Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
The First Mac OS X Virus?
- Thread starter MacRumors
- Start date
- Sort by reaction score
Mitthrawnuruodo
Moderator emeritus
Of course you can... you can wipe the entire home folder of whatever user iis running, and probably a large portion of the /Application and /Library, too, all of it if you're an admin... but you still have to start it yourself (for now, anyway)... 😉BakedBeans said:
asherman13
macrumors 6502a
Could somebody please provide a literal step-by-step (screenshots included, if possible...) process for those who either aren't currently on a Mac (like me) and can't follow previous directions accurately or who are a bit confused by some of the previous directions?
I know that the generals have been covered, but specifics would be nice to have in one, consolidated post, covering creating a new admin user, changing admin->regular user, changing permissions for applications, etc., repairing permissions, showing file extensions, checking for .app downloads, and/or anything else I may have forgotten to help Mac users completely prevent themselves from this Trojan as much as we can with the knowledge that we have of it right now.
Thanks!
I know that the generals have been covered, but specifics would be nice to have in one, consolidated post, covering creating a new admin user, changing admin->regular user, changing permissions for applications, etc., repairing permissions, showing file extensions, checking for .app downloads, and/or anything else I may have forgotten to help Mac users completely prevent themselves from this Trojan as much as we can with the knowledge that we have of it right now.
Thanks!
danamania
macrumors member
Mitthrawnuruodo said:
As I understand it, you only get those if you double click on a data file (say an image) that has an application (let's call it "PhotoEdit") set as its default app.
Double clicking the image will then try to open the "PhotoEdit" app, and if it's the first time "PhotoEdit" has been opened from that image, it'll give you that warning. In other words, they appear for when you run a data file that then forces an application to load.
It appears this file hiding as a .jpg is an application itself, so those warnings don't apply.
dana
Mitthrawnuruodo
Moderator emeritus
Ok... I thought it was all the time... but then I rarely run new and unknown executables (especially not those posted by unknown newbies and masked as an image)... 😉iMeowbot said:
Yeah, I got it...danamania said:
...still don't know how you can mistake an application and an image file, though... 🙄danamania said:
As far as I read the different threats, I cannot discover if this Trojan effects anything on the OS X system?
Can someone plz tell it does/doesn't?
Thanks!
Can someone plz tell it does/doesn't?
Thanks!
iMeowbot
macrumors G3
If you're a new (or soon-to-be) Mac user, things are much less complicated. Simply don't use the main account for regular stuff. Create a second account and go to town -- if you just take the defaults on secondary accounts, you'll already be safe from the stuff under discussion here.
the only reason that I gave the more complicated steps was so that people who have been using their admin accounts for a while wouldn't run into weird access problems with their existing files.
the only reason that I gave the more complicated steps was so that people who have been using their admin accounts for a while wouldn't run into weird access problems with their existing files.
California said:
Nah, if he'd spent enough time on a Mac to learn how to make one of these he wouldn't say such things. and he would know you can plug in just about any mouse to a Mac...
asherman13
macrumors 6502a
iMeowbot said:
That's completely understandable, however, I'm hoping to undertake all these steps, complicated included, on my brother's computer, and, since I happen to be restricted to be using a PC right now, I'd really like some consolidated directions as to what he should do, or I should do for him when I would do this.
If anybody can provide these detailed directions, and is willing to, feel free to take some time, and if you could either post 'em or PM them to me, that would be great.
Thanks!
michaelltd
macrumors regular
PC Enthusiast said:
PC Enthusiast said:
Why are you here on Mac Rumors anyhow? I mean, why in the world would a Windows fanboy visit our domain? The answer is to waste time trolling, huh? At least get your facts straight about the Mac platform first. 😉
I'm not worried of this trojan. I've always been cautious about downloading suspicious files, as everyone should no matter which platform you're using.
i think apple should really force any user to setup 2 accounts with ever new install of OSX, and inform the user why he should not make the admin account the main one, + a popup that asks if you trust the source every time you ran an app for the first time.
How do you mean 'vulnerability'. Is installing a program a 'vulnarebility'? This isn't a virus, it doesn't install itself in the core system. This is just a program that you install like other programs. That someone just renamed the freakin' application, is all what is different from say iTunes. Just don't install something when you expect it to be a jpg. JPG does not ask for admin password, application does.mad jew said:
Mitthrawnuruodo
Moderator emeritus
Why...? Even if you've turned off the "Show all file extentions" (which in it self is a bad idea), then Finder is designed to show the .app suffix anyway, if you have an application with a period in it's name followed by a valid file suffix, like jpg, asp, html or whatever.danamania said:
Try it. Turn off file extentions, copy an application to your desktop (or wherever), i.e. Preview.app. That will then show up as Preview. But if you rename it to Preview.jpg it will suddenly show as Preview.jpg.app, even showing file extentions are off...
