new malware disguised as flash installer

Macworld magazine made note of it here. I haven't seen a way to remove it yet.

In the future, never, never ever trust any third party site that says you need to install Flash. Get it from Adobe ONLY. If after that a site still says you need to install Flash or update it, you know they're full of it.

More info on it here. There currently seems to be no manual method of removing it. It's a rather nasty Trojan too, as it turns off network security features and redirects personal information to remote servers. So as usual lately, the goal is to nab things like passwords, bank account numbers, etc. In other words, DO NOT use your Mac for anything that may expose sensitive information until you can clean it off your system.

Intego says their current VirusBarrier X6 can detect and remove this malware.

The malware apparently installs this file:

~/Library/Preferences/Preferences.dylib

Removing that file may be sufficient, though I'm not certain. Pending further information, it may be best to back up your documents, erase your drive, and reinstall Mac OS X and your applications.

I see nothing to indicate that this malware only affects Lion, BTW, though the installer may be labeled as being Flash for Lion, so don't presume you're safe running Snow Leopard; your system may well now be open to further attack.

Regards.

Short article on this here.

http://blog.intego.com/2011/09/26/

I got carless and got infected on my desktop the other day. Oh well, this is the first time ever since I got my original Fat Mac eons ago.

A couple of things. First I tried deleting the evil "Preferences.dylib" file and that ended up breaking my user login. So that does not seem to be an easy way to get rid of this beast.

Secondly the thing that got me curious was the contextual menus in Finder started showing up with strange entries like "A13" instead of "Open". This got me searching and lead me to this thread. I don't know for sure that this directly related but the timing is suspicious.

The information on the Intego sites indicates that they can detect it but I am not clear if they completely remove it. The big problem seems that it will inject itself into any application that you have run. UGGGG!

So I am going to download the Intego Virus Barrier demo onto my uninfected lap top run the scan there and then reboot my desktop with the internet disconnected move Virus Barrier over there and scan the whole system and see what that finds.

I will post may results back here.

-louie

Although that Intego articlementions that ~/Library/Preferences/Preferences.dylib gets installed it doesn't go into any details. Given that it is installed in a user's local preferences I have to think there's got to be a way to use that code again if the user logs off and back on again. So I would think there should also be something in ~/Library/LaunchAgents (or user's Accounts login items but that too obvious).

When rooted out, if you are using Little Snitch, I would check its settings. Similarly any other network settings.

I don't have that installer. But it should be obvious what gets installed where simply by examining it with Pacifist (also looking at the pre and postflight scripts if any).

Ralph Deen wrote:

I'm a dummy....fell for the ruse, any ideas on how to get rid of this new malware?

The AV community clearly needs more information about this threat in order to answer your question, so if you still have the file ~/Library/Preferences/Preferences.dylib can you upload it to http://www.virustotal.com/. If the entry next to clamav does not show anything then also upload it to http://cgi.clamav.net/sendvirus.cgi and in the description box include the keyword "macos". Also do this with the Flash installer file if it's still there, but it supposedly destroys itself after doing whatever it does.

Most importantly, can you figure out the URL of where you found it (check your browser history)? Please don't post it here, instead, go to http://mailinator.com/, create a mailbox, post it there and return here with the name you gave the mailbox.

Bingo there is an entry in ~/Library/LaunchAgents/com.apple.SystemUI.plist with the path to Preferences.dylib. So that may be what is restarting it and why my login is hanging one I removed the bad file.

I can't seem to get an editor to run from the Terminal that I am running off of my install DVD.

What happens if I delete the SystemUI.plist file. Anything terrible that I will mess up?

-louie

Just read this from MacWorlds email link.

But I am not sure how we would know if I have it.

I have had some pop ups saying Flash seems to have crashed.Mainly on Youtube videos.

Is my MBP infected.

What signs do I look for. I am 99% certain I have not downloaded anything but 1% of me says maybe!

Thanks

I am using 10.6.8

I just ran software update and nothing new was found.

so is the update a remote piece of software?

Sorry I am not used to this on my MAC, been a 'user' since 2002 and never worried before.

Louie Sherwin wrote:

...What happens if I delete the SystemUI.plist file. Anything terrible that I will mess up?

Well I'm not the best source of info on this as I'm running Leopard, but that file doesn't exist anywhere on my Mac.

I have had some pop ups saying Flash seems to have crashed.Mainly on Youtube videos.

That's just an error message, not an attempt to get you to download and install software.

Is my MBP infected?

If you've downloaded and installed Flash only from Adobe's web site, then no. Ignore any other site's attempt to convince you to install any software they are not the distributors of.

What signs do I look for. I am 99% certain I have not downloaded anything but 1% of me says maybe!

Not sure. From what's published on it so far, you wouldn't see any obvious activity, which is the point. Everything they want the Trojan to do happens in the background.

I just ran software update and nothing new was found.

Software Update is only for updating Apple software, such as OS X, Final Cut Studio, iLife, etc. It doesn't check for any updates from third party vendors.

so is the update a remote piece of software?

Yes, Flash is supplied by Adobe. You can get the real thing here.

Sorry I am not used to this on my MAC, been a 'user' since 2002 and never worried before.

There's always something to worry about, no matter what OS you're using. You just have to be vigilant, more than anything else. For now, viruses are still non existent. What few OS X exploits there are, are Trojans. Software that requires you to fall for some supposed value it has and installing it yourself.

MadMacs0 wrote:

Louie Sherwin wrote:

...What happens if I delete the SystemUI.plist file. Anything terrible that I will mess up?

Well I'm not the best source of info on this as I'm running Leopard, but that file doesn't exist anywhere on my Mac.

Yes this looks like part of what this things installs.

I was able to logon via my guest account and create a brand new administrator account on my infected system. This file seems to only refer to the bad code placed on my systerm.

I deleted it and I still cannot login to my home account. It accepts my password and just hangs forever with a blank screen. I have to reboot.

-louie

Shirley Drabble1 wrote:

Just read this from MacWorlds email link.

But I am not sure how we would know if I have it.

I have had some pop ups saying Flash seems to have crashed.Mainly on Youtube videos.

Is my MBP infected.

What signs do I look for. I am 99% certain I have not downloaded anything but 1% of me says maybe!

Thanks

I am using 10.6.8

I just ran software update and nothing new was found.

so is the update a remote piece of software?

Sorry I am not used to this on my MAC, been a 'user' since 2002 and never worried before.

One of the things that started happening is some sites with flash stopped loading. To know for sure if you are infected look for the "Preferences.dylib" file in your user Library/Preferences folder. If that is there then you are infected.

-louie

Sorry I meant do Apple have the software built remotely so we don't have to download it.

I tried spotlight for that .dylib file but the results were inconclusive. I am guessing SPotlight doesn't look in libraries

What if anything should I do now?

Thanks

Sorry I meant does Apple have the software built remotely so we don't have to download it.

That's very vague. Unless you write and compile the software yourself, all software is built remotely and needs to either be purchased on disk or downloaded. What software are you referring to?