Welcome to the Mac Forums forums.
Old Feb 14, 2006, 09:44 PM   #1
yankeefan24
macrumors 65816
 
 
Join Date: Dec 2005
Location: NYC
A Mac trojan??? the image by lasthope?!?!?

This thread and the events are summarized here: The First Mac Virus? (A New OS X Trojan)


If anyone remembers last night, when lasthope spread that picture that opened in Terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the "latest pics" file. Any help? I have already secure-deleted it off of my hard drive, but how do I know that it will not come back? Any help is appreciated.

link to lasthopes thread:
http://forums.macrumors.com/showthre...=1#post2142507
__________________

MacBook "Black Edition"
23" ACD

Disclaimer: Never take facts I state in a post as totally 100% correct unless otherwise stated.

Last edited by arn : Feb 16, 2006 at 02:42 AM.
Old Feb 14, 2006, 09:52 PM   #2
Benjamindaines
macrumors 68030
 
 
Join Date: Mar 2005
Location: A religiously oppressed state
Same thing happened over here (as you see from my post in the other thread) and everything seems to be fine but we have no way of telling because [rant] APPLE DOESN'T INCLUDE ****ING VIRUS PROTECTION IN THE .MAC ANY MORE!!!!!!!!! [/rant]
__________________
Pownce | Last.FM | Web Updated January 3

Last edited by Rower_CPU : Feb 15, 2006 at 11:22 AM. Reason: don't circumvent the profanity filter
Old Feb 14, 2006, 10:06 PM   #3
GFLPraxis
macrumors 601
 
 
Join Date: Mar 2004
Sounds like a trojan, not a virus.

Quote:
Originally Posted by Benjamindaines
Same thing happened over here (as you see from my post in the other thread) and everything seems to be fine but we have no way of telling because [rant] APPLE DOESN'T INCLUDE ****ING VIRUS PROTECTION IN THE .MAC ANY MORE!!!!!!!!! [/rant]
Um...dude, virus protection only looks for known viruses and trojans, it wouldn't find a newly released one anyway until Apple updated it to look for it. And since there are no Mac viruses anyway, it's perfectly fine for Apple to not include it.
__________________
Nintendo Players - the Ultimate Nintendo Resource
MacBook CD/2GHz/2GB/160GB/SD
Hackintosh Core 2 Quad/2.4 GHz/4GB/660GB/8800GT
16 GB iPhone

Last edited by Rower_CPU : Feb 15, 2006 at 11:22 AM.
Old Feb 14, 2006, 10:15 PM   #4
Laser47
macrumors 6502a
 
 
Join Date: Jan 2004
Location: Maryland
I ran it, opened Terminal, and then closed it. Don't know about sending messages to other computers, though, because I have the only Mac in my house.
__________________
iBook G4 14" 1.42ghz, 1.5gb RAM, 100gb 7200rpm Travelstar, 4G iPod 40gb
Old Feb 14, 2006, 10:16 PM   #5
Timepass
Banned
 
Join Date: Jan 2005
Quote:
Originally Posted by GFLPraxis
Sounds like a trojan, not a virus.

Um...dude, virus protection only looks for known viruses and trojans, it wouldn't find a newly released one anyway until Apple updated it to look for it. And since there are no Mac viruses anyway, it's perfectly fine for Apple to not include it.

No, it can find new ones. Normally covered by a bloodhound-like feature (basically it looks for virus-like chars and quarantines the file). Now, it will not be able to remove the virus and cure it, but it will prevent access to it and protect the rest of the system from it.
Old Feb 14, 2006, 10:38 PM   #6
cemorris
macrumors regular
 
Join Date: Oct 2004
Quote:
Originally Posted by Benjamindaines
Same thing happened over here (as you see from my post in the other thread) and everything seems to be fine but we have no way of telling because [rant] APPLE DOESN'T INCLUDE ****ING VIRUS PROTECTION IN THE .MAC ANY MORE!!!!!!!!! [/rant]
Give this a try and see if it can detect this virus/trojan.

http://www.clamxav.com/

Last edited by Rower_CPU : Feb 15, 2006 at 11:22 AM.
Old Feb 15, 2006, 12:28 PM   #7
Mr. Mister
Banned
 
Join Date: Feb 2006
Mac OS X is very specific about making installing viruses a thing that the user has a very large part in. Don't impulsively type your system password when a dialogue box pops up and you should be fine.
Old Feb 15, 2006, 05:14 PM   #8
yankeefan24
Thread Starter
macrumors 65816
 
 
Join Date: Dec 2005
Location: NYC
Quote:
Originally Posted by Mr. Mister
Mac OS X is very specific about making installing viruses a thing that the user has a very large part in. Don't impulsively type your system password when a dialogue box pops up and you should be fine.
Well, what it did was, when you opened the file disguised as a JPEG, it would open Terminal and run a script. No passwords or anything.
__________________

MacBook "Black Edition"
23" ACD

Disclaimer: Never take facts I state in a post as totally 100% correct unless otherwise stated.
Old Feb 15, 2006, 05:26 PM   #9
Benjamindaines
macrumors 68030
 
 
Join Date: Mar 2005
Location: A religiously oppressed state
Quote:
Originally Posted by yankeefan24
well what it did, was when you opened the file disguesed as a jpeg, it would open terminal and run a script. no passwords or anything.
But for what it was trying to do it DID need a password; that's why the permission was denied and we're "safe".
__________________
Pownce | Last.FM | Web Updated January 3
Old Feb 15, 2006, 05:28 PM   #10
yankeefan24
Thread Starter
macrumors 65816
 
 
Join Date: Dec 2005
Location: NYC
Quote:
Originally Posted by Benjamindaines
but for what it was trying to do it DID need a password, that's why the permission was denied and we're "safe"
But permission was not denied for me. It ran a full script (but I closed Terminal and deleted it before screenshots) without any permissions being denied.
__________________

MacBook "Black Edition"
23" ACD

Disclaimer: Never take facts I state in a post as totally 100% correct unless otherwise stated.
Old Feb 15, 2006, 05:30 PM   #11
ITASOR
macrumors 68040
 
 
Join Date: Mar 2005
Location: Oneida, NY
Quote:
Originally Posted by Benjamindaines
we're "safe"
Right, unless he DID put his password in...
__________________
Alumium MacBook 2.0Ghz C2D | 2GB RAM | 320GB HD | Snow Leopard
Old Feb 15, 2006, 05:34 PM   #12
Benjamindaines
macrumors 68030
 
 
Join Date: Mar 2005
Location: A religiously oppressed state
Quote:
Originally Posted by ITASOR
Right, unless he DID put his password in...
It never asked for it, it just denied permission and ended the command.
__________________
Pownce | Last.FM | Web Updated January 3
Old Feb 15, 2006, 07:09 PM   #13
yankeefan24
Thread Starter
macrumors 65816
 
 
Join Date: Dec 2005
Location: NYC
The trojan still exists on this computer. Does anyone know where the file would be located on my HDD?

Unlike Benjamin, mine somehow got permission to do whatever it had to do. I have the file mirrored (I think that's the right term) on a separate site, so if anyone wants to reverse engineer it, you can do that. Just remember that you are downloading a known trojan (because the downloader knows that it is a trojan (you can't get past that on the site), I think I am allowed to give it out; just PM me so I am sure).

The virus is still alive on my computer despite secure-deleting the script (it tried to get itself to my sister's computer), so any help is appreciated, and I hope this isn't worse than it seems. But it didn't require a password, so I believe that it can't do anything very bad, but why would someone make a trojan just to spread it, so he can say he made the first Mac virus (I know it's not a virus, but that might be what the guy was aiming for)? All help is appreciated.

I did scan my home Library folder with the above linked app.

BTW, I think that lasthope should be banned, and tell exactly what it does.
__________________

MacBook "Black Edition"
23" ACD

Disclaimer: Never take facts I state in a post as totally 100% correct unless otherwise stated.
Old Feb 15, 2006, 07:22 PM   #14
CoMpX
macrumors 65816
 
 
Join Date: Jun 2005
Location: New Jersey
I really hope this guy gets what he deserved. I also hope that this doesn't get worse as we find out more about it. It already has the ability to spread to every Mac on the network. Good thing I downloaded the file and then just decided to delete it. What if I had opened it at school?? Every Mac in the school would have this "thing" on it!
Old Feb 15, 2006, 07:27 PM   #15
yankeefan24
Thread Starter
macrumors 65816
 
 
Join Date: Dec 2005
Location: NYC
Quote:
Originally Posted by CoMpX
I really hope this guy gets what he deserved. I also hope that this doesn't get worse as we find out more about it. It already has the ability to spread to every mac on the network. Good thing I downloaded the file and then just decided to delete it. What if I opened it at school?? Every Mac in the school would have this "thing" on it!
No, it only spreads through Bonjour/Rendezvous or whatever they call it. It would spread like a fire in dead woods if it happened at an Apple Store. All those people who just press Accept for everything. I am backing up my Desktop, Documents, and Library folders on my old 20 GB iPod.

Again, if anyone thinks that they can isolate it and reverse engineer it or anything like that, I will be happy to give you the mirrored link (I'm not posting it here because I am not sure what the rules are).
__________________

MacBook "Black Edition"
23" ACD

Disclaimer: Never take facts I state in a post as totally 100% correct unless otherwise stated.
Old Feb 15, 2006, 07:33 PM   #16
Benjamindaines
macrumors 68030
 
 
Join Date: Mar 2005
Location: A religiously oppressed state
Quote:
Originally Posted by yankeefan24
No, it only spreads through Bonjour/Rendezvous or whatever they call it. It would spread like a fire in dead woods if it happened at an Apple Store. All those people who just press Accept for everything. I am backing up my Desktop, Documents, and Library folders on my old 20 GB iPod.

Again, if anyone thinks that they can isolate it and reverse engineer it or anything like that, I will be happy to give you the mirrored link (I'm not posting it here because I am not sure what the rules are).
It also spreads through AIM in iChat, I just IMed someone and the file popped up.
__________________
Pownce | Last.FM | Web Updated January 3
Old Feb 15, 2006, 07:35 PM   #17
yankeefan24
Thread Starter
macrumors 65816
 
 
Join Date: Dec 2005
Location: NYC
Quote:
Originally Posted by Benjamindaines
It also spreads through AIM in iChat, I just IMed someone and the file popped up.
Well, I have alerted my Mac friend (it's amazing how many people I know who use Windows) about it. I just hope it doesn't spread to Windows. OK then, I am switching to my other computer now (my old 1 GHz TiBook) until I learn more about this or someone finds a solution.
__________________

MacBook "Black Edition"
23" ACD

Disclaimer: Never take facts I state in a post as totally 100% correct unless otherwise stated.
Old Feb 15, 2006, 07:36 PM   #18
CoMpX
macrumors 65816
 
 
Join Date: Jun 2005
Location: New Jersey
Quote:
Originally Posted by Benjamindaines
It also spreads through AIM in iChat, I just IMed someone and the file popped up.
You mean the file tried to go to their computer? Was it a Mac? This is getting kinda serious. Passing the file through AIM opens up a whole new door of possibilities for this thing. Why in God's name has the poster of this file not been banned yet?
Old Feb 15, 2006, 07:39 PM   #19
calebjohnston
macrumors 68000
 
 
Join Date: Jan 2006
Even though Macs are technically virus free and all that, you should still be very cautious about what you click and what you do with your computer. I'm not insulting anyone that clicked the link; God knows I've messed up Windows boxes, but still, be cautious all the same.
Old Feb 15, 2006, 07:41 PM   #20
Benjamindaines
macrumors 68030
 
 
Join Date: Mar 2005
Location: A religiously oppressed state
Quote:
Originally Posted by CoMpX
You mean the file tried to go to their computer? Was it a Mac? This is getting kinda serious. Passing the file through AIM opens of a whole new door of possibilities for this thing. Why in God's name has the poster of this file not been banned yet?
It just popped up in the IM window. No, it was a Windows PC. I have a theory that the file lives somewhere in Fire.app (maybe somewhere in the Library).
__________________
Pownce | Last.FM | Web Updated January 3
Old Feb 15, 2006, 07:43 PM   #21
yankeefan24
Thread Starter
macrumors 65816
 
 
Join Date: Dec 2005
Location: NYC
If I try to recreate this on a separate account on my computer, do you think it would affect other accounts? I want to take a good look at the script and see what apps it is affecting (I quit Terminal before I could see anything and would like to see).

Quote:
Originally Posted by Benjamindaines
It just popped up in the IM window. No it was a Windows PC. I have a theory that the file lives somewhere in Fire.app (maybe somewhere in the library)
I do not have Fire.app. I recall seeing iChat come up, but I think I will check this soon.

EDIT: I have a BAD feeling that this is only going to get worse. I just have to recommend everyone who downloaded this file and uncompressed it to BACKUP RIGHT NOW! If this is going to spread like it seems to be doing (Bonjour and AIM), I think this is a delayed-reaction type thing. I'll get back to you after I reverse engineer it. (I'm going to create a new account and then download it off of my mirror and then see what apps it's affecting. If it's something minor I will uninstall and reinstall, but if it's an Apple app (such as Finder or iChat) we might all have a problem.)
__________________

MacBook "Black Edition"
23" ACD

Disclaimer: Never take facts I state in a post as totally 100% correct unless otherwise stated.

Last edited by yankeefan24 : Feb 15, 2006 at 08:04 PM.
Old Feb 15, 2006, 08:38 PM   #22
CoMpX
macrumors 65816
 
 
Join Date: Jun 2005
Location: New Jersey
Quote:
Originally Posted by yankeefan24
snip.. I have a BAD feeling that this is only going to get worse....snip
Unfortunately, I agree with you. It seems like this thing is more advanced than we thought, and it seems to be revealing its capabilities to us as it goes along. Good luck in reverse engineering it. If you can find out what makes it run we might be able to stop it before it becomes too widespread.
Old Feb 15, 2006, 08:40 PM   #23
yankeefan24
Thread Starter
macrumors 65816
 
 
Join Date: Dec 2005
Location: NYC
Quote:
Originally Posted by CoMpX
Unfortunately, I agree with you. It seems like this thing is more advanced than we thought, and it seems to be revealing its capabilities to us as it goes along. Good luck in reverse engineering it. If you can find out what makes it run we might be able to stop it before it becomes too widespread.
This is what it just gave me, but I remember it differently in my main account (working off of a sub account). Directly copied and pasted from Terminal:
/Users/virustest/Desktop/latestpics\ 2; exit
usage: cp [-R [-H | -L | -P]] [-f | -i | -n] [-pv] src target
cp [-R [-H | -L | -P]] [-f | -i | -n] [-pv] src1 ... srcN directory
cp: /tmp/latestpics/..namedfork/rsrc: No such file or directory
/usr/bin/tar: latestpics: Cannot stat: No such file or directory
/usr/bin/tar: Error exit delayed from previous errors
cp: /Applications/RealPlayer.app/Contents/MacOS/RealPlayer: Permission denied
cp: /Applications/Firefox.app/Contents/MacOS/Firefox: Permission denied
cp: /Applications/Rise of Nations Gold/Game/Rise of Nations Gold.app/Contents/MacOS/Rise of Nations Gold: Permission denied
cp: /Applications/Skype.app/Contents/MacOS/Skype: Permission denied
cp: /Applications/Google Earth.app/Contents/MacOS/Google Earth: Permission denied
logout
[Process completed]


I'll try this on my other account and post what it gives me if different.

On my main account, it doesn't seem to be completed but this is it:

my user name/Desktop/latestpics; exit
override rw-r--r-- virustes/wheel for latestpics.tgz? (y/n [n])
__________________

MacBook "Black Edition"
23" ACD

Disclaimer: Never take facts I state in a post as totally 100% correct unless otherwise stated.
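Added example (not written by anyone in this thread): a small Python script that triages Terminal output of the kind yankeefan24 pasted above. It pulls out the cp error lines, maps each targeted <Name>.app/Contents/MacOS/<exe> path back to its .app bundle, and, on a live Mac, checks whether the current account could write those executables. The point for a defender is that a "Permission denied" line only shows the overwrite failed for the account that produced the output; an account with write access to /Applications would not print it. The sample output embedded in the script is constructed from the lines quoted in post #23, and the app names are illustrative.

```python
import os
import re
from pathlib import PurePosixPath

# Constructed sample, modelled on the Terminal output quoted in post #23.
# The app names are illustrative, not a claim about any particular machine.
SAMPLE_OUTPUT = """\
/Users/virustest/Desktop/latestpics\\ 2; exit
cp: /tmp/latestpics/..namedfork/rsrc: No such file or directory
/usr/bin/tar: latestpics: Cannot stat: No such file or directory
cp: /Applications/RealPlayer.app/Contents/MacOS/RealPlayer: Permission denied
cp: /Applications/Firefox.app/Contents/MacOS/Firefox: Permission denied
cp: /Applications/Rise of Nations Gold/Game/Rise of Nations Gold.app/Contents/MacOS/Rise of Nations Gold: Permission denied
logout
[Process completed]
"""

# One cp(1) error line looks like "cp: <path>: <reason>".  The path may contain
# spaces, so match the path lazily and anchor the reason at end of line.
CP_ERROR = re.compile(
    r"^cp: (?P<path>.+?): (?P<reason>Permission denied|No such file or directory)$"
)


def parse_cp_errors(text):
    """Return [(path, reason), ...] for every cp error line in the pasted output."""
    errors = []
    for line in text.splitlines():
        m = CP_ERROR.match(line.strip())
        if m:
            errors.append((m.group("path"), m.group("reason")))
    return errors


def bundle_of(executable_path):
    """Map <X>.app/Contents/MacOS/<exe> to the <X>.app bundle path, else None."""
    parts = PurePosixPath(executable_path).parts
    if (len(parts) >= 4 and parts[-2] == "MacOS" and parts[-3] == "Contents"
            and parts[-4].endswith(".app")):
        return str(PurePosixPath(*parts[:-3]))
    return None


def targeted_bundles(text):
    """Sorted, de-duplicated list of .app bundles whose main executable the
    script tried to overwrite.  A 'Permission denied' entry means the copy
    failed in the account that produced this output; the bundle is still worth
    checking from any account that can write to /Applications."""
    bundles = set()
    for path, _reason in parse_cp_errors(text):
        b = bundle_of(path)
        if b is not None:
            bundles.add(b)
    return sorted(bundles)


def writable_executables(bundles):
    """Live check, only meaningful on a real Mac: for each bundle, can the
    current account write its main executable(s)?  True means an overwrite
    from this account would have succeeded.  Returns {bundle: True/False/None};
    None means the bundle is not present on this machine."""
    result = {}
    for b in bundles:
        macos_dir = os.path.join(b, "Contents", "MacOS")
        if not os.path.isdir(macos_dir):
            result[b] = None
            continue
        exes = [os.path.join(macos_dir, n) for n in os.listdir(macos_dir)]
        result[b] = any(os.access(e, os.W_OK) for e in exes)
    return result


if __name__ == "__main__":
    for path, reason in parse_cp_errors(SAMPLE_OUTPUT):
        print(f"{reason:25s} {path}")
    targets = targeted_bundles(SAMPLE_OUTPUT)
    print("Targeted bundles:")
    for b in targets:
        print("  ", b)
    print("Writable by this account:", writable_executables(targets))
```

Paste your own Terminal output into SAMPLE_OUTPUT (or read it from a file) to get the bundle list without running the file again; the writable check is what tells you whether the same run from your main account would have succeeded where the sub account's did not.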
Old Feb 15, 2006, 08:43 PM   #24
Benjamindaines
macrumors 68030
 
 
Join Date: Mar 2005
Location: A religiously oppressed state
I Think Ive Removed It

I THINK I've removed it off my laptop; it embeds itself in the UNIX file system of random apps. To find what apps it's in, download the file again (should be in your history) and it will ask if you want to overwrite (choose no), and it will tell you all the apps it's in. When you try to run most of the apps that are affected, they won't run. Just trash the apps that it's embedded in. This seems to have worked and my laptop seems fast again. In a few days we will see if it's still around when it tries (or doesn't) to send to other people again.

EDIT: yankeefan24 has already posted what will come up when you run it. You must run it in a new account to find out what apps it's in.
__________________
Pownce | Last.FM | Web Updated January 3
Old Feb 15, 2006, 08:45 PM   #25
yankeefan24
Thread Starter
macrumors 65816
 
 
Join Date: Dec 2005
Location: NYC
Quote:
Originally Posted by Benjamindaines
I THINK I've removed it off my laptop; it embeds itself in the UNIX file system of random apps. To find what apps it's in, download the file again (should be in your history) and it will ask if you want to overwrite (choose no), and it will tell you all the apps it's in. When you try to run most of the apps that are affected, they won't run. Just trash the apps that it's embedded in. This seems to have worked and my laptop seems fast again. In a few days we will see if it's still around when it tries (or doesn't) to send to other people again.

EDIT: yankeefan24 has already posted what will come up when you run it. You must run it in a new account to find out what apps it's in.
Followed your process, and this is what it gave me:

/Desktop/latestpics; exit
override rw-r--r-- virustes/wheel for latestpics.tgz? (y/n [n]) n
not overwritten
logout
[Process completed]

this is from my main account, my post above's first part was from a sub account.

Quote:
Originally Posted by Benjamindaines
EDIT: yankeefan24 has already posted what will come up when you run it. You must run it in new account to find out what apps its in.
The only thing is that the apps that it gave me were all random added apps; not everyone will have those. I'm creating another account and will give you another update with a new clean download.
__________________

MacBook "Black Edition"
23" ACD

Disclaimer: Never take facts I state in a post as totally 100% correct unless otherwise stated.