Trojans on my MBP - what do I do?

Discussion in 'Mac Basics and Help' started by cybergranny, Mar 28, 2009.

  1. cybergranny macrumors newbie

    Mar 28, 2009
    I’m a fairly new escapee from the Windows-PC camp. I’ve run into a problem with my MBP that I can’t work through on my own. I’m hoping that someone here will take great pity on me and help me solve it, and hopefully, to learn something from this experience, too.

    About 2 weeks ago I learned that one of my credit card numbers had been stolen and used. I had used it for limited internet shopping at sites I know and trust, but I ran a virus checker on the computer anyway.

    My MBP has both mac and windows running on Boot Camp. I ran ClamX on the mac side, and it identified 4 instances of Trojan.Zlob attached to a “MediaTubeCodec” on emails found in Trash. (I had deleted the emails without opening them as soon as they came in.) The files were removed to Quarantine. My understanding is that this is a windows trojan, so no harm done but possibly anemail threat to my windows-using friends.

    Then I checked my email and noticed an odd header on an incoming message. I found that it also contained an attachment that had been scanned and stripped of the virus W32/MyDoom-O. By the end of the day, 3 more emails came in with similar infected files, each one a zipped text file carrying the same virus. Again, no harm done . . . but now I was getting that old Microcrap-PC feeling back again, so I ran deep scans on both the mac and the windows sides.

    ClamX found nothing new on the mac side. And on the windows side Avast AV (free edition) did not find anything there, but it did find ClamX’s quarantined files and another virus on the mac side. Avast identified the new virus as a virus/worm named Body Count -1078, located on the mac hard drive at \private\var\vm\sleepimage.

    I could see the mac’s sleepimage file and the \private\ folders from the windows side, but I could not see any of it in Finder on the mac side. I researched Body Count-1078 and learned that it is also called IFOR.1078, and that it is a DOS-based File Infector. I assume it won’t hurt anything on the mac side, but I want to get all this garbage out of here!

    I searched these forums for answers, but my brain started smoking and I could smell something burning inside my head, so I decided to write to the forum and get some advice from the learned and the wise.....

    How can I get rid of this infected file if I can’t see it on the mac side?
    And if I can’t get rid of it, will I infect my windows-using email buddies?
    Am I even safe to go out in cyber-public with this on my computer?
    Can any of these infected files have anything to do with my stolen credit card?
    And why-oh-why is my MBP under such attack lately?
    And can anybody tell me where odd socks go when they disappear in the dryer?

  2. BlueRevolution macrumors 603


    Jul 26, 2004
    Montreal, QC
    It's in one of OS X's hidden folders. The file you mentioned is where Mac OS X saves the contents of its memory when it goes to sleep. The trojan was in your system's memory, possibly because Mail loaded the message. That's a little troubling to me, but as it's for DOS it shouldn't affect you anyway.

    Open a new Terminal window and type

    sudo rm /private/var/vm/sleepimage

    (By the way, *nix systems like Mac OS X use forward slashes instead of backslashes in paths.)

    Not unless you deliberately forward an infected message to them.

    When running OS X, yes.

    Not on the Mac side. Have you used your credit card while on Windows?

    Where did the messages come from? It's possible that one of your contacts is infected.

    I eat them.

    Yours are particularly delicious.
  3. Jethryn Freyman macrumors 68020

    Jethryn Freyman

    Aug 9, 2007
    By the way, those trojans you have are Windows-only.
  4. neonblue2 macrumors 6502a

    Aug 25, 2006
    Port Pirie, South Australia
    Do you have MacDrive installed? I just find it odd you can see the Mac partition from Windows.

    Unfortunately this is one of the perils of running such software.
  5. cybergranny thread starter macrumors newbie

    Mar 28, 2009
    Thank you for your help!

    BlueRevolution: I entered the text in Terminal -- twice, because I wasn’t sure if anything good had happened. A message like “your problems are solved and now you are wealthy” would have been a nice touch, but what it said was that it couldn’t find the file or directory. So I assume that it has all been deleted.

    I don’t do anything on the windows side if I don’t have to, and never anything risky like use a credit card online. I don’t even retrieve email through windows. I think unsolicited email attachments coming to the mac side is the only way these trojans can be coming in. I’m relived to know that I won’t be passing them on.

    neonblue2 - I do have MacDrive installed on the windows side.

    Does MacDrive cause a security risk?
    Is it possible for the mac side to be accessed and compromised from the window side?

    BlueRevolution: I am shocked to learn that you are eating the missing socks. I went for years thinking that they were somehow transforming into those little balls of fluff that run around under the couch and bed. How could I have been so wrong? But I am flattered that you say that mine are particularly delicious. I must try them. I wonder if a bit mustard on the toe would be in order? A bit of spicy Dijon, perhaps?
  6. BlueRevolution macrumors 603


    Jul 26, 2004
    Montreal, QC
    Yes, it has. *nix systems rarely give you confirmation of success, just errors on failure. If you run a command and it just goes to the next line, the command worked.

    I actually gained one sock when I did laundry today. It was the strangest thing.
  7. cybergranny thread starter macrumors newbie

    Mar 28, 2009
    It is a gift, for all your kind help and explanations!

Share This Page