-
Sep 28, 2011 11:38 AM, in response to Louie Sherwin, by pcbjr:
See a bunch of stuff, but no .MacOSX.
Is the command a 1 or I (one or capital I)?
This is all I get:
. .crash_report_frames Movies
.. .crash_report_preview Music
.CFUserTextEncoding .cups Pictures
.DS_Store Desktop Public
.Trash Documents Sites
.bash_history Downloads
.crash_report_checksum Library
-
Sep 28, 2011 11:38 AM, in response to pcbjr, by Linc Davis:
Files with names that begin with a "." (period) are hidden in the Finder. Launch the Terminal application and copy or drag -- do not type -- the following text into the window, then press return:
rm -r .MacOSX
You can then quit Terminal.
-
Sep 28, 2011 11:45 AM, in response to Linc Davis, by pcbjr:
Did that and get only this:
$ rm -r .MacOSX
rm: .MacOSX: No such file or directory
-
Sep 28, 2011 11:46 AM, in response to Linc Davis, by cathy fasano:
Don't go telling people to delete their .MacOSX directory. I have a completely legit environment.plist file in mine, from 2007 -- it contains this code:
% cat ~/.MacOSX/environment.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PATH</key>
<string>/sw/bin:/sw/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin</string>
</dict>
</plist>
-
Sep 28, 2011 11:51 AM, in response to pcbjr, by Linc Davis:
>> No such file or directory
Then it's already gone, or was never there.
-
Sep 28, 2011 11:54 AM, in response to Linc Davis, by Louie Sherwin:
Linc Davis wrote:
@Linc - see the pkg at mailinator, I've sent the url again.
Thanks. The installer does not need root privileges to run. The BOM file contains only an empty text file; the payload is entirely contained in the "preinstall" executable, which in this case is a binary. It installs the files listed below, attempts to disable "Little Snitch" (if present), loads a launchd job, and relaunches Safari and Firefox.
Here is a complete list of the files installed:
1. .MacOSX/environment.plist
2. Library/LaunchAgents/com.apple.SystemUI.plist
3. Library/Preferences/perflib
4. Library/Preferences/Preferences.dylib
5. Library/Logs/swlog
Thanks Linc,
It seems that file 5 is replaced by a text file "softwareupdate" or I was infected by a slightly different variant. This file I found in the Logs directory had two hex strings and was created on the day I was infected and modified one day later.
-louie
Message was edited by: Louie Sherwin
-
Sep 28, 2011 11:58 AM, in response to cathy fasano, by Linc Davis:
>> Don't go telling people to delete their .MacOSX directory.
Why not?
>> I have a completely legit environment.plist file in mine, from 2007 -- it contains this code...
Which belongs in your shell initialization file, not in the file that sets the environment for all launchd sub-processes. In any case, the trojan replaces the existing file.
-
Sep 28, 2011 12:03 PM, in response to Linc Davis, by andyBall_uk:
>> File 1 is an empty plist, merely a placeholder at this stage, apparently.
Not here: it had the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/xyz/Library/Preferences/Preferences.dylib</string>
</dict>
</plist>
</dict>
</plist>
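Added by the editor, not code posted by anyone in this thread: a read-only check for the two things the posts above describe. Linc Davis's point is that ~/.MacOSX/environment.plist sets the environment for every launchd sub-process in the user's session, so a DYLD_INSERT_LIBRARIES entry like the one andyBall_uk posted gets the dylib loaded into Safari, Firefox and every other GUI app. The script reports whether that file sets any DYLD_* variable, which library it points at, and which of the five dropped files Linc listed are present, without deleting anything (so a legitimate PATH-only or QDTEXT_* plist like cathy's or MadMacs0's is reported as clean rather than removed). The file list and the /Users/xyz path are taken from the thread; the function names, the constructed demo directory and the use of tr/sed/awk instead of plutil (so it also runs on Linux against a copied home directory) are the editor's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only check for the Sep 2011 fake
# Flash installer: a ~/.MacOSX/environment.plist that sets DYLD_INSERT_LIBRARIES
# (launchd applies it to every process in the login session) and the dropped
# files Linc Davis listed. Uses only tr/sed/awk, so it does not need plutil.

# Dropped files relative to the home directory, exactly as listed in the thread.
TROJAN_FILES='.MacOSX/environment.plist
Library/LaunchAgents/com.apple.SystemUI.plist
Library/Preferences/perflib
Library/Preferences/Preferences.dylib
Library/Logs/swlog'

# Print every DYLD_* key a plist sets, one per line. Splitting the XML on '<'
# puts each tag on its own line, so it does not matter whether the <key> and
# its <string> share a line (as in andyBall_uk's copy) or not.
dyld_keys_in_plist() {
    [ -f "$1" ] || return 0
    tr '<' '\n' < "$1" | sed -n 's/^key>\(DYLD_[A-Z_]*\)$/\1/p' | sort -u
}

# Print the library path(s) DYLD_INSERT_LIBRARIES points at, if any.
inserted_libraries() {
    [ -f "$1" ] || return 0
    tr '<' '\n' < "$1" | awk '
        /^key>DYLD_INSERT_LIBRARIES$/ { want = 1; next }
        want && /^string>/            { sub(/^string>/, ""); print; want = 0 }
    '
}

# One word: "absent" (no such file), "clean" (no DYLD_ keys, e.g. a PATH or
# QDTEXT_* setting), or "suspicious" (a dyld variable is being pushed into
# every app in the session, which no ordinary user setup needs).
environment_plist_verdict() {
    if [ ! -f "$1" ]; then
        echo absent
    elif [ -n "$(dyld_keys_in_plist "$1")" ]; then
        echo suspicious
    else
        echo clean
    fi
}

# Print which of the dropped files exist under a home directory, one per line.
# environment.plist alone is not proof (legitimate copies exist); the verdict
# above looks at its contents. The other four paths are the stronger signal.
present_trojan_files() {
    home="$1"
    printf '%s\n' "$TROJAN_FILES" | while IFS= read -r rel; do
        [ -e "$home/$rel" ] && echo "$rel"
    done
    return 0
}

# Constructed victim home directory for a demo run (editor's sample data): the
# plist mirrors the one andyBall_uk posted, and two of the dropped files are
# created empty. Nothing here touches the real $HOME.
demo_scan() {
    home=$(mktemp -d)
    mkdir -p "$home/.MacOSX" "$home/Library/Preferences" "$home/Library/LaunchAgents"
    cat > "$home/.MacOSX/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>DYLD_INSERT_LIBRARIES</key><string>/Users/xyz/Library/Preferences/Preferences.dylib</string>
</dict>
</plist>
EOF
    : > "$home/Library/Preferences/Preferences.dylib"
    : > "$home/Library/LaunchAgents/com.apple.SystemUI.plist"
    echo "verdict:  $(environment_plist_verdict "$home/.MacOSX/environment.plist")"
    echo "inserted: $(inserted_libraries "$home/.MacOSX/environment.plist")"
    present_trojan_files "$home" | sed 's/^/present:  /'
    rm -rf "$home"
}

# Run with DEMO=1 for the constructed directory; otherwise scan the real $HOME.
if [ "${DEMO:-0}" = 1 ]; then
    demo_scan
else
    echo "verdict: $(environment_plist_verdict "$HOME/.MacOSX/environment.plist")"
    present_trojan_files "$HOME"
fi
```

On an affected Mac the real-home run prints "verdict: suspicious" followed by the dropped files that exist; on a machine with only a PATH or QDTEXT_* plist it prints "verdict: clean" and, at most, ".MacOSX/environment.plist", which is exactly the case where Linc's blanket rm -r would have destroyed a legitimate file.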
-
Sep 28, 2011 12:00 PM, in response to cathy fasano, by MadMacs0:
cathy fasano wrote:
I have a completely legit environment.plist file in mine, from 2007
As do I, but it's from 2005 and contains:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>QDTEXT_ANTIALIASING</key>
<string>1</string>
<key>QDTEXT_MINSIZE</key>
<string>12</string>
</dict>
</plist>
-
Sep 28, 2011 12:03 PM, in response to Ralph Deen, by cathy fasano:
Does anybody else have an application 'Adobe Flash Player Install Manager' in their /Applications/Utilities directory? Mine was installed there Sep 21, 2011 at 10:17 AM, while the install_flash_player_osx_intel.dmg in my downloads directory is timestamped Sep 21, 2011 at 10:06 AM.
-
Sep 28, 2011 12:07 PM, in response to MadMacs0, by Linc Davis:
That file is really intended only for developers to use while testing. It would be a good idea, in my opinion, for anyone who doesn't know he needs the file to delete it.
-
Sep 28, 2011 12:10 PM, in response to cathy fasano, by Linc Davis:
>> Does anybody else have an application 'Adobe Flash Player Install Manager' in their /Applications/Utilities directory?
Not part of the trojan, at least not the one I saw.
-
Sep 28, 2011 1:03 PM, in response to Linc Davis, by cathy fasano:
Thanks, Linc. I am becoming pretty confident that the Flash-upgrading-itself activity I have been seeing is legitimate "automatic update" behavior, and not malware. So I've turned off automatic update and consider myself lucky that I dodged this bullet.
-
Sep 28, 2011 1:10 PM, in response to cathy fasano, by WZZZ:
Don't turn off automatic update. If you get a notice to update it may be real, and by turning off auto update you may not realize there's an update for quite some time. Many, if not most, of the Flash updates are patches for "critical" vulnerabilities, which appear relentlessly.
Of course, don't click on any link provided by an update notification. But use the notification to visit the Adobe site to see if there really is an update.
You can easily check for updates in the Advanced panel of the Flash Player Preference Pane in Sys Prefs.
-
Sep 28, 2011 1:47 PM, in response to WZZZ, by cathy fasano:
I installed the update that I downloaded from the Adobe site, and my version went from 10.3.183.7 to 10.3.183.10. Turned automatic update back on, and have now resolved that when the auto updates appear I'll kill them and head for the Adobe site and do the update manually.