A Mac Virus?!?!?

Discussion in 'Mac Basics and Help' started by yankeefan24, Feb 14, 2006.

Thread Status:
Not open for further replies.
  1. yankeefan24 macrumors 65816

    Joined:
    Dec 24, 2005
    Location:
    NYC
    #1
    This thread and the events are summarized here: The First Mac Virus? (A New OS X Trojan)


    If anyone remembers, last night lasthope spread that picture that opened in Terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latestpics file. Any help? I have already secure deleted it off of my hard drive, but how do I know that it will not come back? Any help is appreciated.

    Link to lasthope's thread:
    http://forums.macrumors.com/showthread.php?p=2142507&posted=1#post2142507
     
  2. Benjamindaines macrumors 68030

    Joined:
    Mar 24, 2005
    Location:
    A religiously oppressed state
    #2
    Same thing happened over here (as you see from my post in the other thread) and everything seems to be fine but we have no way of telling because [rant] APPLE DOESN'T INCLUDE ****ING VIRUS PROTECTION IN THE .MAC ANY MORE!!!!!!!!! [/rant]
     
  3. GFLPraxis macrumors 604

    Joined:
    Mar 17, 2004
    #3
    Sounds like a trojan, not a virus.

    Um...dude, virus protection only looks for known viruses and trojans, it wouldn't find a newly released one anyway until Apple updated it to look for it. And since there are no Mac viruses anyway, it's perfectly fine for Apple to not include it.
     
  4. Laser47 macrumors 6502a

    Joined:
    Jan 8, 2004
    Location:
    Maryland
    #4
    I ran it, opened Terminal and then closed it. Don't know about sending messages to other computers though, because I have the only Mac in my house.
     
  5. Timepass macrumors 65816

    Joined:
    Jan 4, 2005
    #5

    No, it can find new ones. Normally that is covered by a Bloodhound-like feature (basically it looks for virus-like characteristics and quarantines the file). Now, it will not be able to remove the virus and cure it, but it will prevent access to it and protect the rest of the system from it.
     
  6. cemorris macrumors regular

    Joined:
    Oct 13, 2004
    #6
    Give this a try and see if it can detect this virus/trojan.

    http://www.clamxav.com/
     
  7. Mr. Mister macrumors 6502

    Joined:
    Feb 15, 2006
    #7
    Mac OS X is very specific about making installing viruses a thing that the user has a very large part in. Don't impulsively type your system password when a dialogue box pops up and you should be fine.
     
  8. yankeefan24 thread starter macrumors 65816

    Joined:
    Dec 24, 2005
    Location:
    NYC
    #8
    Well, what it did was, when you opened the file disguised as a JPEG, it would open Terminal and run a script. No passwords or anything.
     
  9. Benjamindaines macrumors 68030

    Joined:
    Mar 24, 2005
    Location:
    A religiously oppressed state
    #9
    But for what it was trying to do it DID need a password; that's why the permission was denied and we're "safe".
     
  10. yankeefan24 thread starter macrumors 65816

    Joined:
    Dec 24, 2005
    Location:
    NYC
    #10
    But permission was not denied for me. It ran a full script (but I closed Terminal and deleted it before screenshots) without any permissions being denied.
     
  11. ITASOR macrumors 601

    Joined:
    Mar 20, 2005
    Location:
    Oneida, NY
    #11
    Right, unless he DID put his password in...
     
  12. Benjamindaines macrumors 68030

    Joined:
    Mar 24, 2005
    Location:
    A religiously oppressed state
    #12
    It never asked for it, it just denied permission and ended the command.
     
  13. yankeefan24 thread starter macrumors 65816

    Joined:
    Dec 24, 2005
    Location:
    NYC
    #13
    The trojan still exists on this computer. Does anyone know where the file would be located on my HDD?

    Unlike Benjamin, mine somehow got permission to do whatever it had to do. I have the file mirrored (I think that's the right term) on a separate site, so if anyone wants to reverse engineer it, you can do that. Just remember that you are downloading a known trojan. (Because the downloader knows that it is a trojan (you can't get past that on the site), I think I am allowed to give it out; just PM me so I am sure.)

    The virus is still alive on my computer despite secure deleting the script (it tried to get itself to my sister's computer), so any help is appreciated, and I hope this isn't worse than it seems. But it didn't require a password, so I believe that it can't do anything very bad. But why would someone make a trojan just to spread it? So he can say he made the first Mac virus (I know it's not a virus, but that might be what the guy was aiming for). All help is appreciated.

    I did scan my home Library folder with the above linked app.

    BTW, I think that lasthope should be banned, and should tell exactly what it does.
     
  14. CoMpX macrumors 65816

    Joined:
    Jun 29, 2005
    Location:
    New Jersey
    #14
    I really hope this guy gets what he deserves. I also hope that this doesn't get worse as we find out more about it. It already has the ability to spread to every Mac on the network. Good thing I downloaded the file and then just decided to delete it. What if I had opened it at school?? Every Mac in the school would have this "thing" on it!
     
  15. yankeefan24 thread starter macrumors 65816

    Joined:
    Dec 24, 2005
    Location:
    NYC
    #15
    No, it only spreads through Bonjour/Rendezvous or whatever they call it. It would spread like a fire in dead woods if it happened at an Apple Store, with all those people who just press Accept for everything. I am backing up my Desktop, Documents, and Library folders on my old 20 GB iPod.

    Again, if anyone thinks that they can isolate it and reverse engineer it or anything like that, I will be happy to give you the mirrored link (I'm not posting it here because I am not sure what the rules are).
     
  16. Benjamindaines macrumors 68030

    Joined:
    Mar 24, 2005
    Location:
    A religiously oppressed state
    #16
    It also spreads through AIM in iChat, I just IMed someone and the file popped up.
     
  17. yankeefan24 thread starter macrumors 65816

    Joined:
    Dec 24, 2005
    Location:
    NYC
    #17
    Well, I have alerted my Mac friend (it's amazing how many people I know who use Windows) about it. I just hope it doesn't spread to Windows. OK then, I am switching to my other computer now (my old 1 GHz TiBook) until I learn more about this or someone finds a solution.
     
  18. CoMpX macrumors 65816

    Joined:
    Jun 29, 2005
    Location:
    New Jersey
    #18
    You mean the file tried to go to their computer? Was it a Mac? This is getting kinda serious. Passing the file through AIM opens up a whole new door of possibilities for this thing. Why in God's name has the poster of this file not been banned yet?
     
  19. calebjohnston macrumors 68000

    Joined:
    Jan 24, 2006
    #19
    Even though Macs are technically virus free and all that, you should still be very cautious about what you click and what you do with your computer. I'm not insulting anyone that clicked the link, God knows I've messed up Windows boxes, but still, be cautious all the same :).
     
  20. Benjamindaines macrumors 68030

    Joined:
    Mar 24, 2005
    Location:
    A religiously oppressed state
    #20
    It just popped up in the IM window. No it was a Windows PC. I have a theory that the file lives somewhere in Fire.app (maybe somewhere in the library)
     
  21. yankeefan24 thread starter macrumors 65816

    Joined:
    Dec 24, 2005
    Location:
    NYC
    #21
    If I try to recreate this on a separate account on my computer, do you think it would affect other accounts? I want to take a good look at the script and see what apps it is affecting (I quit Terminal before I could see anything and would like to see).

    I do not have Fire.app. I recall seeing iChat come up, but I think I will check this soon.

    EDIT: I have a BAD feeling that this is only going to get worse. I just have to recommend everyone who downloaded this file and uncompressed it to BACK UP RIGHT NOW! If this is going to spread like it seems to be doing (Bonjour and AIM), I think this is a delayed-reaction type thing. I'll get back to you after I reverse engineer it. (I'm going to create a new account and then download it off of my mirror and then see what apps it's affecting. If it's something minor I will uninstall and reinstall, but if it's an Apple app (such as Finder or iChat) we might all have a problem.)
     
  22. CoMpX macrumors 65816

    Joined:
    Jun 29, 2005
    Location:
    New Jersey
    #22
    Unfortunately, I agree with you. It seems like this thing is more advanced than we thought, and it seems to be revealing its capabilities to us as it goes along. Good luck in reverse engineering it. If you can find out what makes it run we might be able to stop it before it becomes too widespread.
     
  23. yankeefan24 thread starter macrumors 65816

    Joined:
    Dec 24, 2005
    Location:
    NYC
    #23
    This is what it just gave me, but I remember it differently in my main account (working off of a sub account). Directly copied and pasted from Terminal:
    /Users/virustest/Desktop/latestpics\ 2; exit
    usage: cp [-R [-H | -L | -P]] [-f | -i | -n] [-pv] src target
    cp [-R [-H | -L | -P]] [-f | -i | -n] [-pv] src1 ... srcN directory
    cp: /tmp/latestpics/..namedfork/rsrc: No such file or directory
    /usr/bin/tar: latestpics: Cannot stat: No such file or directory
    /usr/bin/tar: Error exit delayed from previous errors
    cp: /Applications/RealPlayer.app/Contents/MacOS/RealPlayer: Permission denied
    cp: /Applications/Firefox.app/Contents/MacOS/Firefox: Permission denied
    cp: /Applications/Rise of Nations Gold/Game/Rise of Nations Gold.app/Contents/MacOS/Rise of Nations Gold: Permission denied
    cp: /Applications/Skype.app/Contents/MacOS/Skype: Permission denied
    cp: /Applications/Google Earth.app/Contents/MacOS/Google Earth: Permission denied
    logout
    [Process completed]


    I'll try this on my other account and post what it gives me if different.

    On my main account, it doesn't seem to be completed but this is it:

    my user name/Desktop/latestpics; exit
    override rw-r--r-- virustes/wheel for latestpics.tgz? (y/n [n])
     
  24. Benjamindaines macrumors 68030

    Joined:
    Mar 24, 2005
    Location:
    A religiously oppressed state
    #24
    I Think I've Removed It

    I THINK I've removed it off my laptop. It embeds itself in the UNIX file system of random apps. To find what apps it's in, download the file again (should be in your history) and it will ask if you want to overwrite (choose no), and it will tell you all the apps it's in. When you try to run most of the apps that are affected, they won't run. Just trash the apps that it's embedded in. This seems to have worked and my laptop seems fast again. In a few days we will see if it's still around when it tries (or doesn't) to send to other people again.

    EDIT: yankeefan24 has already posted what will come up when you run it. You must run it in a new account to find out what apps it's in.
     
  25. yankeefan24 thread starter macrumors 65816

    Joined:
    Dec 24, 2005
    Location:
    NYC
    #25
    Followed your process, and this is what it gave me:

    /Desktop/latestpics; exit
    override rw-r--r-- virustes/wheel for latestpics.tgz? (y/n [n]) n
    not overwritten
    logout
    [Process completed]

    This is from my main account; the first part of my post above was from a sub account.

    The only thing is that the apps that it gave me were all randomly added apps. Not everyone will have those. I'm creating another account and will give you another update with a new clean download.
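The Terminal transcripts quoted in posts #23 and #25, and the "run it again and see which apps it names" triage in post #24, can be read more systematically by parsing the output instead of eyeballing it. The following is an added example, not code from the thread: a small Python parser that pulls out which application bundles the script tried to overwrite and whether the attempt was refused; the sample transcript is constructed from the lines quoted above. cp is silent on success, so an empty `denied` list from an account that can write to /Applications is not evidence that nothing was modified.

```python
import re
from typing import Dict, List

# Constructed sample: the Terminal lines quoted in posts #23 and #25 above.
SAMPLE_OUTPUT = """\
cp: /tmp/latestpics/..namedfork/rsrc: No such file or directory
/usr/bin/tar: latestpics: Cannot stat: No such file or directory
cp: /Applications/RealPlayer.app/Contents/MacOS/RealPlayer: Permission denied
cp: /Applications/Firefox.app/Contents/MacOS/Firefox: Permission denied
cp: /Applications/Rise of Nations Gold/Game/Rise of Nations Gold.app/Contents/MacOS/Rise of Nations Gold: Permission denied
cp: /Applications/Skype.app/Contents/MacOS/Skype: Permission denied
cp: /Applications/Google Earth.app/Contents/MacOS/Google Earth: Permission denied
override rw-r--r-- virustes/wheel for latestpics.tgz? (y/n [n]) n
not overwritten
logout
"""
# "cp: <path>: <error text>"; the path may contain spaces but no ": ".
CP_ERR = re.compile(r"^cp: (?P<path>.+?): (?P<err>[A-Za-z ]+)$")
# Reduce an app's main-executable path to its enclosing .app bundle.
APP_BIN = re.compile(r"^(?P<app>/Applications/.+?\.app)/Contents/MacOS/")
# The prompt cp -i prints when the target file already exists.
OVERRIDE = re.compile(r"^override .* for (?P<file>\S+)\? \(y/n \[n\]\)")


def triage(output: str) -> Dict[str, List[str]]:
    """Sort a pasted Terminal transcript into what it actually shows.

    denied   -- .app bundles whose executable cp tried to replace and was
                refused, i.e. NOT modified by this run.
    rsrc_err -- errors on the ..namedfork/rsrc (resource fork) path.
    override -- files that already existed, so cp -i asked before writing.
    cp prints nothing on success, so a bundle absent from 'denied' may still
    have been overwritten when run from an account that can write there.
    """
    result: Dict[str, List[str]] = {"denied": [], "rsrc_err": [], "override": []}
    for line in output.splitlines():
        m = CP_ERR.match(line)
        if m:
            path, err = m.group("path"), m.group("err")
            if "..namedfork/rsrc" in path:
                result["rsrc_err"].append(path)
            elif err == "Permission denied":
                a = APP_BIN.match(path)
                result["denied"].append(a.group("app") if a else path)
            continue
        m = OVERRIDE.match(line)
        if m:
            result["override"].append(m.group("file"))
    return result
```

Paste a transcript into `triage()` and compare the `denied` list against the apps that later refuse to launch; anything that refuses to launch but is not in the list was written to without an error line.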
     