38 Replies Latest reply: Mar 19, 2008 5:35 AM by BillA1016
BillA1016 Level 1 (0 points)

After researching on Google, my friend and I have determined that I have the Tencent QQ trojan. I'm not surprised that it's a QQ trojan because I use QQ (an instant messenger service in China). Apparently, the company openly recognizes that they put malware on your computer, but I never investigated it, never knew it, and assumed it could never happen on a Mac. My situation now is that I have this trojan (which exists on a Mac, according to several pages I found on Google) and I don't know what to do. Right now, I'm running ClamXAv to see what it finds. MacScan found nothing. Any help would be appreciated. Thanks.

MacBook Pro, Mac OS X (10.5.2)
  • smithrj Level 4 (1,540 points)
    Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of the first virus for the Apple Mac OS X platform. The virus, named OSX/Leap-A (also known as OSX/Oompa-A) spreads via instant messaging systems.

    The OSX/Leap-A worm spreads via the iChat instant messaging system, forwarding itself as a file called latestpics.tgz to contacts on the infected users' buddy list. When the latestpics.tgz archive file is opened on a computer it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.

    The worm uses the text "oompa" as an infection marker in the resource forks of infected programs to prevent it from reinfecting the same files.

    "Some owners of Mac computers have held the belief that Mac OS X is incapable of harboring computer viruses, but Leap-A will leave them shellshocked, as it shows that the malware threat on Mac OS X is real," said Graham Cluley, senior technology consultant for Sophos. "Mac users shouldn't think it's okay to lie back and not worry about viruses."

    Sophos customers have been automatically protected against the worm since 12:25 GMT, 16 February 2006.

    "This is the first real virus for the Mac OS X platform," continued Cluley. "Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows."

    Sophos advises all computer users, whether running PCs or Macs, to practise safe computing and keep their anti-virus software updated.

    Is Leap-A a virus or a Trojan?
    Some members of the Apple Macintosh community have claimed that OSX/Leap-A is a Trojan horse, and not a virus or worm, because it requires user interaction (the user has to receive a file via iChat, and manually choose to open and run the file contained inside).

    However, this is not the definition of a Trojan horse.

    A Trojan horse is a seemingly legitimate computer program that has been intentionally designed to disrupt and damage computer activity. Importantly, Trojan horses do not replicate or have any mechanism of spreading themselves. They have to be deliberately planted on a website, or accidentally shared with another user, or spammed out to email addresses. There is nothing inside a Trojan's code to distribute itself further to other victims.

    Trojan horses do not contain any code to distribute or spread themselves; viruses and worms do.

    OSX/Leap-A is programmed to use the iChat instant messaging system to spread itself to other users. As such, it is comparable to an email or instant messaging worm on the Windows platform. Worms are a sub category of the group of malware known as viruses.

    Therefore, it is correct to call OSX/Leap-A a virus or a worm. It is not correct to call OSX/Leap-A a Trojan horse.

    This is one of many. All the users out there that assume they will remain safe are in denial. More harmful material is being aimed at Mac daily.

    I use no AV ware, and I consider myself safe, I just thought I'd offer good reading.

  • BillA1016 Level 1 (0 points)
    This is not my situation. This was not passed THROUGH the messengering system, but was downloaded WITH the system. This IS a trojan. I googled it and found several pages about it, but no one gives any removal solutions.
  • dechamp Level 4 (3,490 points)
    Hit wrong button.

    Message was edited by: dechamp
  • dechamp Level 4 (3,490 points)
    Can you reference any of the pages you found on Google? I mean English speaking pages. I didn't find one mention of any virus or Trojan with QQ in the name that has ever been authenticated by anyone to run on any version of Mac OSX.

    Really? A Mac trojan that has so far eluded all of the security web sites that love to announce the latest trojan for the Mac, only to find that the file they are talking about is a program that must be downloaded, installed, and authenticated with a password... Let's see, 250 million QQ users - in an environment built for Trojans, but no mention of a Mac Trojan from Symantec, Sophos, McAfee, Grisoft.

    I know. It must speak Chinese Unix! That would sure confuse me.