This is not a new trick, people... 🙄
danamania
macrumors member
Mitthrawnuruodo said:
*but* not all executables are .apps - .apps are one specific kind of bundle that's executable.
Other executables are just files with the x (execute) bit set, so they won't appear as .app because there is no extension on the filename to begin with. The program in this case (according to http://www.ambrosiasw.com/forums/index.php?showtopic=102379 ) is one of these kind of non .app executables just called "latestpics" with nothing else in the filename.
On top of that, file extensions are turned off by default in Tiger so default users are used to using those default settings on their default desktops - they'll see a default preview jpeg icon with the default no extensions, just like all other jpegs that have passed by their desktop with no extensions and a default preview jpeg icon
Mitthrawnuruodo
Moderator emeritus
danamania
macrumors member
Mitthrawnuruodo said:
Since OSX doesn't show .jpg (or any other extensions) by default, to most people it'll look exactly like all the other valid jpegs.
It won't catch out people who're alert and who have modified their settings to show extensions, or to give images preview icons, or who have set a few other non-default settings - but that's not most of us!
Even then plenty of valid jpegs can be saved with no file extension, especially if you're an old-world mac user who's come to OSX from os9 or before where nothing needed a file extension and creator/type codes in the resource fork handled all the file ID for you 🙂
No virus, guys...
Just to let you know, I used to be moderator of a Mac-related forum in Brazil, and we were always trying to enforce strict policies regarding pirated files and piracy links in the forum.
This caused great "commotion" among some users that pretended to be hacker wannabes or piracy supporters...in reaction, they sent to all moderators (under fake email addresses, of course) a UNIX script disguised under PDF format, saying that it was a new "manual for moderators" or so...
At that time I was working like crazy, and just opened the file on my iBook without checking anything...if I recall correctly, it did not ask for my password because I was probably in that 5-min grant period after logging in with my username...bottomline? The script worked and erased some of my Home files (mainly my email account and user configs)...this was annoying, of course, but fortunately I had a fairly recent backup of my messages.
What I wanna say is that this is NOT a virus, but simply a case of social engineering trojan...this can happen to any OS, because it's simply working on the grounds of a user's action (and authorization). Just be careful as you normally are, guys...
Just to let you know, I used to be moderator of a Mac-related forum in Brazil, and we were always trying to enforce strict policies regarding pirated files and piracy links in the forum.
This caused great "commotion" among some users that pretended to be hacker wannabes or piracy supporters...in reaction, they sent to all moderators (under fake email addresses, of course) a UNIX script disguised under PDF format, saying that it was a new "manual for moderators" or so...
At that time I was working like crazy, and just opened the file on my iBook without checking anything...if I recall correctly, it did not ask for my password because I was probably in that 5-min grant period after logging in with my username...bottomline? The script worked and erased some of my Home files (mainly my email account and user configs)...this was annoying, of course, but fortunately I had a fairly recent backup of my messages.
What I wanna say is that this is NOT a virus, but simply a case of social engineering trojan...this can happen to any OS, because it's simply working on the grounds of a user's action (and authorization). Just be careful as you normally are, guys...
mdavey
macrumors 6502a
Tymmz said:
Yes. It is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. It is also a worm - it sends itself to other hosts (via iChat and possibly via email and other IM).
It remains to be seen whether it is benign or destructive (malignant - with a delayed 'bomb' payload).
Fortunately, the virus doesn't currently* seem to exploit an OS vulnerability and so requires a social trick (disguising itself as a picture) or a recently-authorised computer in order to affect its host. It probably isn't coincidence that it was posted at the same time people were updating to 10.4.5.
*I say currently as it is now only a matter of time before the original author or another cracker exploits an OS vulnerability to bypass the reliance on social trickery.
Mitthrawnuruodo
Moderator emeritus
Yes, but they wouldn't necessarily show up with a jpeg icon, now, would they...? Most of those old school files show up with a "blank sheet" icon, until you tell them what application they should be assosiated with... 😉 So I would be suspicious when I saw a file from the net without suffix, and even more so if it appeared to be assosiated with an application...danamania said:
But again... even if you are oblivious to all the little modifications you can do to make your system even more secure, and run from an admin account, without a firewall, no file extentions showing, etc, if you download anything from an unknown source, unzip and untar it and then continue to double-click to open it, without at least examine it to see what it actually is, then you really shoudn't be operating any computer, at least not on-line, should you...?
You cannot protect people from their own stupidity... no matter how hard you try... that's what social engineering is all about... 😉