A mac virus?

Hello,

For some reason my Firefox all of a sudden runs slow and just shows "white" when I try to access some sites (istock for example). Every now and then a full screen window will pop up (e.g., http://www.epoclick.com/?ad=1287502829). Did some virus infect my Firefox?
I ran ClamXav and it didn't find anything.
I uninstalled Firefox and then reinstalled it. That epoclick stuff still pops up.

What's this epoclick junk...and how do I get rid of it? (I'm running Snow Leopard on my iMac).

I appreciate your professional help!

John

iMac 27", Mac OS X (10.6.4)

Posted on Oct 19, 2010 8:54 AM

75 replies

Nov 12, 2010 3:51 AM in response to LargeAl

There was actually a Mac Trojan Horse recently.


Two of the links you posted refer to RSPlug, a trojan that is more than three years old. Hardly recent, and already mentioned countless times on this thread. As to Boonana/Koobface, that is not remotely relevant to the problems described on this thread.

I don't want to start sounding like a broken record, so I won't post a link to my malware guide again... anyone who is actually reading the posts on this thread will have seen the link numerous times.

Moderators, can we please lock this thread? Nothing new has been said here in several weeks. Folks are just repeating the same old stuff without reading anything preceding, and usually it's wrong or irrelevant.

Nov 12, 2010 5:24 AM in response to thomas_r.

I think you're wrong on one point: there's new information about Apple's XProtect technology in Mac OS X 10.6.x (from the user "Balaam"). RSPlug is normally blocked by Mac OS X 10.6, but it seems the threat has evolved in such a way that XProtect doesn't handle it now. I'm going to send a bug report to alert the security team.

But we can consider this thread closed as the user discovered the trojan on his Mac. There's great documentation on your site to help him fight the malware.

Message was edited by: joblard

Nov 12, 2010 7:19 AM in response to joblard

there's new information about Apple's XProtect technology in Mac OS X 10.6.x (from the user "Balaam").


The user "Balaam" where? If you're going to make these sorts of statements, you need to provide a verifiable source.

RSPlug is normally blocked by Mac OS X 10.6, but it seems the threat has evolved in such a way that XProtect doesn't handle it now.


That is certainly possible, though it's not something I had heard. I'd be very curious about where you heard this.

A Google search shows that Intego claimed, over a year ago, that XProtect did not catch a couple variants of RSPlug. However, given how easy it would be for Apple to update the definitions, I would be extremely surprised if they hadn't added those definitions, unless they have reason to believe those variants are not viable for some reason. But, I find no recent mention of new RSPlug variants.

But we can consider this thread closed as the user discovered the trojan on his Mac.


Agreed. So much of this topic at this point has become re-chewing old food.

Nov 12, 2010 8:50 AM in response to joblard

User Balaam in that thread, just 7 messages before your post.

He wrote that VirusBarrier detected an RSPlug threat on a Mac with 10.6.


So then where do you get your information that RSPlug has evolved to bypass XProtect? There are many explanations for RSPlug being found on a 10.6 system. Perhaps it was there prior to upgrading to 10.6. Perhaps it was downloaded via some software that bypasses the quarantine system, such as some torrent software or an old or poorly-coded browser. Perhaps it was downloaded on an old machine - or even a Windows machine - and copied to the 10.6 machine. Perhaps the user who installed it was enough of a doofus not to pay attention to the warning. ("Everyone knows Macs don't get viruses, right, so this warning can't possibly be accurate!") Unfortunately, there are many ways that the unwary user can bypass the protection in Snow Leopard, but the only other alternative is periodic obtrusive, system-slowing scans, which are overkill for the current malware threat level.

Nov 12, 2010 12:42 PM in response to thomas_r.

Since my original post is the cause for this debate, let me mention a few things. It was not there prior to upgrading to 10.6. The user in question doesn't use torrents, although they may be guilty of not upgrading their browser when prompted. It wasn't downloaded from an old machine or a Windows box.
I haven't checked with the user (and even then, end users do one thing and say another) but it's entirely possible that the user was a doofus and clicked OK without even reading the dialog box.

Nov 12, 2010 6:37 PM in response to Whitecity

The problem is unrelated to viruses.


So you said earlier, and while correct, you are being dismissive of a very real problem. Balaam's user has a verified RSPlug infection. So you're right, it has nothing to do with viruses, it has to do with trojans. But Balaam never said anything about viruses, so I wonder why you bring it up yourself.
