My Mac has been infected with a Trojan

[sirozha]

This is the first time for me. I was watching Olympic figure skating (DVR'ed) and saw Johnny Weir having his name written in Russian on his skates. So, I wanted to google him and see why his skates had Russian spelling of his name. I guess I clicked on a link to a Russian web site and immediately got a message that my computer was infected with a virus and offering to scan my Mac. I tried to click on cancel, but what I saw was an image of Windows Explorer. So, I figured, hey this is a Mac, so nothing serious had happened, but then I noticed that Safari was downloading a file. I tried to stop the download, but it would not stop. Then, I was able to force quit Safari (after several unsuccessful attempts) and then deleted the downloaded .exe file (which I was able to stop in the middle of the download by force-quitting Safari). But then I noticed that my network drives were no longer visible, so I restarted the Mac, and had all kinds of problems trying to connect to my network drives. Finally, after deleting the .exe file and emptying the trash can, I decided to get some program to scan my Mac for viruses or Trojans. Well, I stumbled upon Kasperski for Mac, which apparently was just released. They offer a 30-day free trial version, which can be extended past the 30 days by purchasing their software for XXX/year (redacted by author due to objections) for one license or YYY/year (redacted by author due to objections) for three licenses.

After configuring Maximum Protection and running the Full Scan, about 40% into the scan (about 40 minutes), Kasperski started popping alert messages about the codec.exe Trojan. I have just googled this Trojan and came across the following Wikipedia article:
http://en.wikipedia.org/wiki/Zlob_trojan

So, this is a warning for everyone that it is possible to get your Mac infected just by clicking on a legitimately looking link on a Google search page. I don't know how serious this Trojan is (sounds pretty serious from the Wikipedia article), but I can vouch for the fact that my Mac suffered some serious disruptions due to the infection. Supposedly, this Trojan was developed by the Russian Business Network (RBN), which is an outfit connected to the Russian Mob and is considered to be the "baddest of the bad" by Verisign. Here's the Wikipedia article on this outfit:
http://en.wikipedia.org/wiki/Russian_Business_Network

Strangely enough, my Time Machine kicked in while Kasperski was doing the Full Scan of my Mac, and Kasperski found the codec.exe on my Time Machine volume in tonight's backup. I am not sure if Kasperski launches Time Machine during every Full Scan, or I was just lucky that my Time Machine volume was mounted while Kasperski was running, so it went ahead and scanned that volume as well.

I have never heard of this happening to anyone else. I am going to continue to run Kasperski for 30 days that the trial version is authorized for, and then I will make my decision on whether or not to purchase the annual subscription for 3 Macs in my household. (Comments by author: don't be so paranoid - this is not an ad).

Edit: Actually, forget about everything I said here and continue using your Mac without any protection.

 

[mac2x]

Unless you have Windows in some form on your Mac, an .exe will be harmless as OS X cannot do anything with one. Just delete it. All it does is mess with the DNS settings to redirect your viewing to p0rn sites.

 

[sirozha]

Unless you have Windows in some form on your Mac, an .exe will be harmless as OS X cannot do anything with one. Just delete it. All it does is mess with the DNS settings to redirect your viewing to p0rn sites.

The .exe file that Safari tried to download (and which I later deleted) was not the same file as codec.exe that Kasperski found. So, this Trojan is not as innocuous as you make it sound. The Trojan (codec.exe) is identified by Kasperski as "Trojan-Downloader.Win32-FraudLoad.dzc". Kasperski is still running, so I don't know if it will find anything else.

 

[mac2x]

Under OS X an MS-DOS executable is completely innocuous. It cannot be run. Still, you're following the correct course of action to seek out anything bad that might have been downloaded.

 

[NewMacbookPlz]

The .exe file that Safari tried to download (and which I later deleted) was not the same file as codec.exe that Kasperski found. So, this Trojan is not as innocuous as you make it sound. The Trojan (codec.exe) is identified by Kasperski as "Trojan-Downloader.Win32-FraudLoad.dzc". Kasperski is still running, so I don't know if it will find anything else.

Kaperski found it because it searches for Windows trojans/viruses etc to make sure you don't pass it to a Windows computer via network or whatever. The fact that it has "Win32" as the file name and .dzc is a Windows executable.

Don't worry, just delete it and you'll be fine. You're not infected with anything. It IS just as innocuous as he said it is.

 

[sirozha]

Under OS X an MS-DOS executable is completely innocuous. It cannot be run. Still, you're following the correct course of action to seek out anything bad that might have been downloaded.

Kasperski just found another Trojan - "Packed.Win32.Krap.an", which looks like install.exe - both on my Mac's hard drive and on the Time Machine volume. So, I guess it can actually launch Time Machine and scan the backups, which is pretty cool.

