how to find if you are affected by a malware program?

2232 Views 24 Replies Latest reply: Apr 8, 2012 12:17 PM by nerowolfe
madjikphotos
Apr 5, 2012 7:44 PM

How to find out if you are affected by this new malware virus?

Mac OS X (10.7.3)
  • leroydouglas Level 6 Level 6 (13,330 points)

    You can see if your machine is affected by opening up the Terminal.app and copy & paste:

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    If you get the message “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”,

    you must then copy & paste:

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    If you get the message:

    “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”,

    Basically, the “does not exist” message means you’re clean, and Mac is safe.

    If you see anything other than those messages, you can check out F-Secure’s guide to removing the Flashback trojan.

    MacBook Pro, Mac OS X (10.7.3), 2.4GHz IntelCorei5 320GB HD 8GB RAM
  • flac124

    When I run the Terminal command lines I come out clean.

    However when I run ClamXav it's showing that I have a 'OSX.Flashback-8' Infection.

    What should I do?
  • Topher Kessler Level 6 Level 6 (9,305 points)

    Does it say what files are part of the infection? If so, then what are they?

    This variant of the malware uses a file called .libgmalloc.dylib that's in the /Users/Shared/ directory. You can remove this by opening the Terminal (in the /Applications/Utilities/ folder) and running the following command (provide your password when prompted):

    sudo rm /Users/Shared/.libgmalloc.dylib

  • flac124 Level 1 Level 1 (0 points)

    Other than noting it as '.rserv', no it didn't detail any files. ClamXav detected it as soon as I began the scan.

    Something called .rserv wanted to connect to my mac a few days ago which I denied via Little Snitch. I suspect this is the source of my issue.

    I just installed Apple's 2nd 'Java for OS X 2012-002' update. Restarted and ran Terminal and have scanned twice with ClamXav and everything came back clean.

    I also don't see any .libgmalloc.dylib in the /Users/Shared/ directory (showing hidden files).

    Am I in the clear now? Given what I've read on this issue, I plan on changing all my passwords regardless.

  • Topher Kessler Level 6 Level 6 (9,305 points)

    It sounds like you are in the clear. Do you have ClamXav set to remove, quarantine, or otherwise automatically handle malicious files?

  • X423424X Level 6 Level 6 (14,190 points)

    flac124 wrote:

    Other than noting it as '.rserv', no it didn't detail any files. ClamXav detected it as soon as I began the scan.

    If Little Snitch (or ClamXav) is detecting this then you have another variant of the trojan.  I don't know why this is being ignored by the various articles on the flashback trojans (ClamXav detecting is a surprise to me).  Maybe because it is the newest of the bunch and possibly done by another group distinct from the previous flashback trojans.  Unlike the previous flashback strains this one is rather brain dead.  It makes no attempt to detect if tools like Little Snitch are installed (which is why LS detects it).  It installs a user LaunchAgent to spawn the code that LS is detecting (.rserv in this case but that is only one of many names it may use).

    For the sake of completeness below is what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans including this new one.  Open a terminal window and copy/paste each of the following lines, hitting return after each one, and note the results:

    defaults read ~/.MacOSX/environment
    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    ls -la ~/Library/LaunchAgents
    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

    For the two defaults commands, if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.

    The third and fourth commands are for the newer strain.  The third command, ls, just lists the contents of your LaunchAgents, if any.  That's additional info to be used in conjunction with the last grep command.  If the grep shows any results then that too may indicate infection and again post its results.  It should show the pathname to the spawned code (probably /Users/YOURACCOUNT/.rserv in this case).

    ----

    Here's the ever growing thread where this new variant was first discussed.

    .rserv wants to connect to cuojshtbohnt.com
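The grep test above matches the pattern anywhere in the plist file, which is why the CleanMyMac agent that merely mentions ~/.Trash also shows up in the results posted later in this thread. Added example (not code from the thread or from any of its posters): the same check done by parsing each LaunchAgent plist and looking only at the executable launchd actually runs (Program or ProgramArguments[0]); the sample plists are constructed from the output quoted in the thread, and the CleanMyMac content is hypothetical.

```python
import pathlib
import plistlib
import re

# Constructed sample LaunchAgent plists modelled on the output posted in this thread (not
# files from any real machine): the com.adobe.reader.plist that spawns ~/.rserv, and a
# benign agent that only mentions ~/.Trash elsewhere, which the thread's grep also matched.
HOME = "/Users/flac124"
SAMPLE_AGENTS = {
    "com.adobe.reader.plist": {
        "Label": "com.adobe.reader",
        "ProgramArguments": [HOME + "/.rserv"],
        "RunAtLoad": True,
        "StartInterval": 4212,
        "StandardErrorPath": "/dev/null",
        "StandardOutPath": "/dev/null",
    },
    "com.macpaw.CleanMyMac.helperTool.plist": {  # hypothetical benign content
        "Label": "com.macpaw.CleanMyMac.helperTool",
        "ProgramArguments": ["/Applications/CleanMyMac.app/Contents/MacOS/helperTool"],
        "WatchPaths": [HOME + "/.Trash"],
    },
}

def suspicious_agents(agents, home):
    """Return (filename, program, StartInterval) for agents whose executable lives under a
    hidden entry directly inside home (e.g. /Users/flac124/.rserv). Only the Program or
    ProgramArguments[0] field is examined, so ~/.Trash in some other key is not a hit."""
    hidden_in_home = re.compile(r"^" + re.escape(home) + r"/\.[^/]+")
    hits = []
    for name, plist in sorted(agents.items()):
        args = plist.get("ProgramArguments") or []
        program = plist.get("Program") or (args[0] if args else None)
        if program and hidden_in_home.match(program):
            hits.append((name, program, plist.get("StartInterval")))
    return hits

def load_agents(directory):
    """Parse every .plist in a directory (XML or binary); unreadable files are skipped."""
    agents = {}
    for path in pathlib.Path(directory).glob("*.plist"):
        try:
            with open(path, "rb") as f:
                agents[path.name] = plistlib.load(f)
        except (plistlib.InvalidFileException, OSError, ValueError):
            continue
    return agents
```

On a real machine, call `suspicious_agents(load_agents("/Users/YOURACCOUNT/Library/LaunchAgents"), "/Users/YOURACCOUNT")`; the same check covers the ~/.flserv variant mentioned later in the thread, since it only looks for a hidden executable directly under the home directory.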

  • Topher Kessler Level 6 Level 6 (9,305 points)

    The .rserv file connecting "to" your mac doesn't make much sense, but if it is on your mac and trying to connect to remote servers then that is of concern. A number of people are finding it to be a potentially malicious program, and as X423424X suggested you should run the Terminal commands he mentioned to see what the output is (and continue to block the connection efforts).

  • flac124 Level 1 Level 1 (0 points)

    The first two command lines came back 'does not exist'.

    The last two resulted in the following:

    Josephs-MacBook-Pro:~ flac124$ ls -la ~/Library/LaunchAgents
    total 64
    drwx------  10 flac124  staff   340 Mar 31 16:28 .
    drwx------@ 52 flac124  staff  1768 Jan 28 22:47 ..
    -rw-r--r--   1 flac124  staff   697 Nov 13 20:15 com.adobe.AAM.Updater-1.0.plist
    -rw-r--r--@  1 flac124  staff   492 Mar 31 16:28 com.adobe.reader.plist
    -rw-r--r--   1 flac124  staff   618 Jan 28 22:48 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.81A53C77-3978-4E1B-A73F-673C71CF87C1.plist
    -rw-r--r--   1 flac124  staff   892 Nov 13 16:30 com.apple.CSConfigDotMacCert-flac124@me.com-SharedServices.Agent.plist
    -rw-r--r--   1 flac124  staff   544 Jan  5 21:54 com.macpaw.CleanMyMac.helperTool.plist
    -rw-r--r--   1 flac124  staff   554 Jan  5 21:54 com.macpaw.CleanMyMac.trashSizeWatcher.plist
    -rw-r--r--   1 flac124  staff   599 Jan  5 21:54 com.macpaw.CleanMyMac.volumeWatcher.plist
    -rw-r--r--@  1 flac124  staff   544 Mar 25 23:51 ws.agile.1PasswordAgent.plist
    Josephs-MacBook-Pro:~ flac124$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*
    /Users/flac124/Library/LaunchAgents/com.adobe.reader.plist:<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.adobe.reader</string><key>ProgramArguments</key><array><string>/Users/flac124/.rserv</string></array><key>RunAtLoad</key><true/><key>StartInterval</key><integer>4212</integer><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string></dict></plist>
    /Users/flac124/Library/LaunchAgents/com.macpaw.CleanMyMac.helperTool.plist:    <string>/Users/flac124/.Trash</string>
    Josephs-MacBook-Pro:~ flac124$

  • nerowolfe Level 6 Level 6 (13,070 points)
  • X423424X Level 6 Level 6 (14,190 points)

    This is not flashback.K.  Apparently this one hasn't been named yet or I haven't spotted f-secure mentioning it yet.

    I give some instructions to remove the known stuff below.  But since I don't have a copy of .rserv I don't know if any more needs to be removed because I don't know what .rserv is referencing if anything.  Thus the deletes may cut the head of the beast but it is possible something remaining might still be alive.  To aid with that, before removing the obvious files please do me a favor and copy/paste the following in terminal and post the results (if any):

    grep -a -o '__ldpath__[ -~]*' ~/.rserv

    Thanks in advance.

    To delete the obvious files, in terminal, copy/paste (do not type) the following line:

    rm -rf ~/.rserv ~/Library/LaunchAgents/com.adobe.reader.plist

    That will remove the .rserv and launchagent.  Then log out and log back in because the com.adobe.reader.plist is on a 70 minute cycle (that's the 4212 you see in there).  Logging out and logging in will cause the launchagents to reload and now com.adobe.reader.plist will no longer be active.

  • etresoft Level 7 Level 7 (23,905 points)

    madjikphotos wrote:

    How to find out if you are affected by this new malware virus?

    Go to: http://www.java.com/en/download/testjava.jsp

    If it says:

    Mac Users: Choose the Software Update item on the Apple menu to check that you have the most up-to-date version of Java on your Mac.

    then you don't even have Java installed and you are fine. Don't worry about it. If you ever do need Java in the future (hopefully never), you will get the latest version at that time.

  • Marco g

    I posted this in another threat, if anybody is interested:

    Little Snitch informed me that ~/.flserv wants to connect to vxvhwcixcxqxd.com and krymbrjasnof.com.

    ~/.flserv is started by ~/Library/LaunchAgents/com.adobe.flp.plist on my mac.

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* shows the following result:

    /Users/marco/Library/LaunchAgents/com.adobe.flp.plist:<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.adobe.flp</string><key>ProgramArguments</key><array><string>/Users/marco/.flserv</string></array><key>RunAtLoad</key><true/><key>StartInterval</key><integer>4212</integer><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string></dict></plist>

    I'm not sure if I allowed any suspicious connection in the last days, nor do I remember providing my admin password to any suspicious installer - but the timestamp shows that it's been there since March 30.

    Both F-Secure tests are ambiguous in my opinion. Since steps 3 and 8 result in "...does not exist" inexperienced users might think they are not infected.

    I deleted both ~/Library/LaunchAgents/com.adobe.flp.plist and ~/.flserv

    Hopefully this is enough.

  • etresoft Level 7 Level 7 (23,905 points)

    Marco g wrote:

    I posted this in another threat, if anybody is interested:

    Another threat? A little Freudian slip there, eh?

    Little Snitch informed me that ~/.flserv wants to connect to vxvhwcixcxqxd.com and krymbrjasnof.com.

    Excellent program that one.

    I deleted both ~/Library/LaunchAgents/com.adobe.flp.plist and ~/.flserv

    Also delete any environment file with:

    rm ~/.MacOSX/environment.plist

    Hopefully this is enough.

    Log out and log back in.

  • stevejobsfan0123 Level 7 Level 7 (30,500 points)

    I actually heard that the trojan will check for programs like Little Snitch, and delete itself if any of these are found to prevent it from being detected (I think I read that on Cnet). True?
