
flashback virus

11516 Views 44 Replies Latest reply: Apr 15, 2012 4:01 AM by djdannyde
  • X423424X Level 6 (14,190 points)
    Apr 9, 2012 6:42 PM (in response to Dennis Langlois)

    I'll repeat my post yet again.  This time with the updated command set.

     

    -----------

     

    Here's what I am suggesting as a rudimentary test for (not remove) some of the known strains of the flashback trojans.  Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:

     

    defaults read ~/.MacOSX/environment

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    ls -la ~/Library/LaunchAgents

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"

     

    For the three defaults commands if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.

     

    The fourth command, ls, just lists the contents of your LaunchAgents, if any.  That's additional info to be used in conjunction with the last grep command.  If the grep displays any results then that too may indicate infection and again post its results.

     

    For removal, the current instructions are specified at F-Secure's Trojan-Downloader:OSX/Flashback.K.
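Added here as an example and not code from the thread: the five checks in the post above wrapped in shell functions, plus a constructed sample LaunchAgents directory (made-up plist names and paths, with /Users/alice as the home directory) so the scan can be tried on a clean machine. The defaults checks are skipped where the defaults tool is absent.

```sh
#!/bin/sh
# Added example, not from the thread: the five checks above as functions,
# plus a constructed LaunchAgents directory so the scan can be tried on a
# machine that is not infected. All sample paths and plist names are made up.

# The three "defaults read" checks. "does not exist" is the clean result;
# anything readable is reported so it can be posted for review.
check_defaults() {                      # $1 = domain or plist, $2 = key (optional)
    if ! command -v defaults >/dev/null 2>&1; then
        echo "skip  $1 $2 (defaults is macOS only)"; return 0
    fi
    if defaults read "$1" ${2:+"$2"} >/dev/null 2>&1; then
        echo "FOUND $1 $2 is set; review it"; return 1
    fi
    echo "clean $1 $2 does not exist"
}

# Portable form of the grep pair: lines in $1/* naming a hidden path directly
# under home directory $2, minus the ~/.Trash references that uninstallers
# such as CleanMyMac legitimately leave in their agents.
scan_launch_agents() {
    [ -d "$1" ] || return 0
    grep -H "$2/\.[^/]*" "$1"/* 2>/dev/null | grep -v "$2/\.Trash" || true
}

# Constructed sample LaunchAgents directory (prints its path).
make_sample_agents() {
    d=$(mktemp -d)
    printf '<string>/Users/alice/Library/Application Support/x</string>\n' \
        > "$d/com.example.clean.plist"          # no hidden path: ignored
    printf '<string>/Users/alice/.Trash</string>\n' \
        > "$d/com.example.cleaner.plist"        # ~/.Trash only: filtered out
    printf '<string>/Users/alice/.hidden_loader</string>\n' \
        > "$d/com.example.suspect.plist"        # hidden file: reported
    echo "$d"
}

# Run every check for the current user, returning non-zero if anything is found.
flashback_check() {
    rc=0
    check_defaults "$HOME/.MacOSX/environment" || rc=1
    check_defaults /Applications/Safari.app/Contents/Info LSEnvironment || rc=1
    check_defaults /Applications/Firefox.app/Contents/Info LSEnvironment || rc=1
    ls -la "$HOME/Library/LaunchAgents" 2>/dev/null || true
    hits=$(scan_launch_agents "$HOME/Library/LaunchAgents" "/Users/${USER:-$(id -un)}")
    [ -z "$hits" ] || { echo "FOUND agents referencing hidden files:"; echo "$hits"; rc=1; }
    return $rc
}
```

Source the file and call flashback_check for the real check, or scan_launch_agents "$(make_sample_agents)" /Users/alice to see only the suspect plist reported.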

  • sicjoy
    Apr 9, 2012 6:57 PM (in response to X423424X)

    X4, thanks for continuing to post and provide help.

     

    Is this anything to be concerned about?

     

    "my"-MacBook:~ "name"$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v

    Usage: grep [OPTION]... PATTERN [FILE]...

    Try `grep --help' for more information.

    "my"-MacBook:~ "name"$

     

    Where "my" and "name" are in the code is my computer's name.

     

    Thanks.

     

    S

  • X423424X Level 6 (14,190 points)
    Apr 9, 2012 7:10 PM (in response to sicjoy)

    Is this anything to be concerned about?

     

    "my"-MacBook:~ "name"$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v

    Usage: grep [OPTION]... PATTERN [FILE]...

    Try `grep --help' for more information.

    "my"-MacBook:~ "name"$

     

    It looks like you didn't copy the entire command line. Hence the usage error.

     

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"

     

    You show above nothing after the -v.  Each command is one line. It's this forum software that's wrapping the lines to fit in the allotted width.  For example, triple click the above grep and you should see the entire line selected even if it is wrapped.

     

     

    Where "my" and "name" are in the code is my computer's name.


    That's defined by your Sharing system preferences.  If you change it there I don't think you will see that reflected in the current terminal prompt until you create a new terminal window.

  • sicjoy Level 1 (0 points)
    Apr 9, 2012 7:13 PM (in response to X423424X)

    OK thanks. Please excuse me, as I am not trying to be difficult, but want to learn and make sure I am doing this right.

     

    Am I correct in that I am running the entire: grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash" in Terminal? Not just: grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v?

     

    I ran the entire command (grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash") and got nothing back except my MacBook name and administrator name. Am I good?

     

    Thanks again.

    S

  • X423424X Level 6 (14,190 points)
    Apr 9, 2012 7:46 PM (in response to sicjoy)

    Looks ok.

  • sicjoy Level 1 (0 points)
    Apr 9, 2012 7:49 PM (in response to X423424X)

    Thanks X4, wish I could give you points...you deserve 'em.

  • X423424X Level 6 (14,190 points)
    Apr 9, 2012 7:57 PM (in response to sicjoy)

    You're welcome.

  • WZZZ Level 6 (11,880 points)
    Apr 9, 2012 8:02 PM (in response to X423424X)

    I couldn't understand why the CleanMyMac LaunchAgent contains /Users/USERNAME/.Trash. Thanks, I have no grep with any of that. (Sorry, I can never pass up a bad pun.)

  • X423424X Level 6 (14,190 points)
    Apr 9, 2012 8:44 PM (in response to WZZZ)

    CleanMyMac is one of those crazy apps that tries to be all things for all people, a cross between a tool like OnyX and so-called uninstaller tools like AppCleaner, AppZapper, etc.  Since it can uninstall stuff and clean stuff up then presumably it needs to delete the stuff it finds.  I suppose it is tossing the stuff in the trash as opposed to directly deleting it.  So that may be the reason for the references to ~/.Trash in the launch agent.  Why a launch agent?  Not sure.  Unless there is a reason for it I would think the app could have just as easily used a login item.

  • Dennis Langlois
    Apr 10, 2012 4:29 AM (in response to X423424X)

    Thank you X4, you are great. Ran all the commands in Terminal and everything looks good.

    Thank You again

    Dennis

  • jayakrishna
    Apr 10, 2012 7:01 PM (in response to Donald2001)

    Hi Friends,

     

    This has been addressed by Apple in the recent update released on April 6th.

     

    http://news.cnet.com/8301-27076_3-57410050-248/mac-flashback-malware-what-it-is-and-how-to-get-rid-of-it-faq/?tag=rb_content;main

     

    Follow the links to see whether your system got attacked by malware.

     

    1) http://public.dev.drweb.com/april/

    2) http://news.drweb.com/show/?i=2341&lng=en&c=14

     

    Apply the below update from Apple:

     

    http://support.apple.com/kb/HT5228

     

    Or simply run Software Update.

  • nmed
    Apr 11, 2012 2:37 PM (in response to X423424X)

    X4, these are my launch agents:

     

     

    drwxr-xr-x   6 myname  staff   204 30 Dec 17:51 .

    drwx------+ 40 myname staff  1360  1 Feb 18:56 ..

    -rw-r--r--   1 myname  staff   572 19 Feb  2011 com.apple.FTMonitor.plist

    -rw-r--r--   1 myname  staff   411 19 Feb  2011 com.apple.imagent.plist

    -rw-r--r--   1 myname staff   447 19 Feb  2011 com.apple.marcoagent.plist

    -rw-r--r--   1 myname  staff   805 30 Dec 17:51 com.google.keystone.agent.plist

     

    My grep line returns nothing.

     

    What do you think?

     

    Thanks very much!

  • X423424X Level 6 (14,190 points)
    Apr 11, 2012 6:30 PM (in response to nmed)

    My grep line returns nothing.

     

    What do you think?

     

    If the grep shows nothing it looks like you don't have that particular strain.  But you should also run the other commands for a quick check of the other strains (i.e., the defaults commands).

  • nmed Level 1 (0 points)
    Apr 11, 2012 11:30 PM (in response to X423424X)

    I'd already done the first three commands, they were clear.

     

    Thanks again.