 

[mac2x]

Kasperski just found another Trojan - "Packed.Win32.Krap.an", which looks like install.exe - both on my Mac's hard drive and on the Time Machine volume. So, I guess it can actually launch Time Machine and scan the backups, which is pretty cool.

I might have to give that a try if I ever get into that situation because I don't want someone's crapware taking up space even if it does do nothing to my machine!

Rest assured, though, that your Mac isn't infected. There actually was an OS X version of the Zlob trojan, but it's old news nowadays. And it primarily targeted users who were already surfing the p0rn sites.

http://news.cnet.com/8301-13579_3-9808489-37.html?tag=mncol;txt

 

[richard.mac]

… got a message that my computer was infected with a virus and offering to scan my Mac. I tried to click on cancel, but what I saw was an image of Windows Explorer. So, I figured, hey this is a Mac, so nothing serious had happened …

scam to get windows users to download trojan disguised as fake antivirus software.

… Safari was downloading a file. I tried to stop the download, but it would not stop. Then, I was able to force quit Safari (after several unsuccessful attempts) and then deleted the downloaded .exe file (which I was able to stop in the middle of the download by force-quitting Safari). …

the downloaded .exe is a trojan and will infect windows if installed, but will not infect your Mac.

… network drives were no longer visible, so I restarted the Mac, and had all kinds of problems trying to connect to my network drives. …

coincidence.

sorry for the overly concise answer . its just that this was a big post to quote and im sure other members will contribute the facts.

 

[GGJstudios]

So, this is a warning for everyone that it is possible to get your Mac infected just by clicking on a legitimately looking link on a Google search page.

This is false. Mac OS X cannot be infected by a trojan "just by clicking on a legitimately looking link". While clicking a link may trigger a download, you have to actively launch and install the downloaded file before your system could be infected. Also, as others have said, .exe files are Windows executable files and cannot run in Mac OS X. It's not wise to "warn" people of threats when you don't know what you're talking about.

 

[sirozha]

This is false. Mac OS X cannot be infected by a trojan "just by clicking on a legitimately looking link". While clicking a link may trigger a download, you have to actively launch and install the downloaded file before your system could be infected. Also, as others have said, .exe files are Windows executable files and cannot run in Mac OS X. It's not wise to "warn" people of threats when you don't know what you're talking about.

You obviously think you are the best thing that happened to the world since sliced bread. I know what I am talking about. I know that Mac OS does not run .exe files. I have been in IT for 17 years, and have a Bachelor's in Computer Science and Applied Math.

The Kasperski is still running, and I don't know what else it is going to discover. What I am telling you is that I lost access to my RAID server (both AFP and CIFS), and even when I restarted the Mac, it could not connect to the server, AFP was missing, Time Machine volume was not available, and CIFS could only log in as Guest (with most network shares not visible). I had to do a bunch of stuff just to get my network volumes to become accessible again. I had used my network volumes minutes before I clicked on that link. So, it is NOT a coincidence - I have been having reliable connection to the RAID server's shares since I installed Snow Leopard (months ago).

 

[mac2x]

You obviously think you are the best thing that happened to the world since sliced bread. I know what I am talking about. I know that Mac OS does not run .exe files. I have been in IT for 17 years, and have a Bachelor's in Computer Science and Applied Math. So, shut up!

The Kasperski is still running, and I don't know what else it is going to discover. What I am telling you is that I lost access to my RAID server (both AFP and CIFS), and even when I restarted the Mac, it could not connect to the server, AFP was missing, Time Machine volume was not available, and CIFS could only log in as Guest (with most network shares not visible). I had to do a bunch of stuff just to get my network volumes to become accessible again. I had used my network volumes minutes before I clicked on that link. So, it is NOT a coincidence - I have been having reliable connection to the RAID server's shares since I installed Snow Leopard (months ago).

No my good mate, I think you can only say it was a coincidence unless/until Kaspersky uncovers something that will run under OS X. Which I don't think is going to happen. You sound like you'd be (hopefully) smart enough to not install an unfamiliar .dmg or .pkg, so you are very likely in the clear.

 

[GGJstudios]

You obviously think you are the best thing that happened to the world since sliced bread. I know what I am talking about. I know that Mac OS does not run .exe files. I am have been in IT for 17 years, and have a Bachelor's in Computer Science and Applied Math....

When you more than double your years of experience in IT, you'll almost catch where I am now, as if that matters.

If you knew what you're talking about, you would know that the trojan you described, even if you were foolish enough to install it, does not do any of the things you described. The Zlob Trojan you provided a link about does not run in Mac OS X and has zero effect on your system. The group that created Zlob have also created a Mac trojan with similar behaviours (named RSPlug), which, if installed, changes the system's DNS settings to redirect web browsing to pornographic web sites. Neither the Windows nor the Mac versions have anything to do with access to your RAID servers. Their payloads have to do with browsers and web browsing, not network devices or RAID servers.

