TENCENT QQ Trojan on Mac

Hi,

After researching on Google, my friend and I have determined that I have the Tencent QQ trojan. I'm not surprised that it's a QQ trojan because I use QQ (an instant messenger service in China). Apparently, the company openly recognizes that they put malware on your computer, but I never investigated it, never knew it, and assumed it could never happen on a Mac. My situation now is that I have this trojan (which exists on a Mac, according to several pages I found on Google) and I don't know what to do. Right now, I'm running ClamXAv to see what it finds. MacScan found nothing. Any help would be appreciated. Thanks.

MacBook Pro, Mac OS X (10.5.2)

Posted on Mar 16, 2008 9:41 PM

38 replies

Mar 18, 2008 7:20 AM in response to gumsie

I did not do a clean install. I followed your advice by zeroing my hard drive. Now things seem to be fine. It is an unfortunate result for a trojan since I lost just about everything except documents and music which I had backed up, but I guess I can look at it as I'm starting fresh with a new computer. If anyone finds any other information about this trojan, please post. I'm the only one who got it for the Mac, but the trojan is on almost all of our study abroad students' PCs.

Mar 18, 2008 7:41 AM in response to BillA1016

If you zeroed the drive, that was a clean install. If the trojan is still there then it suggests that you carried it over from a file of some sort that you had on the old system. Maybe you copied your photos and it was embedded in one of those or something? The chances of it being on the install DVD are as good as zero.
I don't see how else it would get there.
If you ever do it again, do not set up the internet connection until you have tested your system and carried out a good search. If it's there BEFORE you've connected to the net then you can ignore that issue.

Mar 18, 2008 7:45 AM in response to gumsie

It only happens online though. It embeds itself into the site. I brought over VERY VERY little, and inspected it carefully. Literally a handful of documents, and then I used SENUTI for my music, so I didn't actually bring the files over. The only suspicious thing was that there was a document in my documents that did not look familiar. It was HTML and brought me to a screensaver download site. Could this have something to do with it?

Mar 18, 2008 7:48 AM in response to BillA1016

It has attached itself to your boot blocks (you have to alter the partition table options to MBR, apply, then change to GUID and apply); or, it has invaded the EFI or Open Firmware ROM 🙂

I'm kidding, I hope you realize. But there was an instance where the US Dept of Commerce felt that their systems had been compromised and the motherboard and system were felt to be beyond repair. When delegates visit overseas, they destroy their electronic devices before they leave.

Mar 18, 2008 7:54 AM in response to gumsie

Senuti is the reverse of iTunes (hence the name, iTunes backwards). It ***** the music off your iPod and puts them in iTunes. I mention this to affirm that it did not come with my music. I haven't updated my iPod in a while and it was well before this problem started. Also, my last document back-up was before the problem started.

Mar 18, 2008 7:58 AM in response to BillA1016

Every single Google reference I can find indicates that Tencent QQ is Windows Malware. I can find nothing Mac related at all.

Which leads me to ask... in your original post you say: "my friend and I have determined that I have the Tencent QQ trojan".

How did you determine this? What are the exact symptoms?

You say in your most recent message that you still have the trojan, so I would repeat the questions - How did you determine this? What are the exact symptoms?

My belief is that your diagnosis is wrong (unless you are running Windows under BootCamp etc.).

By telling us what is wrong with the machine, someone may be able to provide an alternative diagnosis/fix.

Mar 18, 2008 8:07 AM in response to Chris Noble

Sorry for being vague. The exact symptoms are: the machine was running fine until one day I started receiving QQ ads. They are very invasive and could pop up on any website. If they do embed themselves, the website usually stops functioning and you have to quit Safari and start again. As of before my re-install, this was happening on all 3 of my browsers (Safari, Firefox, Camino). Sometimes, sites that I know exist do not load. I need to go back to the site before it, empty the cache, and try again. This usually works.

Another detail that may be useful. Our dorm network (in China) on Thursday began having major problems. Our internet connection became unstable and is still not fixed. Everyone that I've talked to (but all PC users) complained about the start of this problem all on Thursday or Friday. We've been promised by the school that within a week, the network will be fixed and is having major problems right now. Could this be a network issue and something that will go away when the network is fixed? I assumed it was all a coincidence, but maybe not... I only have one other Mac-using friend and he hasn't complained about anything like this yet. Maybe it's not me...

Thanks again for all your support and attention.

Mar 18, 2008 8:18 AM in response to gumsie

Thanks so much.

It's very late here in China and I need to go to bed. I will check back tomorrow. Any additional advice or information would be greatly appreciated.

Thanks so much again. I'm glad that the Mac community works so well together (especially considering the "Geniuses" would charge us an arm and a leg per call to guess, too).

Mar 18, 2008 8:26 AM in response to BillA1016

It is just possible that what you saw was the result of Google News being blocked by China:

Beijing appears to have taken a page out of Myanmar's playbook by blocking some internet access amid rioting in Tibet that has already seen as many as 80 people killed, according to the Tibetan government in exile.

China has blocked access to Google News and YouTube in an apparent attempt to stop the spread of video footage related to the rioting going on in several cities in Tibet, including the capital Lhasa. Demonstrations in the city started on 10 March, a day commemorating the anniversary of a 1959 uprising against Chinese rule after which the spiritual leader of the country, the Dalai Lama, fled to India.

http://www.macworld.co.uk/news/index.cfm?email&NewsID=20748

Mar 18, 2008 4:15 PM in response to BillA1016

Interesting stuff. You say you have a Mac-using friend who hasn't reported problems - to be clear, is he on the same dorm network?

When you re-installed, did you actually install any QQ software? It is possible that there was some malware with it, or was it a clean Apple install with no additional software?

If it is a clean install and your Mac-using friend isn't on the dorm network then my suspicion would be that this is not a problem with your machine at all, but rather a problem at the network level. I wonder if Web traffic is being intercepted at a proxy, which is then inserting the adverts.

Is everyone on the dorm network suffering the same ad-pop-up problem? Does anyone have a laptop? It would be interesting to take your machine or another machine suffering the problems to an entirely different network and see if the problems disappear.
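
The network-level hypothesis in the last reply (a proxy inserting adverts into web traffic) can be checked by saving the same page once on the suspect network and once on a different network, then comparing which scripts and frames each copy loads. The following is an added example, not part of any post in this thread; the two page bodies and the `ads.example.invalid` host are constructed sample data.

```python
import hashlib
from html.parser import HTMLParser

# Elements that can load or run content the page author did not write.
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}

class ActiveContent(HTMLParser):
    """Collect external script/frame sources and hashes of inline scripts."""
    def __init__(self):
        super().__init__()
        self.items = set()
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data")  # <object> uses data=
        if src:
            self.items.add((tag, src))
        elif tag == "script":
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.items.add(("inline-script", hashlib.sha256(body).hexdigest()[:16]))
            self._inline = None

def active_content(html):
    parser = ActiveContent()
    parser.feed(html)
    return parser.items

def injected_elements(reference_html, observed_html):
    """Active elements seen on the suspect network but absent from the reference copy."""
    return sorted(active_content(observed_html) - active_content(reference_html))

# Constructed samples: the same page saved on a trusted network and on the suspect one.
REFERENCE = """<html><head><script src="/static/site.js"></script></head>
<body><h1>News</h1><script>var page = 1;</script></body></html>"""
OBSERVED = """<html><head><script src="/static/site.js"></script></head>
<body><h1>News</h1><script>var page = 1;</script>
<iframe src="http://ads.example.invalid/popup.html"></iframe>
<script src="http://ads.example.invalid/float.js"></script></body></html>"""

if __name__ == "__main__":
    print(injected_elements(REFERENCE, OBSERVED))
```

If the same extra elements show up on several unrelated sites, on more than one machine, and disappear on another network, the modification is happening in transit rather than on the computer. Pages that rotate their own ads or scripts will differ between fetches, so a static page makes the cleanest comparison.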
