Help! I downloaded the Trojan. Now what do I do?

Discussion in 'Mac Basics and Help' started by Ceyx, Feb 16, 2008.

  1. Ceyx macrumors newbie

    Joined:
    Feb 15, 2008
    #1
    I just got a new iMac with Leopard installed and clicked on a link that was very similar to this (that I found quoted at chinwong.com/index.php/site/comments/mac_attack/):

    "OSX.RSPlug.A, has been found on a number of pornographic Web sites, the security company Intego reports.

    “A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites,” Intego warns. When they arrive at these sites, they will see still photos, purportedly from free porn videos. But if they click on them, they will receive this message: “Quicktime Player is unable to play movie file. Please click here to download new version of codec.”"

    ***It was not a porno site, but was in fact a Google search result that was shown as linking to my website! It downloaded 5 "setup.exe" files, which I deleted, and forgot about. I later Googled the URL and found it was recently listed as a known and dangerous malware domain. But before I knew that I went to create a .Mac account and it said I should check Software Update, which I did and it gave me two updates (and for which I had to enter my administrative password). It ran the updates and said I'd have to restart, to which I said yes, but a Windows Crossover program was running at the time which cancelled the automatic restart, so I was prompted to quit the program and manually restart, which I did. When the computer restarted it said I had two updates that needed to be installed, which I thought was strange, as I thought they had already been installed, but I said okay to that anyway. Then it started progress bars and was taking a long time, saying, "writing files", which it did to 100%. Then it said "patching files", and I thought that was really fishy, as I'd never seen anything like that before on a Mac, so I shut the computer down. When I rebooted, I got the gray kernel panic window that says "You need to restart your computer. Hold down the power key for a few seconds or press the Restart button." in four different languages. I unplugged the computer and an external back-up drive.

    What should I do now? I don't have any anti-virus software installed.

    Any assistance would be more than greatly appreciated! I have tons of data on the drive that is not backed up! Many thanks in advance!
     
  2. MarkMS macrumors 6502a

    Joined:
    Aug 30, 2006
    #2
    The 5 .exe files you got, when visiting a site that was linking to your site, are probably harmless in Leopard. Even with Crossover, unless you double-clicked the files, it shouldn't have done any damage to your iMac.

    To be sure you caught the trojan, you need to go into System Pref>Network panel. When in the network panel, click on either Airport or Ethernet (whichever one you use on a daily basis) and click "Advanced ...". From there, go to the DNS tab and see what kind of DNS servers and Search domains have been added.

    You should only have one address in the DNS section that should begin with a 192.168.X.X. For the trojan it adds 85.255.X.X addresses.

    Here is a Symantec entry that talks about this.

    Here is another from MacWorld on how to detect it and remove the trojan.

    Anyway, just remember to always back up files on a regular basis, enable the firewall, untick the "Open Safe Files" in Safari preferences, and never run in an admin account on a daily basis. More about these tips and why you should use them can be found on Princeton's site. It's much easier to read than those security sites' .pdf papers.

    Hope this helps!
     
  3. Morod macrumors 68000

    Morod

    Joined:
    Jan 1, 2008
    Location:
    On The Nickel, over there....
    #3
    MarkMS posts:
    "untick the "Open Safe Files" in Safari preferences"

    Thanks for the advice, Mark. I never would've stumbled across this box. Now a question. If I untick this box and download a "safe" file, how do I open it? Go to the download folder in Finder and double-click it? If there was a Trojan, wouldn't it still activate once I opened the file?
    Thanks for any help,
    Morod
     
  4. MarkMS macrumors 6502a

    Joined:
    Aug 30, 2006
    #4
    Yes, for safe files, just double-click it.

    If the trojan was disguised as a "safe" file and you opened it, yes it would still activate. That's where the "don't run the admin account unless you have to" comes into play. The first account that OS X makes (whether it's from reinstalling OS X or getting a new Mac), is the admin account. You need to go into System Prefs and make a new "standard" account. Only difference is that you have to authenticate more often.

    For example, let's say you downloaded Firefox. On the admin account, all you have to do is double-click the file and then insert Firefox into the Applications folder. In the standard account, once you double-click and drop the file into the Applications folder, a dialog box will pop up and ask you to authenticate. All you have to do is insert your admin username and password. All it took was an extra 3 seconds to install the program.

    In the event that you do double-click on a trojan in the standard account, the same dialog box will pop up and let you know that it wants to install something. What makes it so obvious that the file is a trojan is that the file is usually a .jpg or .mp3 file with a hidden extension. All you have to do is ask yourself, why would a .jpg, .mp3 or .pdf file want to install something on my computer? At that time, all you do is hit cancel, drop the infected file into trash and empty it. In the admin account, the file may start installing stuff in the background without you even knowing.

    There was a trojan (OSX.Leap.A) back in 2006 that you may want to read up on. It did the same thing I'm talking about, but was spread on Mac forums. It's a decent Wikipedia entry if you want to learn more.

    Hope this helps!
     
  5. Morod macrumors 68000

    Morod

    Joined:
    Jan 1, 2008
    Location:
    On The Nickel, over there....
    #5
    Again Mark, thank you. Unfortunately, since getting my iMac, I have been running it in the Admin account. I have now created a new standard account and will log into it.
    This did help, immensely!
    Morod

    PS... How do I find out my admin username? I remember the password, but the username could be one of several. Is it someplace I can find it? And sorry for the totally noob question.
     
  6. Morod macrumors 68000

    Morod

    Joined:
    Jan 1, 2008
    Location:
    On The Nickel, over there....
    #6
    Sorry for the trouble, Mark! I found my username.
    But again, thanks for your time and advice!
    Morod :)
     
  7. MarkMS macrumors 6502a

    Joined:
    Aug 30, 2006
    #7
    No problem! As for finding out the username, just go into System Prefs>Accounts and on the left side it should have a list of accounts. The admin username should be the one with the word "Admin" underneath it.

    UPDATE: Posted too late. Glad you figured it out! :)
     
  8. Strom1 macrumors regular

    Strom1

    Joined:
    Feb 1, 2008
    Location:
    NY
    #8
    Administration account?

    If I'm the only one using the computer, is it necessary to create a non-admin account? What's the major problem if I continue to run under my Administration account?
     
  9. Frisco macrumors 68020

    Joined:
    Sep 24, 2002
    Location:
    Utopia
    #9