 

[coolmacguy]

lmao at the OP reciting his resume after being called out on his incorrect info.

No need to get so defensive man, we learn new things everyday.

 

[sirozha]

When you more than double your years of experience in IT, you'll almost catch where I am now, as if that matters.

If you knew what you're talking about, you would know that the trojan you described, even if you were foolish enough to install it, does not do any of the things you described. The Zlob Trojan you provided a link about does not run in Mac OS X and has zero effect on your system. The group that created Zlob have also created a Mac trojan with similar behaviours (named RSPlug), which, if installed, changes the system's DNS settings to redirect web browsing to pornographic web sites. Neither the Windows nor the Mac versions have anything to do with access to your RAID servers. Their payloads have to do with browsers and web browsing, not network devices or RAID servers.

Well, first of all, I have Windows installed in VMWare, which uses GHFS to communicate with the Host OS. I use Windows for financial software for my business. Once a few Trojans or viruses get downloaded to my Mac (in various folders, by the way) after I click on a link in a Google search page, it is very possible I may get them on my Guest OS (Windows), where it will most likely wreak havoc. Secondly, of course Zlob has nothing to do with access to RAID servers. Frankly, access to RAID severs has nothing to do with what I have described. I had problems accessing my network shares (which happen to be on a RAID server). So, please stop your condescending tone and go watch Olympics. I don't need your comments here.

My Mac lost AFP completely and got passwords stored in Keychain for access to network shares screwed up. Don't ask me how this could have happened - I don't know. This is the whole point why I am posting this here. This was not just an .exe file download; this actually looked like a full-blown attack - similar to what I experienced when being infected in Windows. I could not force quit Safari (I actually had to force the reboot of the Mac). I could not stop the download - it would continue downloading even though I kept trying to cancel it, etc. It is true, though, that Zlob did not modify my DNS, so I am not having any redirects to p0rn sites.

 

[GGJstudios]

...I don't need your comments here.

My comments were not for your benefit. They were for the benefit of those who might have been gullible enough to believe your false statement. If you post misinformation, someone needs to state the facts, so less experienced users won't be misled.

Don't ask me how this could have happened - I don't know.

My point exactly. It would have been better if you had said that in the beginning.

 

[mac2x]

Well, first of all, I have Windows installed in VMWare, which uses GHFS to communicate with the Host OS. I use Windows for financial software for my business. Once a few Trojans or viruses get downloaded to my Mac (in various folders, by the way) after I click on a link in a Google search page, it is very possible I may get them on my Guest OS (Windows), where it will most likely wreak havoc. Secondly, of course Zlob has nothing to do with access to RAID servers. Frankly, access to RAID severs has nothing to do with what I have described. I had problems accessing my network shares (which happen to be on a RAID server). So, please stop your condescending tone and go watch Olympics. I don't need your comments here.

My Mac lost AFP completely and got passwords stored in Keychain for access to network shares screwed up. Don't ask me how this could have happened - I don't know. This is the whole point why I am posting this here. This was not just an .exe file download; this actually looked like a full-blown attack - similar to what I experienced when being infected in Windows. It is true, though, that Zlob did not modify my DNS, so I am not having any redirects to p0rn sites.

Why didn't you say so in the first place? You do have an element of risk since you have Windows on your machine.

A Windows worm has absolutely positively nothing to do with your Mac messing up. And I've had it with you...you obviously know everything.

 

[sirozha]

lmao at the OP reciting his resume after being called out on his incorrect info.

No need to get so defensive man, we learn new things everyday.

I am not reciting my resume - I just don't like the condescending tone used by the geniuses who think everyone else is an idiot. I have too much of that crap happening at work, and most of these geniuses are total losers when it comes to fixing real problems or designing anything worthwhile. So, 35 years of experience in Help Desk really makes him an expert, I guess.

 

[DoFoT9]

You obviously think you are the best thing that happened to the world since sliced bread. I know what I am talking about. I know that Mac OS does not run .exe files. I have been in IT for 17 years, and have a Bachelor's in Computer Science and Applied Math. So, shut up!

The Kasperski is still running, and I don't know what else it is going to discover. What I am telling you is that I lost access to my RAID server (both AFP and CIFS), and even when I restarted the Mac, it could not connect to the server, AFP was missing, Time Machine volume was not available, and CIFS could only log in as Guest (with most network shares not visible). I had to do a bunch of stuff just to get my network volumes to become accessible again. I had used my network volumes minutes before I clicked on that link. So, it is NOT a coincidence - I have been having reliable connection to the RAID server's shares since I installed Snow Leopard (months ago).

