Help - I have a Mac Java Worm

Discussion in 'OS X Yosemite (10.10)' started by signofthetimes, Dec 21, 2014.

  1. signofthetimes macrumors newbie

    Joined:
    Dec 19, 2014
    Location:
    connecticut
    #1
    I upgraded to Yosemite, and suddenly I ran into a ton of problems. The worst problem is that I now have a Java worm. I constantly get a pop-up, even as soon as I start my computer, that says, "To view this web content, you need to install the Java Runtime Environment. Click "More Info..." to visit the website for the Java Runtime Environment." (And then there are two buttons, "More Info..." and "OK," which is always highlighted in black.)

    I have run Avast twice (it takes about 3-1/2 hours to scan the entire machine). It finds the worm in two places:
    /Library/Application Support/JavaW
    and
    /Library/LaunchDaemons/com.JavaW.plist

    The "infection details" are:
    MacOS:IWorm-B [Cryp]
    and
    MacOSIWorm-F [Trj]

    respectively.

    I've deleted them twice via Avast, but then when I re-run the test, it still finds them, not to mention I'm still getting the pop-ups.
     
  2. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #2
    Have you looked in your Login Items in System Preferences under Users & Groups for anything that shouldn't be there?
     
  3. McGiord macrumors 601

    McGiord

    Joined:
    Oct 5, 2003
    Location:
    Dark Castle
    #3
    Have you installed all the Apple software updates ?

    Use activity monitor to see what things are running.

    Get the latest Java version from the oracle website.

    Ensure that in System Preferences, in the Security & Privacy pane, you have the right settings to run only things that are from certified developers and also that the firewall is enabled.
     
  4. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #4
    No, there is no need to install Java. This is the iWorm malware. OS X has been blocking it for some time now but perhaps there's a new variation.
    http://www.intego.com/mac-security-blog/iworm-botnet-uses-reddit-as-command-and-control-center/

    ----------

    Start up in Safe Boot mode by holding down the shift key as the computer restarts. Then, once the computer is running, open those folders and manually delete the files mentioned.
    Also, be certain you're running OS X 10.10.1 and have installed any other updates you find.
    This malware is typically distributed through pirated software, so if you're using any applications which you got illegally, they will likely reinfect your computer.
     
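The manual checks suggested in posts #2 through #4 (look at Login Items and Activity Monitor, find the two paths Avast flagged, and delete them from Safe Boot), gathered into a read-only triage script. This is an added example, not code from the thread, from Avast or from Apple. It assumes POSIX sh, takes the two indicator paths exactly as posted in #1, and guesses the receipt directories (post #16 only says "the Receipts folder" and the receipt names contain "JavaW", so it matches on that). Run it from Safe Boot or against a mounted volume; what it prints is a list to review, not proof of infection.

```shell
#!/bin/sh
# Added example for this thread, not from any vendor: triage a Mac volume for
# the iWorm indicators named in post #1 and the non-Apple launchd jobs that
# posts #2 and #4 suggest reviewing. Read-only; it deletes nothing.
# Usage: sh iworm_triage.sh [VOLUME_ROOT]   (e.g. "/" while in Safe Boot, or
# /Volumes/OtherMac for a mounted disk). Receipt locations are assumptions.

# Print every known iWorm indicator that exists under the given root.
# Exit status 0 when at least one is found, 1 when none are.
find_iworm_indicators() {
    root=${1:-/}
    hits=0
    # The two paths Avast flagged in post #1.
    for rel in "Library/Application Support/JavaW" \
               "Library/LaunchDaemons/com.JavaW.plist"; do
        if [ -e "$root/$rel" ]; then
            printf '%s\n' "$root/$rel"
            hits=$((hits + 1))
        fi
    done
    # Installer receipts (post #16 found a .bom and a .plist named for JavaW).
    # Both receipt directories are assumptions, so match loosely on the name.
    for f in "$root"/Library/Receipts/*JavaW* \
             "$root"/private/var/db/receipts/*JavaW*; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# List launchd property lists under the root whose file name is not
# com.apple.*, i.e. third-party daemons and agents worth a manual look.
# Malware is free to use the com.apple prefix, so this is triage, not proof.
list_third_party_launchd() {
    root=${1:-/}
    for f in "$root"/Library/LaunchDaemons/*.plist \
             "$root"/Library/LaunchAgents/*.plist \
             "$root"/Users/*/Library/LaunchAgents/*.plist; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            com.apple.*) ;;            # Apple's own jobs: skip
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Stand-alone usage: only runs when a root is given on the command line.
if [ $# -gt 0 ]; then
    root=$1
    echo "== iWorm indicators under $root =="
    find_iworm_indicators "$root" || echo "(none found)"
    echo "== non-Apple launchd jobs under $root (review by hand) =="
    list_third_party_launchd "$root"
    echo "== newest installer receipts, sorted by date (post #17) =="
    ls -lt "$root/Library/Receipts" 2>/dev/null | head -n 15
fi
```

If the script finds the JavaW paths again after you deleted them, note which launchd job or receipt reappeared alongside them; that is the item to remove while in Safe Boot, and the source application (the bootleg installer, in this thread) has to go with it or the files come back.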
  5. signofthetimes thread starter macrumors newbie

    Joined:
    Dec 19, 2014
    Location:
    connecticut
    #5
    Yes, that is exactly the worm I have! Except I don't use reddit.

    I do have 10.10.1. I just put Yosemite on my computer 2 days ago so that's the first version I've got. Yes the firewall is on. No, there are no users added to my computer that I can see.

    I deleted those files, so I don't see them anymore, but my computer is still infected. I will try the safe-boot thing once Avast is done with its latest round. It's nearly done, and it hasn't found the files I deleted, so that's good. On the other hand my computer is still infected, so that's bad. For example, I can't open Photoshop without getting the pop-up telling me I need to download Java to open it. Lies!

    The only pirated software I have that I can think of is Word. I got it from someone a few months ago. I haven't had any problems until I upgraded to Yosemite, though, so I'm not sure that's it. I could delete Word and see if that helps.
     
  6. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #6
    That's not malware; earlier versions of Photoshop insist on installing Java.
    http://helpx.adobe.com/x-productkb/global/install-java-jre-mac-os.html
    If you removed those files without using safe boot, they may replicate and reinstall themselves. I'm not certain of the mechanism at work there.
    iWorm has been around for several months so it could very well be that copy of Word that's your source.
    As for Reddit, the malware uses it (or tries to) on its own.
     
  7. signofthetimes thread starter macrumors newbie

    Joined:
    Dec 19, 2014
    Location:
    connecticut
    #7
    These are definitely not legit pop-ups. I wonder how I find the files, then, if I've already deleted them and don't see them in those folders anymore? I can try opening in Safe Boot later tonight and see if they appear there. What a drag. I have an appt. at the Apple Store for tomorrow night (they were booked solid today) so I'll keep everyone posted.

    The Photoshop message looks just like the virus one. It says:
    To open "Adobe Photoshop CS5.1" you need to install the legacy Java SE 6 runtime. Click "More Info..." to visit the legacy Java SE 6 download website."
     
  8. reese2147 macrumors regular

    Joined:
    Dec 2, 2013
    #8
    I also get the "To view this web content, you need to install the Java Runtime Environment. Click "More Info..."" message when I startup my iMac, but a virus scan with AVG does not show any threats. Furthermore, I do not have

    /Library/Application Support/JavaW
    or
    /Library/LaunchDaemons/com.JavaW.plist

    as an infected location. Any ideas?
     
  9. Razer(x) macrumors regular

    Razer(x)

    Joined:
    May 7, 2014
  10. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #10
    That's the standard OS X notification that you need to install Java. Photoshop CS5.1 will not run unless Java is installed.
     
  11. simonsi macrumors 601

    simonsi

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #11
    Get rid of the bootleg copy of Word and its installer file.

    You have two things going on. You have Photoshop correctly asking for JRE, that is normal behaviour for that software.

    You have a worm faking the same (but will likely install something else).

    Of course the worm pop-ups look like the real thing, most people aren't in a position to have them side-by-side but pretty sensible for the worm to fake a genuine message to add to its credibility.
     
  12. Artimus12 macrumors 6502

    Artimus12

    Joined:
    Nov 13, 2011
    Location:
    YooKay
    #12
    +1
     
  13. fisherking macrumors 603

    fisherking

    Joined:
    Jul 16, 2010
    Location:
    ny somewhere
    #13
    That's how I remember it as well...and Dreamweaver in CS6 also requires Java.
     
  14. signofthetimes thread starter macrumors newbie

    Joined:
    Dec 19, 2014
    Location:
    connecticut
    #14
    I tried ClamXav but it did not find anything.

    ----------

    I tried to download Java--the real thing--but I can't. It just stalls out.
     
  15. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #15

    Then you should be fine, and the malware should be gone. iWorm does not prompt to install Java, nor does it depend on Java to run, in spite of the name of the files involved.

    Is this the one you're trying to download?
    http://support.apple.com/kb/DL1572
     
  16. signofthetimes thread starter macrumors newbie

    Joined:
    Dec 19, 2014
    Location:
    connecticut
    #16
    So I went through all these steps to remove my bootleg Microsoft Office copy, since that's the only thing I can think of that might've brought in the virus: http://support.microsoft.com/kb/2398768

    I DID find these two suspicious files in the "Receipts" folder:
    com..JavaW.bom
    and
    com..JavaW.plist

    I am still getting the pop-up when I start my computer. As soon as I get to my desktop, I get the pop-up telling me I need to download Java to view the web content, yet all I've done is start my computer. I'm not trying to view any web content. It also auto-opens Chrome.

    ----------

    Yes but I tried getting it from the Java website, not the Apple website. I just tried yours but I get the same problem: it stalls out at 63.7/63.8 MB and cannot progress any further with the download. It just never moves ahead.
     
  17. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #17
    Those are just leftovers from the installer. If you sort that folder by date, what other receipts do you see with roughly the same time stamps?


    Java isn't necessarily related to web content. What do you have in your login items?

    Have you tried more than one browser?
     
  18. signofthetimes thread starter macrumors newbie

    Joined:
    Dec 19, 2014
    Location:
    connecticut
    #18
    post apple-store update

    So I brought my MacBook Pro to the Apple store tonight. The gentleman at the genius bar spent more than an hour and a half looking at it. He said he doubted it had a virus and said he didn't see any suspicious files. (I had already deleted the ones mentioned in the article.) He couldn't explain why (1) I was constantly getting Java pop-ups and (2) I could not download Java without it stalling.

    He ended up downloading an old version of Java onto a thumb drive from another machine and then put that onto my machine. It seems to have solved my problems for now. He did run some sort of diagnostic test, and he said there were some software abnormalities (files out of place), and he suggested I erase my computer and re-install from scratch. I may do that in the near future.

    As of now, the only immediate problem I am still having is that I haven't been able to get onto the websites owned by the company I work for since my Yosemite upgrade. I have had zero problems with any other websites...just the ones I NEED to access. I thought maybe after these Apple store fixes, everything would resolve, but it hasn't. I did clear my cache, but to no avail. No one else is having any troubles w/ our websites. The IT folks at my company even sent signals all around the globe--or whatever they do to test to see if their websites are working--and everything is up and running just fine. It's just me who has the problem.

    When I have more free time, I am going to back up what I want to keep and wipe clean my computer. I think that may be the solution.

    Oh, and on another note, the person who helped me said he's been working there for 3 years and has never seen this problem before (w/ the Java pop-ups), and also he checked the Apple database (whatever they use to look up problems) and said Apple Official has no record of this Java bug.
     
  19. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #19
    I'm not sure what to tell you there. It's not a bug, per se, that Adobe requires Java. I manage a lot of Macs, all with Adobe CS, and the Java prompt was the norm through CS6 if I hadn't already installed Apple's Java.
    For your other issues, try making a new user account and then do whatever you need to do with the internet as a test.
     
  20. signofthetimes thread starter macrumors newbie

    Joined:
    Dec 19, 2014
    Location:
    connecticut
    #20
    The person at the Mac store did create a test user account, but it had the same problems. Since he's installed the old Java via the thumb drive, I haven't had the pop-ups anymore. So problem temporarily fixed. It seems suspicious to me that I was getting Java pop-ups and I had those worm-y files that the article mentioned, but I suppose it's possible they weren't related problems.

    The Photoshop Java pop-up was just coming up when I tried to open PS(5.1), but the original "you need bla bla bla to view this web content" was popping up as soon as my computer finished starting up. It would auto-launch Chrome, even though Chrome shouldn't auto-launch. After he put the legacy Java onto my Mac, then I wasn't getting the pop-ups anymore, Chrome stopped auto-opening, and I was able to download things like Java (which I could not do before...it would stall out 0.1MB from the finish).
     