Trojan detected message while using Safari

While browsing the Internet tonight, I clicked on a newspaper link and received an Apple Alert that a Trojan was detected on my MacBook Pro. My iPhoto was open in a separate window. All photo counts on the albums were flashing and bright red and white. And a file kept appearing in my downloads. I added the files to the trash and secure emptied it.


How can I be sure that my MacBook is not infected with a Trojan virus?

Macbook Pro, Mac OS X (10.6.4)

Posted on May 8, 2011 5:20 PM

65 replies

May 8, 2011 5:21 PM in response to Phyllis A. King

Trojan War


If you discover a trojan program is running on your computer then look to the following information for assistance:


1. A recent discussion on the Apple Support Communities: MacDefender Trojan.

2. An excellent site devoted to Mac Malware: Macintosh Virus Guide

3. Another site for removing MacDefender, et al.: MAC Defender Rogue Anti-Virus analysis and Removal


Removing strange software can be a task. The following outlines various ways of uninstalling software:


Uninstalling Software: The Basics


Most OS X applications are completely self-contained "packages" that can be uninstalled by simply dragging the application to the Trash. Applications may create preference files that are stored in the /Home/Library/Preferences/ folder. Although they do nothing once you delete the associated application, they do take up some disk space. If you want you can look for them in the above location and delete them, too.


Some applications may install an uninstaller program that can be used to remove the application. In some cases the uninstaller may be part of the application's installer, and is invoked by clicking on a Customize button that will appear during the install process.


Some applications may install components in the /Home/Library/Application Support/ folder. You can also check there to see if the application has created a folder. You can also delete the folder that's in the Application Support folder. Again, they don't do anything but take up disk space once the application is trashed.


Some applications may install a Startup item or a Log In item. Startup items are usually installed in the /Library/StartupItems/ folder and less often in the /Home/Library/StartupItems/ folder. Log In Items are set in the Accounts preferences. Open System Preferences, click on the Accounts icon, then click on the LogIn Items tab. Locate the item in the list for the application you want to remove and click on the Delete [-] button to delete it from the list.


Some software uses startup daemons or agents that are a new feature of the OS. Look for them in /Library/LaunchAgents/ and /Library/LaunchDaemons/ or in /Home/Library/LaunchAgents/.


If an application installs any other files the best way to track them down is to do a Finder search using the application name or the developer name as the search term. Unfortunately Spotlight will not look in certain folders by default. You can modify Spotlight's behavior or use a third-party search utility, Easy Find, instead. Download Easy Find at VersionTracker or MacUpdate.


Some applications install a receipt in the /Library/Receipts/ folder, usually with the same name as the program or the developer. The item generally has a ".pkg" extension. Be sure you also delete this item as some programs use it to determine if it's already installed.


There are many utilities that can uninstall applications. Note that you must have this software installed before you install software you may need to uninstall. Uninstallers won't work if you install them after the fact. Here is a selection:


AppZapper

Automaton

Hazel

CleanApp

Yank

SuperPop

Uninstaller

Spring Cleaning


Look for them and others at VersionTracker or MacUpdate.


For more information visit The XLab FAQs and read the FAQs on removing software and dealing with spyware and malware.


After removing all the components of the software you may have to restart the computer to fully disable the software. This will be the case when removing software that has installed a daemon. After the daemon has been removed you need to restart the computer to stop the daemon. Alternatively, you can kill the daemon process using the Terminal application or Activity Monitor.
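The post above points at the places where software can make itself start automatically (the LaunchAgents and LaunchDaemons folders and the per-user login items). The script below is an added example, not code from the post or from Apple: it parses launchd plists with Python's standard plistlib, reads the 10.6-era loginwindow.plist (assumed here to keep login items in an AutoLaunchedApplicationDictionary list, each with a Path key), and flags entries whose program lives under a home folder or a temp directory, places a program running with the user's own rights could have written to. The directories, plists, labels and paths are constructed so the script runs anywhere; on a real Mac you would pass the real folders instead.

```python
"""Audit launchd persistence and login items from plist files (added example)."""
import os
import plistlib
import tempfile

# Assumption for this demo: paths under these prefixes can be written without a password.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")


def program_of(entry):
    """Return the executable a launchd plist would run (Program wins over ProgramArguments)."""
    if entry.get("Program"):
        return entry["Program"]
    args = entry.get("ProgramArguments") or []
    return args[0] if args else ""


def is_user_writable_location(path):
    """Heuristic: a program stored where the user can write needs no password to replace."""
    return path.startswith(USER_WRITABLE_PREFIXES)


def audit_launchd(dirs):
    """Parse every .plist in the given launchd folders into a list of findings."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            try:
                with open(full, "rb") as fh:
                    entry = plistlib.load(fh)
            except Exception as exc:  # unreadable or not a plist: worth a look as well
                findings.append({"file": full, "error": str(exc), "suspicious": True})
                continue
            prog = program_of(entry)
            findings.append({
                "file": full,
                "label": entry.get("Label", "?"),
                "program": prog,
                "run_at_load": bool(entry.get("RunAtLoad", False)),
                "suspicious": is_user_writable_location(prog),
            })
    return findings


def audit_login_items(loginwindow_plist):
    """Read per-user login items (10.6-era loginwindow.plist layout, assumed here)."""
    if not os.path.isfile(loginwindow_plist):
        return []
    with open(loginwindow_plist, "rb") as fh:
        data = plistlib.load(fh)
    items = data.get("AutoLaunchedApplicationDictionary", [])
    return [{"path": it.get("Path", ""),
             "hidden": bool(it.get("Hide", False)),
             "suspicious": is_user_writable_location(it.get("Path", ""))}
            for it in items]


def build_sample(root):
    """Write constructed plists under root; return (launchd dirs, loginwindow path)."""
    agents = os.path.join(root, "Library", "LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "Program": "/Library/Application Support/Example/updater",
                       "RunAtLoad": True}, fh)
    with open(os.path.join(agents, "com.example.helper.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.helper",
                       "ProgramArguments": ["/Users/phyllis/Library/.cache/helper", "-d"],
                       "RunAtLoad": True}, fh)
    lw = os.path.join(root, "loginwindow.plist")
    with open(lw, "wb") as fh:
        plistlib.dump({"AutoLaunchedApplicationDictionary": [
            {"Path": "/Applications/iTunes.app", "Hide": False},
            {"Path": "/Users/phyllis/Downloads/MacDefender.app", "Hide": True}]}, fh)
    return [agents], lw


def run_demo():
    """Build the constructed sample tree, audit it, and return the suspicious entries."""
    with tempfile.TemporaryDirectory() as root:
        dirs, lw = build_sample(root)
        hits = [f for f in audit_launchd(dirs) if f["suspicious"]]
        hits += [i for i in audit_login_items(lw) if i["suspicious"]]
    return hits


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

On a real machine, call audit_launchd with /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents, and audit_login_items with ~/Library/Preferences/loginwindow.plist. The prefix heuristic is a triage aid, not a verdict: legitimate per-user agents also live under the home folder, so read the flagged program path and label before unloading anything.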

May 8, 2011 5:33 PM in response to Phyllis A. King

Phyllis A. King wrote:


While browsing the Internet tonight, I clicked on a newspaper link and received an Apple Alert that a Trojan was detected on my MacBook Pro. My iPhoto was open in a separate window. All photo counts on the albums were flashing and bright red and white. And a file kept appearing in my downloads. I added the files to the trash and secure emptied it.


How can I be sure that my MacBook is not infected with a Trojan virus?


Wow, your iPhoto was affected too? This thing has gotten a lot worse than before.


Download the free ClamXav; it will quarantine the malware, unless this is a new breed of it. 😟



http://www.clamxav.com/



Can you give us your history so we can find this new malware and tell the ClamXav people so they can find it/write a new signature for it?


Thanks.



We think this works on Javascript, so you might want to turn that off first in your preferences.

May 8, 2011 6:16 PM in response to Phyllis A. King

There is no such Apple Alert. What you saw was likely just a Javascript pop-up. There is a harmless trojan circulating and getting everyone freaked out. There are no viruses for the Mac. If something like this happens again, just quit your web browser and then start it up again. You may have to hold down Option and Command and click the application in the Dock to force quit if the Javascript is really persistent. There is no need to securely empty your trash.

May 8, 2011 6:28 PM in response to Phyllis A. King

When I purchased my MacBook Pro I was told that there are no viruses out there to attack the Mac.


What you were told is true. There are no Mac viruses. A virus is a malicious program that spreads without any help from the computer user. As far as I know, that does not happen under Mac OS X.


You encountered a trojan, or more precisely, an attempt originating from a rogue website to get you to install a trojan. A trojan is a malicious program that spreads when the user is tricked into installing it. The installation depends on a voluntary act.


Trojans do exist for the Mac. They always have, although they've been rare until the last week or so, when a wave of attacks began.


It sounds like you did the right thing and deleted the trojan, rather than falling for the scam. I wish everyone who had that experience would do the same. If your Mac shows no more signs of unusual activity, I don't think you need to take any further action -- except for one thing. Open the Safari preferences window, click on the General tab, and uncheck the box labeled "Open safe files after downloading" if it's checked.


Naturally, you won't enter your password if prompted to do so unexpectedly, nor will you provide your credit card number in response to a warning or threat.


That said, the details you report seem quite different from what others have been seeing. It would be a service to the community if you would try to go back through your browser history to find the link to the rogue site. To do that, select "Show All History" from the History menu in Safari. The history window shows the sites you've recently visited in reverse chronological order (the most recent at the top.) If you remember any part of the name of a site, you can search for it in the window. If you do manage to find the link, please don't visit it again and don't post it here or anywhere on this site. Instead please email it to the following address:


macdefendertrojan@mailinator.net


When you've done that, kindly post a reply to this message to let me know, so I can distinguish your email from spam. If I'm able to download the trojan, I'll analyze it and post my findings publicly. Thanks.

May 8, 2011 6:47 PM in response to Phyllis A. King

Phyllis A. King wrote:


Ds, I'm not sure how to give you my browser history or even if it is safe to revisit the history, or to download the ClamXav app if it doesn't come from Apple. I'm totally freaked out now! When I purchased my MacBook Pro I was told that there are no viruses out there to attack the Mac. Now in less than 3 months I have a problem.


It's ok, we know this thing and it's not as bad as it appears. It just wants money. 🙂


You visited the page fine, it's when you clicked on a JavaScript link that the malware started, that we know.


So it's not going to hurt if you visit the site again and copy the URL, paste it in an e-mail for Linc Davis to see for himself, make sure you tell him in the e-mail what link you clicked on.


Linc Davis is a real pro, he will fire that malware at the ClamXav people and it will get an update. Here's Linc Davis's email address again.


macdefendertrojan@mailinator.net



ClamXav is safe, you're fine if you download and run it to clean your machine of anything, update the virus definitions and then File > Source List > Add to Source List and then select the name of your computer's boot drive (and any other drives and devices connected) click Open.


The drives will appear on the left panel, click them all and then click Start Scan. It's going to take a bit. 🙂


If ClamXav sees something it knows, it will tell you and you can quarantine the bad file(s) making them inactive.


If it doesn't, try the same process a few days from now, perhaps someone else will catch it and we can identify it.


http://www.clamxav.com/

May 8, 2011 6:50 PM in response to Phyllis A. King

I'm not sure [...] if it is safe to [...] download the ClamXav app if it doesn't come from Apple.


It's safe. Download it from:


http://www.clamxav.com/


Of course, I'll wager it doesn't find anything, since it sounds like you removed the trojan and did not allow the installer to run. See if the screenshots here look familiar:


http://www.reedcorner.net/news.php/?p=110


(* Disclaimer: links to my pages may give me compensation.)


If they do, check out my article on Identifying and removing MacDefender trojans.


No need to freak out over this one, it's pretty much harmless as long as you're not fooled into installing it and then further fooled into "buying" the software, thus giving your credit card number to hackers.


When I purchased my MacBook Pro I was told that there are no viruses out there to attack the Mac. Now in less than 3 months I have a problem.


As Linc points out, this is still true. Kappy gave you a link to my Macintosh Virus Guide, which will describe the difference between viruses and trojans.


If you still feel misled, keep in mind that every Mac trojan prior to April 30 was extremely rare and hard to find. On April 30, a major attack began, targeting both Windows users and, for the first time, Mac users with fake anti-virus scams. There is no way that the salesperson could have foreseen this situation as anything more than a possibility at some unknown point in the future.

May 8, 2011 8:00 PM in response to William-Boyd-Jr

William Boyd, Jr. wrote:


In addition to what the others have written, if you weren't prompted for your administrative password or if you didn't enter it, then your Mac is not infected.


Hey, William.


When Firefox and Chrome automatically update while being in a General User, without requesting an Administrative password, how exactly is that functioning?


My point is, since code can run in user space and still carry out its objective of poisoning the machine or installing in the Finder menu, or performing other user level harassment, isn't the machine technically "infected" even though it doesn't have root access?

May 8, 2011 8:10 PM in response to ds store

Firefox (at least) is installed by dragging. If you do a Finder "Get Info" of Firefox or Chrome, you'll notice in the "Sharing & Permissions" section of the "Get Info" window that it's owned by you, not by OS X. That's why you can update it without a password.


For such software there is some limited opportunity for mischief but, depending on settings, malware in that situation wouldn't be able to install itself as a login item. Nor is there any chance for "poisoning the machine".


I'm not sure what you mean by "installing in the Finder menu".

May 8, 2011 8:18 PM in response to William-Boyd-Jr

For such software there is some limited opportunity for mischief but, depending on settings, malware in that situation wouldn't be able to install itself as a login item.


Why not? No special privileges are needed to add a login item. If you mean it can't install a (root) launchd item, that's true, but the current wave of trojans doesn't do that.


The potential for mischief is almost unlimited in the way most people use a Mac: running all the time with write access to almost everything in /Applications and /Library. There's absolutely nothing to stop a trojan from replacing all or any part of an existing application -- no privilege escalation needed. In view of what's going on now, I expect that to happen soon.
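The two posts above turn on a file-system fact: an application owned by the user, or a folder that is group-writable by admins as /Applications is on a stock Mac, can be modified without a password, so a trojan running with the user's own rights could replace part of an existing application. The defender's answer is to know what the bundles looked like before. The script below is an added example, not code from the thread or from Apple: it records a SHA-256 baseline of every file under an applications folder, reports files that were added, removed or changed on a later run, and lists bundles whose top directory carries a group or world write bit. The folder, bundle names, file contents and the simulated tampering are all constructed so it runs anywhere.

```python
"""Baseline and re-check application bundles for in-place replacement (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def diff_snapshots(old, new):
    """Return added, removed and changed relative paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def writable_by_others(path):
    """True if the group or world write bit is set: replaceable without a password."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def bundles_writable_by_others(apps_root):
    """List .app bundles under apps_root whose top directory is group/world writable."""
    out = []
    for name in sorted(os.listdir(apps_root)):
        full = os.path.join(apps_root, name)
        if name.endswith(".app") and os.path.isdir(full) and writable_by_others(full):
            out.append(name)
    return out


def run_demo():
    """Build a constructed bundle tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as root:
        apps = os.path.join(root, "Applications")
        bin_dir = os.path.join(apps, "Safari.app", "Contents", "MacOS")
        os.makedirs(bin_dir)
        binary = os.path.join(bin_dir, "Safari")
        with open(binary, "wb") as fh:
            fh.write(b"original executable bytes")
        info = os.path.join(apps, "Safari.app", "Contents", "Info.plist")
        with open(info, "wb") as fh:
            fh.write(b"<plist/>")
        os.makedirs(os.path.join(apps, "Shared.app"))
        os.chmod(os.path.join(apps, "Safari.app"), 0o755)   # owner-only write
        os.chmod(os.path.join(apps, "Shared.app"), 0o775)   # group-writable, like /Applications

        baseline = json.dumps(snapshot(apps))  # keep this somewhere the user cannot write

        # Simulated tampering: executable replaced, a helper dropped in, the plist deleted.
        with open(binary, "wb") as fh:
            fh.write(b"replaced executable bytes")
        with open(os.path.join(bin_dir, "helper"), "wb") as fh:
            fh.write(b"dropped file")
        os.remove(info)

        report = diff_snapshots(json.loads(baseline), snapshot(apps))
        report["writable_bundles"] = bundles_writable_by_others(apps)
    return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

For real use, run snapshot over /Applications right after a clean install or update, store the JSON baseline on media the logged-in user cannot modify, and diff against a fresh snapshot whenever something looks off. The baseline only means something if the attacker could not have rewritten it too, which is the same ownership point William and Linc are arguing about.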
