After researching on Google, my friend and I have determined that I have the Tencent QQ trojan. I'm not surprised that its a QQ trojan because I use QQ (an instant messenger service in China). Apparently, the company openly recognizes that they put malware on your computer, but I never investigated it, never knew it, and assumed it could never happen on a Mac. My situation now is that I have this trojan (which exists on a Mac, according to several pages I found on Google) and I don't know what to do. Right now, I'm running ClamXAv to see what it finds. MacScan found nothing. Any help would be appreciated. Thanks.
Experts at SophosLabsâ„¢, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of the first virus for the Apple Mac OS X platform. The virus, named OSX/Leap-A (also known as OSX/Oompa-A) spreads via instant messaging systems.
The OSX/Leap-A worm spreads via the iChat instant messaging system, forwarding itself as a file called latestpics.tgz to contacts on the infected users' buddy list. When the latestpics.tgz archive file is opened on a computer it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.
Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but Leap-A will leave them shellshocked.
The worm uses the text "oompa" as an infection marker in the resource forks of infected programs to prevent it from reinfecting the same files.
"Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but Leap-A will leave them shellshocked, as it shows that the malware threat on Mac OS X is real," said Graham Cluley, senior technology consultant for Sophos. "Mac users shouldn't think it's okay to lie back and not worry about viruses."
Sophos customers have been automatically protected against the worm since 12:25 GMT, 16 February 2006.
"This is the first real virus for the Mac OS X platform," continued Cluley. "Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows."
Sophos advises all computer users, whether running PCs or Macs, to practise safe computing and keep their anti-virus software updated.
Is Leap-A a virus or a Trojan?
Some members of the Apple Macintosh community have claimed that OSX/Leap-A is a Trojan horse, and not a virus or worm, because it requires user interaction (the user has to receive a file via iChat, and manually choose to open and run the file contained inside).
However, this is not the definition of a Trojan horse.
A Trojan horse is a seemingly legitimate computer program that has been intentionally designed to disrupt and damage computer activity. Importantly, Trojan horses do not replicate or have any mechanism of spreading themselves. They have to be deliberately planted on a website, or accidentally shared with another user, or spammed out to email addresses. There is nothing inside a Trojan's code to distribute themselves further to other victims.
Trojan horses do not contain any code to distribute or spread themselves, viruses and worms do.
OSX/Leap-A is programmed to use the iChat instant messaging system to spread itself to other users. As such, it is comparable to an email or instant messaging worm on the Windows platform. Worms are a sub category of the group of malware known as viruses.
Therefore, it is correct to call OSX/Leap-A a virus or a worm. It is not correct to call OSX/Leap-A a Trojan horse.
This is one of many. All the users out their that assume they will remain safe are in denial. More harmful material is being aimed at Mac daily.
I use no AV ware, and I consider myself safe, I just thought I'd offer good reading.
This is not my situation. This was not passed THROUGH the messengering system, but was downloaded WITH the system. This IS a trojan. I googled it and found several pages about it, but no one gives any removal solutions.
Can you reference any of the pages you found on Google? I mean English speaking pages. I didn't find one mention of any virus or Trojan with QQ in the name that has ever been authenticated by anyone to run on any version of Mac OSX.
Really? A Mac trojan that has so far eluded all the of the security web sites that love to announce the latest trojan for the Mac, only to find that the file they are talking about is a program than must be downloaded, installed, and authenticated with a password... Let's see, 250 million QQ users - in a environment built for Trojans, but no mention of a Mac Trojan from Symantec, Sophos, McAfee, Grisoft.
I know. It must speak Chinese Unix! That would sure confuse me.
Haha. Thank you for your reply. It was my friend who found those pages so I don't have them to reference, but will have her send them to me when she gets off work. She's very Mac savvy and was shocked with what she saw. The page could very well have not been in English-- we are both Chinese speakers-- so I don't know what she saw. I am just confused right now as to what to do. This is just really surprising.
smithrj wrote:
Experts at SophosLabsâ„¢, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of the first virus for the Apple Mac OS X platform. The virus, named OSX/Leap-A (also known as OSX/Oompa-A) spreads via instant messaging systems.
etc
etc
etc
Ray,
If you are going to quote, verbatim, an article then at least provide a link to the original. Else people will think you were the originator of the above; which, of course, you are not. Here's the original article:
Hackers using a new scam continue to subvert hundreds of thousands of Web pages with IFrame redirects that send unwary users to malware-spewing sites, researchers said today.
+Password-stealing hackers infect thousands of Web pages+
Hackers looking to steal passwords used in popular online games have infected more than 10,000 Web pages in recent days.
The Web attack, which appears to be a coordinated effort run out of servers in China...
There were problems around Dec/Jan where normal site's had SQL infections, that lived on in Google's caches, and ad-servers, serving up phony alerts and malware.
Oh, and the Firefox extension "flashgot" was infected and able to affect a number of users temporarily - users add the extension to their 'safe list' assuming it is a normal update.
None that compromise OS X, but seeing these things happen, like popup telling you "your system appears to be infected, click here for a scan" were showing up briefly.
The last article definitely sounds related to my problem. I believe my problem came in through QQ messenger, which I would put in the same category as a game and is definitely run off of a Chinese server. Knowing this, is there any recommendations anyone would have?
New development. I was googling around some more and found information on iAdware. This could be what I'm suffering from. It says iAdware is a trojan that is aimed at Macs and it stores the info in your Library. The articles were older, but still seem applicable. Does anyone know anything about iAdware and what I can do if that's my problem?
YOu could see if ClamXav sees anything, or the demo of Intego VirusBarrier X5.
There is an adware / malware that does have an OS X payload/package that tries to first download (you have to click on) and then it tries, like many, to pull in its real payload.
Thanks for your help, but I've tried all those with no avail before! I really am at a total loss, and thank you again everyone for your advice and suggestions.
Here's a description of the Tencent QQ Trojan. If you look through some of the code, you'll see it's a Windows only Trojan. So even if it is on your Mac, it can't do anything. Symantec's site also catalogues it as a Windows only Trojan since it only affects ActiveX modules in Internet Explorer.
Though if you are of course running Windows on your Mac in some way, then you can get infected in the Windows environment.
This document discusses the technologies used in malware. These include viruses, Trojans and worms. The specific intention is to bring forth detailed discussion on how this affects the Apple Mac OS X platform. The document outlines a potential framework for a Mac OS X malware suite. The document closes with recommendations on what Apple Inc, and users of Mac OS X can do to defend against such technology.
This paper was created to outline the results of research performed by the MacForensicsLab.com research and development team. These results are presented to the public in order to raise awareness of the situation and to prompt the relevant responsible parties to address the issues outlined within.
The MacForensicsLab.com staff and SubRosaSoft.com Inc consider it important to bring such discussions out into the public and welcomes all opportunities to discuss the paper on info@subrosasoft.com.
This document is also available in a 50 MB academic white paper format as a PDF file
MacSweeper is malware that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland based computer security software company on January 17, 2008
😟 So I reinstalled the OS on my computer-- completely reimaged, lost everything. Problem is, the trojan is STILL HERE! What the **** is wrong? What do I do now?
Did you do an upgrade or clean install?
If I was that worried I would boot from the install disc one night and run disc utility form there. Select the option to erase the HD, (using zero out or 7 Pass), and then in the morning when its complete. Reinstall the MacOS.
