

Well, I'm using Netscape and didn't receive a warning, but would you really expect to? It wasn't a direct download of an application, it was an app that was compressed (tar), so your browser wouldn't know an app is inside; for all a browser knows, a picture was inside.
 
Ripmixburn said:
I have worked at an Apple Store. I can tell you for a fact that there will be at very least a dozen people looking into this. I bet they'll have a fix / explanation in no time.


I have to agree with this. The last thing Apple needs right now is for all this wildfire about viruses coming out during the Intel transition. Tomorrow Steve Jobs is going to yell at a lot of engineers to get this fixed fast because their jobs depend on it. I see a Mac patch in 5 days.
 