Apple Intelligence is now available on iPhone, iPad, and Mac!

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

ursnif infection

Good morning everyone,

I'm writing here because this morning I've accidentally opened an attachment from an e-mail that I have discovered is the Ursniff trojan. Can you calm me please ? Is it a windows trojan only ? Is there the possibility I infected my iMac? Let me know please. Sorry for my bad english and thank you.

iMac 27" 5K, macOS 10.14

Posted on May 16, 2019 1:22 PM

Reply
Question marked as Top-ranking reply

Posted on May 16, 2019 5:38 PM

Ok. Done. Thank you very much for your instructions. I deleted the file Normal.dotm and after emptied the trash I relaunched word again. Now, there is a new normal.dotm created into the previous destination. Fortunately I didn't create any other word documents. Now, Do you think there could be other risks? I could reset the hard drive if necessary. Or maybe I'm just too paranoic :) I just want to be sure to be safe. I always use my iMac also to do bank operations...

7 replies
Question marked as Top-ranking reply

May 16, 2019 5:38 PM in response to Kurt Lang

Ok. Done. Thank you very much for your instructions. I deleted the file Normal.dotm and after emptied the trash I relaunched word again. Now, there is a new normal.dotm created into the previous destination. Fortunately I didn't create any other word documents. Now, Do you think there could be other risks? I could reset the hard drive if necessary. Or maybe I'm just too paranoic :) I just want to be sure to be safe. I always use my iMac also to do bank operations...

May 16, 2019 2:29 PM in response to pandrid

Okay, you didn't say before what it was you got the file as. I assumed a typical Windows attachment such as an .exe or other item that works only with Windows.


An Office macro is pretty much the only Windows malware that can infect a Mac, so to speak. And it still can't unless you allow the macro to run after Word or Excel warns you the document has one. Unfortunately, you did.


The good news is the infection still can't do anything to a Mac. The bad news is any macro that's run becomes part of the Normal.dotm template. What happens then is every single Word document you save after that will now include this Windows macro virus.


Back to the good news, it's easy to get rid of. Close Word. Assuming you're running Office 2016 or newer, go to this folder in your user account:


/Users/your_account/Library/Group Containers/UBF8T346G9.Office/User Content/Templates/


Delete the file, Normal.dotm .


Launch Word. It will be forced to create a new default template and the macro virus will be gone. Unless, that is, you open any Word document you've created since infecting the previous template and once again allow the embedded macro to run (don't do that).


If you have created any infected documents, open a new blank document. Open the infected document and do not allow the macro to run. Copy/paste the document content into the blank document. Close and delete the infected file. Save the new file as the previous name. Repeat until all Word documents you many have created that include the macro have been replaced with clean versions.

ursnif infection

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.