
.rserv wants to connect to cuojshtbohnt.com

27348 Views 227 Replies Latest reply: Apr 12, 2012 8:53 PM by MadMacs0 RSS
  • fliang
    Apr 5, 2012 2:20 PM (in response to chadonline)

    Just got hit with this today.

    Found ~/.rserv trying to make connections to various URLs.

    Apparently launched by:

    feynmanliang@vlan409-128: ~/Library/LaunchAgents
    $ l                                        [17:19:17]
    total 40
    drwx------  12 feynmanliang staff  408 Apr  5 11:49 ./
    drwx------+ 58 feynmanliang staff 1972 Apr  5 13:16 ../
    -rw-r--r--   1 feynmanliang staff  497 Mar 30 19:38 com.adobe.reader.plist
    ...

    com.adobe.reader.plist in user LaunchAgents directory.

  • humanmechanism
    Apr 5, 2012 3:07 PM (in response to chadonline)

    Little Snitch: .null wants to connect to vxvhwcixcxqxd.com

    I have received this prompt, as I am sure others have as well. I do remember the onscreen window that F-Secure has in their detailed description of the Flashback variant, while surfing the web, that prompted me to insert my password; I of course did not.

    I would like to post the 4 steps that I have taken in Terminal to remove the .null file as instructed by F-Secure and would appreciate any feedback.

    1. ls -lA ~/Library/LaunchAgents

    -rw-r--r--  1 "myname"  staff  484 28 Mar 22:39 null.plist

    2. defaults read ~/Library/LaunchAgents/null ProgramArguments
    (
        "/Users/"myname"/.null"
    )

    3. rm -R /Users/"myname"/.null

    4. delete null.plist

    I have run all the necessary steps that F-Secure has posted for manual removal of Flashback.K, I, C, B, and A. I have only received error messages, which F-Secure says are an indication that the system is already clean of the variant.

    Thanks to all in advance.

  • MadMacs0 Level 4 (3,330 points)
    Apr 5, 2012 4:44 PM (in response to WZZZ)

    WZZZ wrote:

    Mad, I've asked you this in the Leopard forum already

    Answered in that forum.

    If not, do you know -- or anyone else, maybe -- if Intego's VirusBarrier X6, the demo version, will scan properly for this? I know they are claiming the full version, at least, can.

    I do not. I seem to remember that there are limitations to some of the free / demo versions out there (like not getting timely updates), but I don't really know about VB X6. I have the full version (came with a bundle of software), but have not activated it yet.

  • R C-R Level 6 (13,835 points)
    Apr 5, 2012 9:18 PM (in response to WZZZ)

    WZZZ wrote:

    If not, do you know -- or anyone else, maybe -- if Intego's VirusBarrier X6, the demo version, will scan properly for this? I know they are claiming the full version, at least, can.

    If F-Secure's info is right, a scan may not be necessary since the trojan-downloader component of the recent variants self-destructs if it detects /Applications/VirusBarrier X6.app.

    And FWIW, this April 3 Sophos blog post claims that Sophos security products (including the free one for Mac home users) have been detecting the components of the malware for some time.

  • MadMacs0 Level 4 (3,330 points)
    Apr 5, 2012 9:35 PM (in response to R C-R)

    R C-R wrote:

    WZZZ wrote:

    If not, do you know -- or anyone else, maybe -- if Intego's VirusBarrier X6, the demo version, will scan properly for this? I know they are claiming the full version, at least, can.

    If F-Secure's info is right, a scan may not be necessary since the trojan-downloader component of the recent variants self destructs if it detects /Applications/VirusBarrier X6.app.

    I understood WZZZ to be looking for a post-infection scanner to check for the Trojan itself.

  • WZZZ Level 6 (11,880 points)
    Apr 5, 2012 9:41 PM (in response to MadMacs0)

    RC-R: just seconds before I saw your post, I saw that on the Sophos forum. Thanks. And, yes, MadMacs0 is right. A post-infection scanner is needed.

  • johnnyqq
    Apr 5, 2012 10:13 PM (in response to chadonline)

    Well, I have been reading many posts for the last few days. And I strongly believe that the creators of this trojan have developed it in a way that it morphs into different .filenames (invisible) depending on what apps you have opened.

    I began to first suspect something strange when VirtualBox crashed my system (kernel panic) on me several times over the weekend. Something it has never done in the past. Sometime later, maybe later in the day, I began to get Little Snitch warnings about a file .mkeeper in my ~myuser directory created April 1 2012. I was suspicious about its creation date as I downloaded MacKeeper several weeks ago from the developer's site and installed it but had stopped using it altogether.

    Nonetheless this .mkeeper file connection warning kept coming up. I did not authorize Little Snitch access to the cuojshtbohnt site and began Googling. Only found one or two pages mentioning the file .mkeeper, but nothing conclusive. The only discussions I found were on .rserv. Unlike today, where more pages are surfacing.

    Well, turns out this file was a Flashback trojan and, though I didn't have any other files in my ~/Library/LaunchAgents/ or elsewhere as indicated by F-Secure, I don't think I was fully infected. Perhaps because Little Snitch prevented the connection. Incidentally, I do have Skype installed but not MS Office.

    I tried opening the .mkeeper file (a Unix executable file) and found it must have been a binary file as there was little text I could really make out. Well, long story: I downloaded an antivirus trial version and ran it on my system and it flagged the .mkeeper as a Flashback trojan and also flagged two MacKeeper files, both .plist types if I remember correctly, something to the effect of zeobyte.plist and mackeeper.plist.

    I believe I may have gotten it from an off-off-the-wall torrent site I may have visited, which later attacked the MacKeeper app. So therefore I strongly suggest that you be cynical and don't allow yourself to believe that this trojan has one identity or goes by one name. My regret is that I trashed the files. I should have kept the files to have them dissected.

    Well, hope this can help shed some light. I have been a Mac user for over 25 years and never had antivirus or any virus issues on any of my Macs. I am just upset that Apple has taken a leisurely approach to this, especially since this threat was first reported back in February.

  • X423424X Level 6 (14,190 points)
    Apr 5, 2012 10:39 PM (in response to WZZZ)

    WZZZ wrote:

    RC-R: just seconds before I saw your post, I saw that on the Sophos forum. Thanks. And, yes, MadMacs0 is right. A post-infection scanner is needed.

    Here's what I've been currently posting when I reply to one of those "have I been infected" threads:

    Here's what I am suggesting as a rudimentary test for some of the known strains of the Flashback trojans. Open a Terminal window and copy/paste each of the following lines, hitting return after each one, and note the results:

    defaults read ~/.MacOSX/environment
    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    ls -la ~/Library/LaunchAgents
    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

    For the two defaults commands, if you get anything other than a "does not exist" error message, post the results since you are almost certainly infected.

    The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection, and again post its results.

    I don't have confidence in the Safari test. But that's the one floating around so I threw it in.

  • WZZZ Level 6 (11,880 points)
    Apr 6, 2012 5:01 AM (in response to X423424X)

    Thanks, I've given him the latest, grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* to try. (That's meant to show any dot files in there?) He's run all the others by now, including the one for Firefox and, since I think he sometimes uses Chrome, that as well.

  • Marco g
    Apr 6, 2012 5:15 AM (in response to X423424X)

    Little Snitch informed me that ~/.flserv wants to connect to vxvhwcixcxqxd.com and krymbrjasnof.com.

    ~/.flserv is started by ~/Library/LaunchAgents/com.adobe.flp.plist on my Mac.

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* shows the following result:

    /Users/marco/Library/LaunchAgents/com.adobe.flp.plist:<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.adobe.flp</string><key>ProgramArguments</key><array><string>/Users/marco/.flserv</string></array><key>RunAtLoad</key><true/><key>StartInterval</key><integer>4212</integer><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string></dict></plist>

    I'm not sure if I allowed any suspicious connection in the last days, nor do I remember providing my admin password to any suspicious installer - but the timestamp shows that it's been there since March 30.

    Both F-Secure tests are ambiguous in my opinion. Since steps 3 and 8 result in "...does not exist", inexperienced users might think they are not infected.

    I deleted both ~/Library/LaunchAgents/com.adobe.flp.plist and ~/.flserv

    Hopefully this is enough.

  • Twist1 Level 1 (5 points)
    Apr 6, 2012 9:40 AM (in response to chadonline)

    Thanks for the advice MadMacs0. I was definitely infected but the only extra file I found was titled null.plist located in my LaunchAgents folder. I used Time Machine to restore my system to before the virus appeared. This was actually a perfect solution as Microsoft Office had not been functioning since one of the last security updates (I assume it was the update due to the timing) and is now back to normal.

  • lytic
    Apr 6, 2012 12:08 PM (in response to chadonline)

    Dear Mac OS user,

    Check now whether your Mac is infected by Backdoor.Flashback.39!

    Submit your Mac UUID to this Express-check form.

    Doctor Web will check if there was a connection from your computer to the botnet control server.

    http://public.dev.drweb.com/april/

  • X423424X Level 6 (14,190 points)
    Apr 6, 2012 12:22 PM (in response to Marco g)

    Marco g wrote:

    I deleted both ~/Library/LaunchAgents/com.adobe.flp.plist and ~/.flserv

    Hopefully this is enough.

    I hope it is. But this identical thing is going on in another thread, but there the name is .reserv instead of .flserv. I posted instructions on removal, which are of course to delete both those files. But I also requested there to do one check on the dot file just to see if it is referencing other stuff. Based on what F-Secure has been doing with previous strains, that would translate here to:

    grep -a -o '__ldpath__[ -~]*' ~/.flserv

    Since I don't have these files I'm just curious to see if the grep yields anything interesting, or anything at all for that matter.

  • X423424X Level 6 (14,190 points)
    Apr 6, 2012 12:29 PM (in response to WZZZ)

    WZZZ wrote:

    Thanks, I've given him the latest, grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* to try. (That's meant to show any dot files in there?)

    It's meant to show any launch agent that contains the string "/Users/USERNAME/.filename" in the launch agents, not all dot filenames. Initially I was more general in the search because I didn't want to restrict it to just dot filenames. But that was too general since it would find every launch agent that referenced the user's account. So I changed it to the current search.

    If I get obsessive about this, even the current grep is "perfect". A user in the other thread uses CleanMyMac and its launch agent references /Users/USERNAME/.Trash. So where do I draw the line?
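    A scripted version of the LaunchAgents check from X423424X's two posts above, written as an added example for this page (it is not code from the thread, from F-Secure, or from any vendor): instead of grepping the raw XML it parses each agent plist with Python's plistlib, flags any string that points at a hidden entry directly under the home directory, and treats ~/.Trash as benign to cover the CleanMyMac false positive just described. The sample plists and the home path /Users/alice are constructed test inputs.

```python
import plistlib
import re

# Constructed sample LaunchAgent plists (test inputs, not files from any real machine).
# The first mirrors the shape of the com.adobe.flp.plist quoted earlier in the thread.
SAMPLE_AGENTS = {
    "com.adobe.flp.plist": (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        b'<plist version="1.0"><dict><key>Label</key><string>com.adobe.flp</string>'
        b'<key>ProgramArguments</key><array><string>/Users/alice/.flserv</string></array>'
        b'<key>RunAtLoad</key><true/><key>StartInterval</key><integer>4212</integer></dict></plist>'
    ),
    # A cleaner utility that legitimately references ~/.Trash (the false positive noted in the thread).
    "com.example.cleaner.plist": plistlib.dumps({
        "Label": "com.example.cleaner",
        "ProgramArguments": ["/Applications/Cleaner.app/Contents/MacOS/cleaner", "/Users/alice/.Trash"],
    }),
    # An agent whose only home-directory reference is a visible (non-dot) path.
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Users/alice/Library/Application Support/Updater/agent"],
    }),
}

# Dot entries legitimate agents are known to reference; any other hidden entry under $HOME is flagged.
BENIGN_DOT_ENTRIES = {".Trash"}

def _strings(value):
    """Collect every string in a parsed plist, whichever key it sits under."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, list):
        return [s for v in value for s in _strings(v)]
    return []

def hidden_home_refs(plist_bytes, home):
    """Strings referencing a hidden entry directly under `home`, minus known-benign ones."""
    pattern = re.compile(re.escape(home.rstrip("/")) + r"/(\.[^/]+)")
    return [s for s in _strings(plistlib.loads(plist_bytes))
            if (m := pattern.search(s)) and m.group(1) not in BENIGN_DOT_ENTRIES]

def scan_agents(agents, home):
    """Map each plist name to its suspicious references; plists with none are omitted."""
    return {n: h for n, c in agents.items() if (h := hidden_home_refs(c, home))}
```

    On a real machine the dict would be built from the files in ~/Library/LaunchAgents, and a hit means the plist deserves the same inspection the thread applies to com.adobe.flp.plist, not an automatic deletion.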

  • Marco g Level 1 (5 points)
    Apr 6, 2012 2:31 PM (in response to X423424X)

    Hi X423424X, thanks for the advice. Since I already deleted ~/.flserv it's hard to tell. I recovered it from my backup to run grep -a -o '__ldpath__[ -~]*' ~/.flserv, but there are no results.

    However, if I view ~/.flserv, there are many references to other files.

    If anybody is interested, I renamed it to "flserv" and uploaded it to this location: https://www.yousendit.com/download/M3BubUpjcklsUi9MYnNUQw
