Status
Not open for further replies.
frankblundt said:
I don't think there's any evidence for this. It seems to copy (something) into whatever apps it can find. The iChat Agent is not a creation of the trojan, just a hidden support app that wasn't deleted as part of trashing the main iChat app.
When someone deleted iChat from their computer and then they have an iChat process running... that's not a good sign.

GITANAJAVA said:
2) Activity monitor?

Your Hard Drive ---> Applications Folder --> Utilities Folder --> Activity Monitor

In activity monitor you can click the 'name' button (this will sort it by name) and then find something named either iChat or iChat agent.

Click on the iChat/Agent and then click the Quit Processes button on the top left hand of the screen. It will ask if you want to quit it, you will click 'force quit'.



Next you want to go to system preferences (Click the apple logo on top left hand of screen and go to system prefs)

Then go to 'Accounts' and then click Login Items. If you see 'iChat' or 'iChat Agent', click it and then click the delete key.


Warning: May delete files you don't need to delete
(kinda risky cause other files might be deleted accidentally)
If you want to be sure you got the iChat files you can go to your desktop, hit Apple Key + F and then in the search bar you can type iChat and search for it... then you can delete all the files that have the word iChat in them.

--MrMacMan

edit:
slow in my answers I am.
 
To the Demi-goddess iBlue and MrMacMan,

Ahhh, just what I needed -- stick pix to explain! I love Macking, yet, despite a year of devoted ownership, forums scanning, late-nite experimenting, Googling, etc., I know only what is necessary on a daily basis to keep "Spinnerz" (my iBook G4/v. 10.3.9) running healthily so my business in turn will run well.

My thanks and my indebtedness to ALL here for your gracious patience and willingness to share your wisdom (without using blunt force).

Sign me "A Blonde Treading MacWater" ;-)
 
GITANAJAVA not to worry, a lot of people are somewhat edgy at the moment but generally everyone is really helpful here.

from one blonde to another... glad to help. :)
 
Solution from Norton

Apologies if anyone has posted this before but I can't see anything in this thread. Norton have a fairly informative page on this http://securityresponse.symantec.com/avcenter/venc/data/osx.leap.a.html
Obviously they're assuming you have a Norton product installed to remove the affected files, but it gives a fair amount of information in general about the effect, and maybe even enough to enable people to manually remove the infected files.

Edit: The last paragraph at the bottom of the page says it all really - re-install the OS. (which is as good a reason for everyone to back up all their data as I can think of).
 
k

ok 2 quick ones

1. I am the only user on my Mac. If I create another user, will all programs available to the admin be available to the 2nd user?

2. I have 10.3.9. Symantec says this thing only runs on 10.4 and Intel Macs. Is this true?

thanks
 
Is this thing actually 2 gig? That's what it shows up as on Norton's Page.

At least, at the moment, we actually have to download/accept the file, unarchive it and run it. But I see this as a sad day for all.
 
This proof of concept attack is exactly why I've been promoting the use of a secondary LIMITED Super User Account for all your normal daily activities.

The best way to prevent something like this from happening is to use your primary administrative account ONLY for installs and maintenance from known sources.
 
Summary?

From what I read online from different sites, here is what I have summarized. It started here on MacRumors with the latest Leopard screenshot post. It installs via Terminal. It then scans using Spotlight for the recently used apps and creates scripts/attaches to those apps, and when they are activated it uses those apps to spread itself. Some sites say it creates duplicates of all the apps it attaches to. Some say it's a script, while some say it's a Unix shell. It only works on 10.4.5 and only infects PowerPC, or was that only Intels? Correct me if I am wrong or I have missed any points.

P.S. My 2 cents is that it logs in to the root account (because the root account name is root and the password is root) and installs the program.

From Norton :-

OSX.Leap.A arrives on the computer as an attachment to the following iChat Instant Message:

When the recipient clicks save, the archive file is saved as latestpics.tgz:

If the user opens the archive, the file latestpics is created:

Once OSX.Leap.A is executed, it performs the following actions:

Displays the following message:

Creates the following files:

/tmp/latestpics
/tmp/latestpics.tgz
/tmp/latestpics.tar.gz
/tmp/hook
/tmp/apphook
/tmp/pic.gz
/tmp/apphook.tar
/tmp/pic

Deletes all files from the following folder:

~/Library/InputManagers

Copies /tmp/apphook to the following folder:

~/Library/InputManagers/apphook/apphook.bundle/Contents/MacOS

so that it runs every time an application starts.

Uses Spotlight to search for the four most recently used applications this month, which do not require root permissions.

Searches these files for the extended attribute oompa. If it does not find this attribute, it will infect the selected files.

Infects the selected files by copying the contents of the data fork to the resource fork of the selected file, and then copying itself to the data fork of the selected file.

Note: Due to a bug in the code, the infected files may be corrupted and may not run correctly.

Creates the extended attribute oompa and sets it to loompa.

Monitors all launched applications. Every time the iChat application is launched, the worm sends the file latestpics.tgz to all the iChat contacts.

Note: Due to a bug in the code, the worm may corrupt the file so that it appears larger than it actually is, and it may not be sent successfully.
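
An added example, not part of the original thread or of Symantec's write-up: a read-only check for the artifacts listed in the description quoted above (the /tmp files, the apphook InputManager, and the oompa extended attribute). The function names, the choice to inspect each .app bundle plus the files in its Contents/MacOS folder, and the xattr lookup method are assumptions.

```python
import os
import subprocess
from pathlib import Path

# Names taken from the Symantec write-up quoted in the post above.
TMP_ARTIFACTS = ("latestpics", "latestpics.tgz", "latestpics.tar.gz", "hook",
                 "apphook", "pic.gz", "apphook.tar", "pic")
INPUT_MANAGER = Path("Library/InputManagers/apphook")
MARKER_ATTR = "oompa"


def read_xattr_names(path):
    """Extended attribute names on path; empty list if they cannot be read."""
    try:
        if hasattr(os, "listxattr"):  # Linux builds of Python
            return [n[5:] if n.startswith("user.") else n
                    for n in os.listxattr(path)]
        # macOS: /usr/bin/xattr prints one attribute name per line
        done = subprocess.run(["xattr", str(path)],
                              capture_output=True, text=True)
        return done.stdout.splitlines()
    except OSError:
        return []


def scan(home, tmp_dir="/tmp", app_dirs=("/Applications",),
         xattrs=read_xattr_names):
    """Return (kind, path) findings; reports only, never deletes anything."""
    findings = []
    for name in TMP_ARTIFACTS:
        candidate = Path(tmp_dir) / name
        if candidate.exists():
            findings.append(("tmp_artifact", str(candidate)))
    hook = Path(home) / INPUT_MANAGER
    if hook.exists():
        findings.append(("input_manager", str(hook)))
    for app_dir in app_dirs:
        for app in sorted(Path(app_dir).glob("*.app")):
            macos = app / "Contents" / "MacOS"
            # Assumption: the marker sits on the bundle or its executables.
            targets = [app] + (sorted(macos.iterdir()) if macos.is_dir() else [])
            findings += [("oompa_xattr", str(t)) for t in targets
                         if MARKER_ATTR in xattrs(t)]
    return findings


if __name__ == "__main__":
    for kind, path in scan(Path.home()):
        print(f"{kind}\t{path}")
```

A file in /tmp with one of these common names (for example `pic`) is only a hint; the InputManager entry and the oompa attribute are the more specific signs.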
 
OraclePhoenix said:
Some say its a script, while some say its a unix shell.
"Script" = "shell script" = program written in a shell's language = program that runs in a Unix shell. It's all the same thing.

Example shell and its language: bash

Terminal is the application in Mac OS X for running shells interactively and for running shell scripts.
 
Been following with great interest

Has anyone been able to put together anything more on this since the last post?

Thanks
 
windows on mac

Hi ...I want to load windows on my mac..... does that mean that I can get viruses through my entire system or just on the windows component......and will it slow my mac down?
 
G4 with virus

Heya guys, my G4 seems to have got a virus. Every time I turn it on and if connects to the net a file automatically downloads, then all my apps like iChat etc. open together. I download of transmission, could this have something to do with it......
 
Heya guys, my G4 seems to have got a virus. Every time I turn it on and if connects to the net a file automatically downloads, then all my apps like iChat etc. open together. I download of transmission, could this have something to do with it......

Download iAntiVirus (free) and run a scan of your computer.

There are no viruses for OS X, only trojans, which are installed by user ignorance.
 
still no jog

Mynlaptopbis connected to the net but I can't use safari when everything opens.thing freezes up.
 
Mynlaptopbis connected to the net but I can't use safari when everything opens.thing freezes up.

Looks like it is affecting your keyboard too ;)

Woof, Woof - Dawg