When you more than double your years of experience in IT, you'll almost catch where I am now, as if that matters.

If you knew what you're talking about, you would know that the trojan you described, even if you were foolish enough to install it, does not do any of the things you described. The Zlob Trojan you provided a link about does not run in Mac OS X and has zero effect on your system. The group that created Zlob have also created a Mac trojan with similar behaviours (named RSPlug), which, if installed, changes the system's DNS settings to redirect web browsing to pornographic web sites. Neither the Windows nor the Mac versions have anything to do with access to your RAID servers. Their payloads have to do with browsers and web browsing, not network devices or RAID servers.

im sorry OP, but GGJstudios knows what he is talking about.

yes the file may download, but it will not execute by itself. and EVEN IF IT WAS a .dmg, but you still get a prompt which asks you if you wish to run it.

you dont seem to know much about macs either, cuz macs dont really need anti-virus programs of all my net searching ive never come across a mac-specific virus. most mac anti-virus programs just search for the common windows viruses that may be spread via emails or whatever.

im sorry but im afraid you are wrong in this situation unless you can specifically show us the file that infected your computer. you said you only had a .exe file download, which you know wont infect our computers.

show us where we are wrong?

 

[GGJstudios]

I am not reciting my resume - I just don't like the condescending tone used by the geniuses who think everyone else is an idiot. I have too much of that crap happening at work, and most of these geniuses are total losers when it comes to fixing real problems or designing anything worthwhile. So, 35 years of experience in Help Desk really makes him an expert, I guess.

I never claimed to be an expert, nor did I say I spent 35 years in Help Desk. I simply and accurately said that "Mac OS X cannot be infected by a trojan 'just by clicking on a legitimately(sp) looking link'", as you had falsely claimed.

 

[sirozha]

Why didn't you say so in the first place? You do have an element of risk since you have Windows on your machine.

A Windows worm has absolutely positively nothing to do with your Mac messing up. And I've had it with you...you obviously know everything.

I actually have no beef with you, so I don't know why you are getting involved in this. I don't obviously know everything. If I did, I would not be posting here.

The results of the Full Scan by Kasperski:
Two Trojans were found - both .exe files - in several different locations.

Kasperski did not find anything else. The fact that the Trojans got to the Time Machine backup volume does not give me a warm feeling. I cannot explain why AFP on the Mac got screwed up when the Trojans were downloaded by Safari. Neither can I explain why my AFP and CIFS credentials stored in Keychain became corrupted after I realized I got the Trojans. This was posted here to let people know that this can occur on a Mac. I have been using Macs at home for over two years now, and this is the first time this has happened to me. I think I am going to install Kaspreski on the other two Macs at home and run it for a month to see if there is any performance hit. If not, I will probably go ahead and buy an annual subscription package for 3 Macs.

I really did not enjoy all the flaming that my post invoked. Too bad rudeness is considered a virtue here.

 

[GGJstudios]

I really did not enjoy all the flaming that my posted invoked. Too bad rudeness is considered a virtue here.

No one flamed you and no one was rude to you. You posted an inaccurate and misleading statement. The facts were posted to correct the misinformation. If you take offense to that, that's your problem.

 

[coolmacguy]

The results of the Full Scan by Kasperski:
Two Trojans were found - both .exe files - in several different locations.

Kasperski did not find anything else. The fact that the Trojans got to the Time Machine backup volume does not give me a warm feeling.

:bangs head:

It doesn't matter in the slightest where those trojans were stored on your Mac or when, since they are .exe files and cannot affect anything.

I really did not enjoy all the flaming that my post invoked.

Everyone else hasn't really enjoyed your attitude in this thread. No one flamed you. A flame is a derogatory remark delivered with malicious intent. The other posters in this thread attempted to provide you with accurate information that would allow you to better understand your problem, and they did so. You just took offense to that for some inexplicable reason.

 

[mac2x]

I actually have no beef with you, so I don't know why you are getting involved in this. I don't obviously know everything. If I did, I would not be posting here.

Glad to hear it...however, from what I've seen of GGJ's posts, he knows his stuff, so I wouldn't brush him off as some sort of pseudo genius if I were you.

 

[GeneKam]

To Thread starter: exe CANT run natively under osx as described above, they are completely harmless. As a fellow IT you know that unix and dos are not the same, therefore exe is just an alien file that just uses a bit of space. The core of OS is very different so i dont know why the panic

Also the time machine backs up everything every 15 min ( i believe), so thats how it got there. Its automated backup of all your latest files. Thats ho it got down there. I mean its not pleasant to have them as they just waste space.

DONT BE STUPID, dont buy kaspersky, use spotlight to search for .exe files and bam delete all the foreign once, money saved.

 

[mac2x]

Time Machine backs up hourly.