Q: Please Help! Finder is displaying strange codes such as N80 and N201

I think I may have this Java Trojan virus that many have been talking about, whose most common symptom is that it makes my Finder display folder names as N80, N81, etc. in place of titles such as 'Open Finder' and 'Empty Trash'.

Here are some screen caps of the problem.

[Three screenshots attached: Screen shot 2012-03-02 at 4.00.42 PM.jpg, Screen shot 2012-03-02 at 4.00.51 PM.jpg and Screen shot 2012-03-02 at 4.01.22 PM.jpg]

I have tried a few things, such as Repair Disk Permissions, restarting, and logging off, but with no success.

Any suggestions/ideas would be greatly appreciated, as I am concerned this might be the Java Trojan virus, and I wish to restore my Mac to what it was before.

I have Mac OS X 10.6.6.

Thanks! Lucy

MacBook, Mac OS X (10.6.6)

Posted on Mar 2, 2012 12:23 AM

Page 3 of 3

  • janetfrommountainview, Mar 2, 2012 11:56 PM, in response to X423424X:

    Disregard.

  • MadMacs0, Mar 2, 2012 11:58 PM, in response to X423424X:

    X423424X wrote:

        What a mess. And I still don't know where all these people are downloading this thing from.

    This is the only one that I've heard anything about: http://www.google.com/safebrowsing/diagnostic?site=vegweb.com

  • X423424X, Mar 3, 2012 1:30 AM, in response to MadMacs0:

    I don't understand that link. It just gets hung up with Google Safe Browsing and there is no way past it. vegweb.com is just a recipe web site (I guess) and uninteresting.

  • MadMacs0, Mar 3, 2012 1:42 AM, in response to X423424X:

    An infected user said he was looking at a soup recipe there when he was infected. I took a look at the page, but it's clean now (he was infected on the 22nd). So I took a look at Safe Browsing and it said that the vegweb site had been serving up malware including 477 Trojans, so I think the chances are good he got it there. The site must be easy to hack, so they pick some popular pages and put their Java Downloader applet there, bring their server up for a few hours to serve the rest of the Trojan, then see what happens. They are probably subscribed to read this, as we speak.

  • X423424X, Mar 3, 2012 1:48 AM, in response to MadMacs0:

    Ok, I'll bite. How could going to a web page create, say, the environments.plist, or any of the other files for that matter? Could you click on a recipe and some java(script) code download and save the files in the requisite places? I've been assuming that the trojan was inserted when a fake installer was downloaded and run, like the fake Adobe plugin installer.

  • X423424X, Mar 3, 2012 2:15 AM, in response to MadMacs0:

    Never mind. It's getting late and I reread your post about the Java.

  • WZZZ, Mar 3, 2012 9:07 AM, in response to X423424X:

    X423424X wrote:

        FWIW, I am an advocate of using LS. It is one of my "must haves" for my systems. But having said that, if this trojan, when embedded in a browser, calls home via the browser, say using port 80, then of course LS won't detect it unless you block the port. And you can't really do that since then you couldn't use the browser.

    Far from the best, since it wouldn't prevent the connection, but you could see if the browser/port 80 or anything else was connecting somewhere strange by looking at the LS Network Monitor.

  • noondaywitch, Mar 3, 2012 10:04 AM, in response to WZZZ:

    Little Snitch does not have to allow all traffic on port 80, or any other port.

    Go to the LS Rules and remove any references to allowing all traffic on port 80.

    Most of your sites will then prompt a LS dialogue; choose the most restrictive settings, e.g. "exywisey.com and port 80".

    If that trojan throws up a dialogue you can deny it and make a note of the address it was trying to access.
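The two posts above describe the same triage step from two angles: watching which process is talking on port 80 (the LS Network Monitor) and denying anything unexpected. The shell function below is an added example, not something posted in the thread, that does the watching part from a terminal: it takes the output of `lsof -i TCP -n -P` (the `-n`/`-P` flags keep addresses and ports numeric so port 80 is not printed as "http"), keeps only TCP connections whose remote side is port 80, and prints the ones whose process name is not on a caller-supplied allow list. The `lsof` lines fed to it here are constructed for the example, including the process name "updater", and are not a real capture. The caveat the thread raises still applies: if the trojan's code runs inside Safari, its traffic shows up here as Safari and an allow list will not separate it.

```shell
#!/bin/sh
# Added example (not from the thread): list outbound TCP connections to port 80
# by process, the command-line counterpart of watching the Little Snitch
# Network Monitor, and flag any process that is not on an expected list.
# Input is `lsof -i TCP -n -P` output; -n and -P keep hosts and ports numeric.

# flag_port80 "Safari Firefox" < lsof-output
# Prints "COMMAND PID REMOTE" for every TCP connection whose remote side is
# port 80 and whose process name is not in the space-separated allow list.
flag_port80() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                     # lsof column header
        $8 != "TCP" { next }                 # ignore UDP sockets
        $9 ~ /->[^ ]*:80$/ {                 # NAME is local->remote:port; LISTEN rows have no "->"
            if (!($1 in ok)) print $1, $2, substr($9, index($9, ">") + 1)
        }'
}

# Constructed sample in lsof format (not a real capture): Safari talking to a
# web server on 80 and 443, a java process and an unknown "updater" also on 80.
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari    412  lucy   20u  IPv4 0x1a2b      0t0  TCP 10.0.1.5:49210->203.0.113.10:80 (ESTABLISHED)
Safari    412  lucy   21u  IPv4 0x1a2c      0t0  TCP 10.0.1.5:49211->203.0.113.10:443 (ESTABLISHED)
java      981  lucy   12u  IPv4 0x1a2d      0t0  TCP 10.0.1.5:49300->198.51.100.23:80 (ESTABLISHED)
updater   990  lucy    5u  IPv4 0x1a2e      0t0  TCP 10.0.1.5:49301->203.0.113.9:80 (SYN_SENT)
mDNSResponder 88 _mdnsresponder 7u IPv4 0x1a2f 0t0 UDP *:5353'

# Run against the sample; on a live machine use:
#   lsof -i TCP -n -P | flag_port80 "Safari Firefox"
printf '%s\n' "$SAMPLE_LSOF" | flag_port80 "Safari Firefox"
```

Against the sample this prints the java and updater rows and nothing for Safari. A process such as `java` opening its own port-80 connection is exactly the kind of thing worth noting down, as noondaywitch suggests, before deciding whether to deny it.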

  • WZZZ, Mar 3, 2012 10:40 AM, in response to noondaywitch:

    True, but the point X4 was making was "...if this trojan, when embedded in a browser, calls home via the browser, say using port 80...."

    Of course, completely hypothetical.

  • MadMacs0, Mar 3, 2012 11:25 AM, in response to WZZZ:

    WZZZ wrote:

        Of course, completely hypothetical.

    I'd call it more speculative than hypothetical. F-Secure pointed out that in previous versions of Flashback code was injected into Safari, and Iomega has said

        Flashback.G injects code into web browsers and other applications that access a network...

    and later

        This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites.

    So it's not a big leap to guess that the same code then uses port 80 and Twitter to send the results to the mother ship.

    I don't think I've mentioned it in this thread yet, but another infected user with backward engineering talents has said that the code is no longer injected into the application on the hard drive, but rather waits until it is launched into RAM, making it more difficult to detect and analyze.

  • MadMacs0, Mar 3, 2012 11:32 AM, in response to X423424X:

    X423424X wrote:

        Ok, I'll bite. How could going to a web page create, say, the environments.plist, or any of the other files for that matter? Could you click on a recipe and some java(script) code download and save the files in the requisite places?

    Iomega has told me that it is not necessary to click on any javascript or other link. The simple act of opening the page in your browser will apparently run the "Downloader" applet if you have Java enabled in the browser. That, in turn, accesses the server where the rest of the code is downloaded, installed in appropriate places, etc., and then the original applet self-destructs.