    I'll wait for the movie with subtitles.
  • BillA1016 Level 1 (0 points)
    Haha. Thank you for your reply. It was my friend who found those pages so I don't have them to reference, but will have her send them to me when she gets off work. She's very Mac savvy and was shocked with what she saw. The page could very well have not been in English-- we are both Chinese speakers-- so I don't know what she saw. I am just confused right now as to what to do. This is just really surprising.
  • -Kryten- Level 4 (1,480 points)
    smithrj wrote:
    Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of the first virus for the Apple Mac OS X platform. The virus, named OSX/Leap-A (also known as OSX/Oompa-A) spreads via instant messaging systems.



    If you are going to quote, verbatim, an article then at least provide a link to the original. Else people will think you were the originator of the above; which, of course, you are not. Here's the original article:

  • The hatter Level 9 (60,930 points)
    TrendMicro users hit: d=9068478

    Hackers using a new scam continue to subvert hundreds of thousands of Web pages with IFrame redirects that send unwary users to malware-spewing sites, researchers said today. Name=security&articleId=906840

    +Password-stealing hackers infect thousands of Web pages+
    Hackers looking to steal passwords used in popular online games have infected more than 10,000 Web pages in recent days.
    The Web attack, which appears to be a coordinated effort run out of servers in China... Name=spam_malware_andvulnerabilities&articleId=9068219&taxonomyId=85

    There were problems around Dec/Jan where normal sites had SQL infections, that lived on in Google's caches, and ad-servers, serving up phony alerts and malware.

    Oh, and the Firefox extension "flashgot" was infected and able to affect a number of users temporarily - users add the extension to their 'safe list' assuming it is a normal update.

    None that compromise OS X, but seeing these things happen, like popup telling you "your system appears to be infected, click here for a scan" were showing up briefly.
  • BillA1016 Level 1 (0 points)
    The last article definitely sounds related to my problem. I believe my problem came in through QQ messenger, which I would put in the same category as a game and is definitely run off of a Chinese server. Knowing this, are there any recommendations anyone would have?
  • BillA1016 Level 1 (0 points)
    New development. I was googling around some more and found information on iAdware. This could be what I'm suffering from. It says iAdware is a trojan that is aimed at Macs and it stores the info in your Library. The articles were older, but still seem applicable. Does anyone know anything about iAdware and what I can do if that's my problem?
  • The hatter Level 9 (60,930 points)
    You could see if ClamXav sees anything, or the demo of Intego VirusBarrier X5.

    There is an adware / malware that does have an OS X payload/package that tries to first download (you have to click on) and then it tries, like many, to pull in its real payload.
  • BillA1016 Level 1 (0 points)
    Thanks for your help, but I've tried all those to no avail before! I really am at a total loss, and thank you again everyone for your advice and suggestions.
  • Kurt Lang Level 8 (36,645 points)
    Here's a description of the Tencent QQ Trojan. If you look through some of the code, you'll see it's a Windows only Trojan. So even if it is on your Mac, it can't do anything. Symantec's site also catalogues it as a Windows only Trojan since it only affects ActiveX modules in Internet Explorer.

    Though if you are of course running Windows on your Mac in some way, then you can get infected in the Windows environment.
  • Klaus1 Level 8 (47,745 points)
    Yes, Trojans are possible on the Mac.

    Malware On Mac OS X - Viruses, Trojans, and Worms

    This document discusses the technologies used in malware. These include viruses, Trojans and worms. The specific intention is to bring forth detailed discussion on how this affects the Apple Mac OS X platform. The document outlines a potential framework for a Mac OS X malware suite. The document closes with recommendations on what Apple Inc, and users of Mac OS X can do to defend against such technology.

    This paper was created to outline the results of research performed by the research and development team. These results are presented to the public in order to raise awareness of the situation and to prompt the relevant responsible parties to address the issues outlined within.

    The staff and Inc consider it important to bring such discussions out into the public and welcomes all opportunities to discuss the paper on

    This document is also available in a 50 MB academic white paper format as a PDF file

    Also, beware of MacSweeper:

    MacSweeper is malware that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland based computer security software company on January 17, 2008
  • BillA1016 Level 1 (0 points)
    So I reinstalled the OS on my computer-- completely reimaged, lost everything. Problem is, the trojan is STILL HERE! What the **** is wrong? What do I do now?