Possible new version of Flashback trojan

I just downloaded that AiseesoftFLVConverter.so_OLD file. At the time I am posting this what I can tell you about it is that it is executable code (works for either x86 or x86_64). I can disassemble it. But I haven't as yet looked through the code. I thought I would just mention this right now.

Well I can't say much. by looking at the code.

Since DYLD_INSERT_LIBRARIES is defined in .MacOSX/environment.plist then obviously there is another piece of code that uses DYLD_INSERT_LIBRARIES. I have to assume that must be in ~/Library/LaunchAgents since the affects if I recall are account specific. The file in ~/Library/LaunchAgents must use the DYLD_INSERT_LIBRARIES environment variable to call the AiseesoftFLVConverter.so_OLD code. And without seeing the launchagent I assume most of the damage is done by AiseesoftFLVConverter.so_OLD. This organization, if I recall, is not much different than the original strain.

As for AiseesoftFLVConverter.so_OLD itself. I can't say much. It's C++ code using STL with all of the non-library symbols stripped. A couple of the (I assume key) strings are encrypted. The code manufactures a small chunk of javascript (that's in the clear). I see references in the code generating url's and GET which may mean it is trying to download something (if that is the case Little Snitch could block it). I also see a reference to the string "/Users/Shared/" so maybe there's something down in there as well. Similarly for "/Applications/Safari.app/Contents/Resources/".

So this code could be trying to "spay" stuff into various other chunks of code. Insidious.

That's all I can deduce so far.

I've posted the file to both Virus Total and clamav.net using it's original name. Virus Total indicated that it had been previously uploaded (as expected) and reported that 0 of the 43 AV software scanners detected it as malware (Intego is not a participant).

...and reported that 0 of the 43 AV software scanners detected it as malware (Intego is not a participant).

That's a pretty good batting average, 0 for 43!

I picked this up in the last day or two and after investigating older solutions and specifically this one, removed the environment.plist and the .so file in question. I found it in the same place (/users/shared...) but it had a differnt name than the one the op had.

It was called "WebSiteCompanion.so" and was a hidden file , I could only see it using tinker tool

It also appeared in the environment plist so i removed both and rebooted and everything seems back to normal. I don't really know anything about these types of things, but i kept the trojan file in case it's a newer or relatively unknown version (not sure with the names) so if anyone would like me to upload it to take a look it, let me know.

Yes, stick it on a media sharing site like mediafire that was done earlier in this thread. You should still look in ~/Library/LaunchAgents.

I sent the file to ClamXav with a descripton but I trashed it on my computer out of paranoia, sorry!

There doesn't seem to be anything suspicions in LaunchAgents.

I would like to know what this gives:

otool /Users/Shared/name_of_flashback_library.so -vl

Or maybe you can give me an URL to download the file.