12 Replies Latest reply: Oct 10, 2012 11:26 AM by dmdimon
ABuck Level 1 (0 points)

First off, I am a new Mac user, so bear with me. I opened Disk Utility and noticed that a seemingly strange file was showing up. Underneath the name of my hard drive and SuperDrive is "decryptedFile.dmg" and underneath that on a sub-level is "Flash Player." I researched online and found that "decryptedFile.dmg" is a sign of the Flashback trojan, but I've also read that it is a harmless 'leftover' from installing Flash Player. I bought my iMac in July of this year. Can someone please calm my nerves and confirm what this file is and does? Here is a screenshot:



iMac
  • 1. Re: What is decryptedFile.dmg?
    BDAqua Level 10 (116,480 points)

    Hi ABuck, and a warm welcome to the forums & Macdom!

    Your pic doesn't show; dragging & dropping on this forum looks like it works until you submit. You have to use the Camera icon in a reply to actually upload it.

    Some info on that Trojan...

    Disable Java in your Browser settings, not JavaScript.

    http://support.apple.com/kb/HT5241?viewlocale=en_US

    http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064

    http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets

    Flashback - Detect and remove the uprising Mac OS X Trojan...

    http://www.mac-and-i.net/2012/04/flashback-detect-and-remove-uprising.html

    In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:

    /Library/Little Snitch
    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    /Applications/VirusBarrier X6.app
    /Applications/iAntiVirus/iAntiVirus.app
    /Applications/avast!.app
    /Applications/ClamXav.app
    /Applications/HTTPScoop.app
    /Applications/Packet Peeper.app

    If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.

    http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/

    http://x704.net/bbs/viewtopic.php?f=8&t=5844&p=70660#p70660

    The most current Flashback removal instructions are F-Secure's Trojan-Downloader:OSX/Flashback.K.

    https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site

    More bad news...

    https://www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link

    Crisis OS X Trojan is an effective spy tool…

    http://www.net-security.org/malware_news.php?id=2200

    Removal for 10.5...

    http://support.apple.com/kb/DL1534

    Check now whether your Mac is infected by Backdoor.Flashback.39!

    http://public.dev.drweb.com/april/

  • 2. Re: What is decryptedFile.dmg?
    MadMacs0 Level 4 (3,735 points)

    You haven't filled out your profile yet, so I don't know a lot about your setup. Since you are posting to the iMac (Intel) forum, I know that much, but which OS X are you running? It makes a big difference in how we approach this.

    ABuck wrote:

    First off, I am a new Mac user, so bear with me. I opened Disk Utility and noticed that a seemingly strange file was showing up. Underneath the name of my hard drive and SuperDrive is "decryptedFile.dmg" and underneath that on a sub-level is "Flash Player." I researched online and found that "decryptedFile.dmg" is a sign of the Flashback trojan, but I've also read that it is a harmless 'leftover' from installing Flash Player.

    Not necessarily. If it's actually still on your hard drive then it is capable of installing/reinstalling one of the older variants of Flashback. It should have been downloaded to a temp area which is normally emptied of everything on reboot, but it sounds to me like something may have gone wrong with that.

    Disk Utility has a habit of remembering files that it has mounted in the past and displaying them in an unmounted state. If you highlight the .dmg it should tell you next to "Write Status:" if it's not mounted. Since you say you see "Flash Player" underneath, it sounds like it's mounted and the Trojan is ready for installation.

    I bought my iMac in July of this year.

    New or used? As far as I know that variant of Flashback has not been seen in the wild since late last year. If you bought it used there is no telling what is there, and you should quickly back up any user files you have, erase the drive and install the OS from the original disks.

    Past my bed time, so I'll have to pick this back up in the AM.

  • 3. Re: What is decryptedFile.dmg?
    ABuck Level 1 (0 points)

    I bought the computer new from the Apple Online Store. At that time, the operating system was Lion, but I did upgrade to Mountain Lion. It's worth noting that since posting my question, I ran the Flashback detection tool from F-Secure and a tool from http://mashable.com/2012/04/05/mac-flashback-trojan-check/. Both came up clean. I restarted my computer only to find that the "decryptedFile.dmg" and "Flash Player" had disappeared.

  • 4. Re: What is decryptedFile.dmg?
    janetfrommountainview Level 1 (0 points)

    Disregard

  • 5. Re: What is decryptedFile.dmg?
    MadMacs0 Level 4 (3,735 points)

    ABuck wrote:

    since posting my question, I ran the Flashback detection tool from F-Secure and a tool from http://mashable.com/2012/04/05/mac-flashback-trojan-check/. Both came up clean.

    That's good news, as it means the Flashback Trojan was not installed. I know for a fact that the F-Secure tool does not check for the presence of the Flashback download/installer and I'm currently looking into the mashable script to see if it does. The reason for that is, as I said before, that file is normally destroyed during the installation process or upon reboot and, as you said, is technically not a threat in and of itself.

    I recommend you download Find Any File and search for "decryptedFile.dmg" (hold the option key down when clicking the "Find" button and supply your admin password to search everywhere on your hard drive). If you find it, come back here and I'll make arrangements to have it tested.

    I restarted my computer only to find that the "decryptedFile.dmg" and "Flash Player" had disappeared.

    Restarting may well have erased it if it was, in fact, a temp file. Could be something new, but I did think of another possibility.

    Effective with the latest versions of Flash, users have the option of allowing Flash Player to update itself in the background. That is done by selecting that option in the Flash pane of System Preferences. If you have done that then it's possible you happened to observe that process when you opened Disk Utility. I find it hard to believe that Adobe would have picked that name for the .dmg file given its history, but currently have no way of checking it out.

    I finished evaluating those two mashable scripts and they only check for a few variants of Flashback with the following terminal commands:

    do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"

    do shell script "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"

    Not enough to find the file you saw.
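The two `defaults read` checks quoted in the reply above, turned into one runnable function, as an added example that is not code from this thread or from the mashable scripts MadMacs0 evaluated. It takes the plist paths as arguments (so it can be run against a live Mac or a copied set of files), assumes the plists are in XML form (`defaults read` on a Mac also decodes binary plists; convert with `plutil -convert xml1` first if needed), and adds the check the post says those two commands never do: a sweep for the decryptedFile.dmg image itself. Any file paths beyond the ones named in the thread are illustrative.

```shell
#!/bin/sh
# Added example, not code from this thread or from the mashable scripts it
# quotes. It wraps the two `defaults read` checks listed above in one portable
# function and adds the check neither of them performs: a sweep for the
# decryptedFile.dmg image the original poster saw. Plist paths are passed in
# so the same function runs against a live Mac or a copied evidence set.

# Return 0 if XML plist $1 contains key $2. `defaults read` on a Mac also
# decodes binary plists; grep on the XML form is used so the check runs on
# any system (convert with `plutil -convert xml1` first if a plist is binary).
plist_has_key() {
    [ -f "$1" ] && grep -q "<key>$2</key>" "$1"
}

# Print one INDICATOR line per finding and return the number of findings
# (0 = none of these indicators present; that is not proof of a clean system).
#   $1 = Safari's Info.plist   $2 = the user's ~/.MacOSX/environment.plist
#   $3 = directory tree to sweep for the dropper image
flashback_check() {
    safari_plist=$1; env_plist=$2; sweep_root=$3; found=0

    # Check 1 (first mashable command): Safari ships without an LSEnvironment
    # dictionary, so its presence means something edited the bundle.
    if plist_has_key "$safari_plist" LSEnvironment; then
        echo "INDICATOR: LSEnvironment present in $safari_plist"
        found=$((found + 1))
    fi

    # Check 2 (second mashable command): a per-user DYLD_INSERT_LIBRARIES
    # entry loads a library into every application that user launches.
    if plist_has_key "$env_plist" DYLD_INSERT_LIBRARIES; then
        echo "INDICATOR: DYLD_INSERT_LIBRARIES set in $env_plist"
        found=$((found + 1))
    fi

    # Check 3 (the question this thread is about): is the installer image
    # still on disk? It normally sits in a temp area and is gone after a
    # reboot, which is why the two commands above never look for it.
    if [ -d "$sweep_root" ]; then
        hits=$(find "$sweep_root" -name decryptedFile.dmg 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's/^/INDICATOR: installer image still on disk: /'
            found=$((found + $(printf '%s\n' "$hits" | wc -l)))
        fi
    fi
    return "$found"
}

# On a real Mac (pass / as the third argument to search everywhere, as Find
# Any File does with the option key held; it is slow):
#   flashback_check /Applications/Safari.app/Contents/Info.plist \
#       "$HOME/.MacOSX/environment.plist" /
```

The return value is the indicator count, so `flashback_check ... || echo "indicators: $?"` gives a one-line summary in a script; a zero only means these three artifacts are absent, which is exactly the limitation the reply above points out for the original two commands.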

  • 6. Re: What is decryptedFile.dmg?
    ABuck Level 1 (0 points)

    Considering that I purchased my new iMac in July of this year and that the Flashback Trojan was widely made public in April, don't you think that my computer should have had the latest security updates that fixed the vulnerability associated with the Flashback Trojan? After reading other support threads, I'm leaning towards the file simply being tied to the Adobe Flash Player Updater and not the trojan. I'm just paranoid when it comes to not knowing what's on my computer.

  • 7. Re: What is decryptedFile.dmg?
    MadMacs0 Level 4 (3,735 points)

    ABuck wrote:

    Considering that I purchased my new iMac in July of this year and that the Flashback Trojan was widely made public in April, don't you think that my computer should have had the latest security updates that fixed the vulnerability associated with the Flashback Trojan?

    As I mentioned before, the use of the "decryptedFile.dmg" was well known in October of 2011 and wasn't even part of the Java installer in April.

    I'm thoroughly familiar with all the signatures in use by Apple's XProtect system and don't believe that any of them protect against that particular file, although I would have to obtain a sample of it to be certain.

    Again, I'm primarily concerned that this could be something new.

    After reading other support threads, I'm leaning towards the file simply being tied to the Adobe Flash Player Updater and not the trojan. I'm just paranoid when it comes to not knowing what's on my computer.

    And to some extent, you should be. I have to admit at this point I would be.

  • 8. Re: What is decryptedFile.dmg?
    ABuck Level 1 (0 points)

    I don't know if this is particularly relevant, but I found a screenshot that matches what I saw prior to the restart:

    DiskUtility.jpg

    This user had the same problem: https://discussions.apple.com/message/19016138#19016138

  • 9. Re: What is decryptedFile.dmg?
    MadMacs0 Level 4 (3,735 points)

    I see that Adobe updated Flash Player to v11.3.300.269 on or about Aug 2nd, so the timing would be right for an update.

    Do you have auto updates enabled?

    Another thing you can do is inspect the install log to see what files were installed where and when.

    Launch the Console app by typing Command-Space to bring up the Spotlight search box and typing the first few letters of "console", then hit return when it shows up.

    Under "LOG FILES" (make sure the disclosure triangles point down) and "/var/log", look for "install.log". In the "String Matching" box type "flash" without quotes. If you don't find it there, look in one of the older "install.log.n.bz2" files, where n is 0-5.
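The Console search described above, done from the shell, as an added example that is not code from the thread. It assumes the layout the reply names (install.log plus rotated install.log.N.bz2 files under /var/log) and also reads `.gz` rotations, which newer systems use (an assumption beyond the thread). Doing it this way covers the current log and every rotated copy in one pass and leaves output that can be saved alongside the other evidence.

```shell
#!/bin/sh
# Added example, not from the thread: the install.log search MadMacs0 walks
# through in Console, done from the shell so it also covers the rotated
# install.log.N.bz2 files in one pass and the result can be saved as evidence.

# Print every line of $1/install.log and its rotated copies that matches
# pattern $2 (case-insensitive), prefixed with the file it came from.
# Returns 0 if at least one line matched, 1 otherwise.
search_install_log() {
    logdir=$1; pattern=$2; total=0
    for f in "$logdir"/install.log "$logdir"/install.log.*.bz2 "$logdir"/install.log.*.gz; do
        [ -f "$f" ] || continue            # an unmatched glob stays literal; skip it
        case $f in
            *.bz2) reader=bzcat ;;         # the rotation format named in the thread
            *.gz)  reader=zcat  ;;         # newer macOS rotates to .gz (assumption)
            *)     reader=cat   ;;
        esac
        # Count first so a file with no matches prints nothing at all.
        n=$("$reader" "$f" 2>/dev/null | grep -ic -- "$pattern") || true
        if [ "${n:-0}" -gt 0 ]; then
            "$reader" "$f" 2>/dev/null | grep -i -- "$pattern" | sed "s|^|$(basename "$f"): |"
            total=$((total + n))
        fi
    done
    [ "$total" -gt 0 ]
}

# On a real Mac, looking for the Flash Player update the thread dates to
# early August 2012:
#   search_install_log /var/log flash
```

Each hit is prefixed with the file it came from, so a match in install.log.3.bz2 can be placed in time relative to the current log without opening the archives by hand.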

  • 10. Re: What is decryptedFile.dmg?
    dmdimon Level 3 (840 points)

    It is a virus. Flashback, to be exact. Hope all of you are still reading this.

    This is a new Trojan Horse called Flashback. Last night my computer was acting up so I ran Disk First Aid, only to find that there was a strange mounted item that I did not have mounted - decryptedFile.dmg with the Adobe Flash Player installer. This is not really the Adobe Flash Player Installer but a cleverly disguised virus.

    http://www.toolfarm.com/blog/entry/mac_users_beware_flashback_osx_trojan_600000_macs_are_infected

    Free Removal Tool

    http://www.f-secure.com/weblog/archives/00002346.html

  • 11. Re: What is decryptedFile.dmg?
    MadMacs0 Level 4 (3,735 points)

    dmdimon wrote:

    It is a virus. Flashback, to be exact. Hope all of you are still reading this.

    No! As the article clearly states, it's a Trojan. Note that the article you cite was written back in April and was true at the time. This incident happened in August, long after the Flashback site had shut down.

  • 12. Re: What is decryptedFile.dmg?
    dmdimon Level 3 (840 points)

    https://discussions.apple.com/message/19969738#19969738

    the Flashback site had shut down.

    Really?

    http://www.macnn.com/articles/12/04/10/company.not.communicating.with.security.firms/

    shutting down a single domain is useless, since there are "dozens" of domains currently running the botnet