Bob Mayo

Q: Flashback: how to handle some Launch Agents Folder questions?

Two Flashback questions, followed by some background.

1) In cleaning up a Flashback infection, why would running the ls -lA ~/Library/LaunchAgents/ command in Terminal return the result "total 16", when there are only 2 items in the LaunchAgents subfolder? (I checked for invisible files in that folder -- there are none.)

2) Should I delete any of the plist files from the LaunchAgents folder, including the ones that appear to be for MobileMe syncing and Safari bookmark syncing?

Here's the background:

When I entered this into Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

I got this result:

/Users/Shared/.libgmalloc.dylib

When I entered this into Terminal:

grep -a -o '__ldpath__[ -~]*' /Users/Shared/.libgmalloc.dylib

I got this DOUBLE result:

__ldpath__/Users/username1/Library/Application Support/.WondershareDVDBackup.tmp
__ldpath__/Users/username1/Library/Application Support/.WondershareDVDBackup.tmp

(We've never used "Wondershare DVD Backup", by the way.)

When I entered this into Terminal:

ls -lA ~/Library/LaunchAgents/

I got this result for username1:

total 16
-rw-r--r--  1 username1  username1  581 Apr 30  2011 com.apple.MobileMeSyncClientAgent.plist
-rw-r--r--  1 username1  username1  813 Mar  1  2009 com.apple.SafariBookmarksSyncer.plist

When I entered this into Terminal:

defaults read ~/Library/LaunchAgents/com.apple.MobileMeSyncClientAgent.plist ProgramArguments

I got this result:

2012-04-07 19:40:25.306 defaults[1260:903]
The domain/default pair of (/Users/username1/Library/LaunchAgents/com.apple.MobileMeSyncClientAgent.plist, ProgramArguments) does not exist

... and the same sort of "does not exist" result when I tested SafariBookmarksSyncer in the launch agents folder.

I got this result (note the high "total" number) for username2 -- this user account *did not* test positive for Flashback:

total 40
-rw-r--r--  1 username2  staff  619 Oct 18  2010 com.adobe.ARM.ad895013aeb33ea6e968d9fdc06c0eb42c7c2a5229d98d64ad002716.plist
-rw-r--r--  1 username2  staff  581 Mar 24 14:33 com.apple.MobileMeSyncClientAgent.plist
-rw-r--r--  1 username2  staff  815 Apr 19  2010 com.apple.SafariBookmarksSyncer.plist
-rw-r--r--  1 username2  staff  667 Jul 28  2011 com.macupdate.desktop5.scanner.plist
-rw-r--r--  1 username2  staff  615 Sep 13  2009 de.metaquark.appfresh.plist

(I have no idea what de.metaquark.appfresh would be. I presume the long adobe plist is from an installation of Adobe 8.)

Posted on Apr 8, 2012 8:02 AM

  • by etresoft (Level 7, 29,051 points), Apr 8, 2012 8:28 AM in response to Bob Mayo

    You've definitely got the trojan all right.

    I wrote a user tip and checker/removal tool: https://discussions.apple.com/docs/DOC-3271

    It should clean things up without having to type any terminal commands. Try it out and let me know what happens. Rerun those terminal commands and verify whether it actually cleans things up. I have only tested it on my own demo trojan. I would like to know if it really works.

  • by Bob Mayo (Level 1, 109 points), Apr 8, 2012 10:30 AM in response to etresoft

    Thanks, etresoft. I've already done the removal of .libgmalloc.dylib and .WondershareDVDBackup.tmp, but am still wondering if I need to do anything with the plists in the LaunchAgents folder (and what that higher "total" number returned by ls -lA ~/Library/LaunchAgents/ means). My interpretation is that there's nothing corrupted about those plists, but I want to be sure. I already downloaded and ran ClamXav, and it doesn't report any issues there. I also wonder if any Applications were affected, because ClamXav scans only the home folder, not the entire drive.

    (I give you and others credit for working on and sharing automated tools for checking for and/or addressing effects of the malware. I hope Apple builds something into a software update to address this.)

  • by FrenchToast (Level 3, 645 points), Apr 8, 2012 10:28 AM in response to Bob Mayo

    Looks like some serious marketing is already at work out there: http://www.macupdate.com/app/mac/42571/anti-flashback-trojan

  • by FrenchToast (Level 3, 645 points), marked Helpful, Apr 8, 2012 10:30 AM in response to Bob Mayo

    As a side note, you can set ClamXav to scan your entire drive by selecting MacintoshHD as primary target. It's going to take a while, depending on the size of your drive, though.

    As for the plist files you mention, if they look legitimate, i.e. if they belong to legitimate applications, don't bother to delete them. You can, though: the applications in question will create new ones next time you run them.

  • by etresoft (Level 7, 29,051 points), marked Helpful, Apr 8, 2012 10:37 AM in response to Bob Mayo

    You can open those files in a text editor like Text Wrangler. Typically the trojan software always starts with a "." character so that it is hidden in the Finder. If you have removed the software but not an associated LaunchAgent, you might have errors in your Console.app log.

  • by Bob Mayo (Level 1, 109 points), Apr 8, 2012 10:59 AM in response to etresoft

    I'm wondering -- and I don't know if anyone has established this -- if it's possible the malware could have created only .libgmalloc.dylib and .WondershareDVDBackup.tmp on my computer and not succeeded in (or gotten around to) creating a LaunchAgent yet. I used the Dr. Bott UUID checker, and it didn't show any past communication with the botnet server --- though I don't know that his database is comprehensive.

  • by fane_j (Level 4, 3,667 points), Apr 9, 2012 12:25 AM in response to Bob Mayo

    Bob Mayo wrote:

    if it's possible the malware could have created only .libgmalloc.dylib and .WondershareDVDBackup.tmp on my computer and not succeeded in (or gotten around to) creating a LaunchAgent yet.

    None of the posters who had the launch agent form had the environment.plist entry. Which means one of two things. Either, (a) they caught the malware in its early phase, in which the executable launched by the launch agent was attempting to communicate with its controller to download the malware payload; or, (b) they caught a different variant, one which no longer used a hidden shared library stored in </Users/Shared>.