
New Mac Trojan may funnel files, screenshots

Discussion of general issues, not related to a specific Mac or iDevice operating system.
Forum Member - Level 3
Posts: 115
Joined: Tue Apr 12, 2011 8:03 am
Location: Sequim-Port Angeles


Post by bluesky » Sat Sep 24, 2011 12:04 pm

Mac Trojan may funnel files, screenshots to distant servers

updated 01:15 pm EDT, Fri September 23, 2011

Malware currently just minor threat

A newly-detailed Trojan attack is being directed at Macs, say security firms F-Secure and Sophos. Originally spotted in late July, the Trojan relies on two pieces of malware. The first is a downloader identified as "Trojan-Dropper:OSX/Revir.A," which not only retrieves the second piece of software but repeatedly opens a Chinese PDF document -- trojan.pdf -- said to contain offensive political statements. The real purpose of the document is thought to be distracting a person while the second app is downloaded.

Nicknamed "BackDoor:OSX/Imuler.A," the second half of the Trojan configures a launch agent which keeps the malware active, and then connects to a remote server, feeding it a victim's computer username and MAC address. The server can reportedly instruct a besieged system to archive files and upload them, or else capture screenshots for upload. F-Secure comments that Imuler.A currently seems to be working badly or not at all, since it isn't receiving instructions; the company warns, though, that the server may simply be in a testing phase, and could later become fully functional.

Both Sophos and F-Secure have produced updated definitions for their antivirus scanners that should cope with the Trojan. Apple has yet to push out new definitions for Lion and Snow Leopard, but the malware is said to be relatively easy to stop manually. People must first stop a process called "checkvir" in the Activity Monitor, and then delete "checkvir" and "checkfir.plist" files from their /username/Library/LaunchAgents/ directory.

Read more: ... z1YtkZJIdC
"All computers wait at the same speed."
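The manual removal steps quoted in the article boil down to two checks: is a "checkvir" process running, and are the "checkvir" binary and its launch agent plist sitting in the user's LaunchAgents folder. The script below is an added example, not code from the post or from F-Secure or Sophos, that turns those steps into a defender-side scan. It uses only the file and process names quoted above; the directory argument, the `count_findings` helper and the plist contents in any test run are constructed here so the scan can be exercised against a throwaway folder instead of a live `~/Library/LaunchAgents/`.

```shell
#!/bin/sh
# Added example (not from the original post): check a LaunchAgents directory
# for the persistence artifacts the article names. Indicator names are the
# ones quoted in the article; everything else here is an assumption.

# File names the article says the Trojan drops into ~/Library/LaunchAgents/
# (the article spells the plist "checkfir.plist"; both spellings are checked).
IOC_NAMES="checkvir checkvir.plist checkfir.plist"

# scan_launch_agents DIR
# Prints one path per line for every indicator file present in DIR, plus any
# other .plist in DIR whose contents reference "checkvir" (a launch agent that
# was renamed but still points at the binary). Prints nothing when clean.
scan_launch_agents() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for name in $IOC_NAMES; do
        if [ -e "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        # Skip names already reported by the loop above.
        case " $IOC_NAMES " in
            *" $(basename "$plist") "*) continue ;;
        esac
        if grep -q 'checkvir' "$plist" 2>/dev/null; then
            printf '%s\n' "$plist"
        fi
    done
}

# count_findings DIR
# Prints the number of suspicious paths found by scan_launch_agents.
count_findings() {
    scan_launch_agents "$1" | wc -l | tr -d ' '
}

# checkvir_running
# Prints the PIDs of any process named exactly "checkvir" (the process the
# article says to stop in Activity Monitor); prints nothing if none is running.
checkvir_running() {
    pgrep -x checkvir 2>/dev/null
}

# Typical use on the local account; both print nothing on a clean machine:
#   checkvir_running
#   scan_launch_agents "$HOME/Library/LaunchAgents"
```

The content scan of every plist is the part a name-only check misses: a launch agent keeps the malware running regardless of what the plist file is called, so the scan looks inside each plist for a reference to the dropped binary rather than trusting the file name alone.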
