
.rserv wants to connect to cuojshtbohnt.com

I have the message:

.rserv wants to connect to cuojshtbohnt.com

What is .rserv? I googled it and couldn't locate anything legitimate.

thanks

MacBook Pro, Mac OS X (10.6.8)

Posted on Mar 31, 2012 3:18 PM


Posted on Mar 31, 2012 6:21 PM

I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.


😮


I'll do a text level search of the whole drive and report back if I find something.


GL


Apr 5, 2012 3:07 PM in response to chadonline

Little Snitch: .null wants to connect to vxvhwcixcxqxd.com


I have received this prompt, as I am sure others have as well. I do remember the on-screen window that F-Secure has in their detailed description of the Flashback variant; while surfing the web, it prompted me to insert my password, which I of course did not.


I would like to post the 4 steps that I have taken in terminal to remove the .null file as instructed by F-Secure and would appreciate any feedback.


1. ls -lA ~/Library/LaunchAgents


-rw-r--r-- 1 "myname" staff 484 28 Mar 22:39 null.plist


2. defaults read ~/Library/LaunchAgents/null ProgramArguments

(

"/Users/"myname"/.null"

)


3. rm -R /Users/"myname"/.null


4. delete null.plist


I have run all the necessary steps that F-Secure has posted for manual removal of Flashback.K, I, C, B, and A. I have only received error messages, which F-Secure says are an indication that the system is already clean of the variant.


Thanks to all in advance.

Apr 5, 2012 4:44 PM in response to WZZZ

WZZZ wrote:


Mad, I've asked you this in the Leopard forum already

Answered in that forum.

If not, do you know -- or anyone else, maybe -- if Intego's VirusBarrier X6, the demo version, will scan properly for this? I know they are claiming the full version, at least, can.

I do not. I seem to remember that there are limitations to some of the free / demo versions out there (like not getting timely updates) but I don't really know about VB X6. I have the full version (came with a bundle of software), but have not activated it yet.

Apr 5, 2012 9:18 PM in response to WZZZ

WZZZ wrote:


If not, do you know -- or anyone else, maybe -- if Intego's VirusBarrier X6, the demo version, will scan properly for this? I know they are claiming the full version, at least, can.

If F-Secure's info is right, a scan may not be necessary since the trojan-downloader component of the recent variants self-destructs if it detects /Applications/VirusBarrier X6.app.


And FWIW, this April 3 Sophos blog post claims that Sophos security products (including the free one for Mac home users) have been detecting the components of the malware for some time.

Apr 5, 2012 9:35 PM in response to R C-R

R C-R wrote:


WZZZ wrote:


If not, do you know -- or anyone else, maybe -- if Intego's VirusBarrier X6, the demo version, will scan properly for this? I know they are claiming the full version, at least, can.

If F-Secure's info is right, a scan may not be necessary since the trojan-downloader component of the recent variants self destructs if it detects /Applications/VirusBarrier X6.app.

I understood WZZZ to be looking for a post infection scanner to check for the Trojan itself.

Apr 5, 2012 10:13 PM in response to chadonline

Well, I have been reading many posts for the last few days. And I strongly believe that the creators of this trojan have developed it in a way that it morphs into different .filenames (invisible) depending on what apps you have opened.


I began to first suspect something strange when VirtualBox crashed my system (kernel panic) on me several times over the weekend. Something it has never done in the past. Sometime later, maybe later in the day, I began to get Little Snitch warnings about a file .mkeeper in my ~myuser directory created April 1, 2012. I was suspicious about its creation date, as I downloaded MacKeeper several weeks ago from the developer's site and installed it but had stopped using it altogether.


Nonetheless this .mkeeper file connection warning kept coming up. I did not authorize Little Snitch access to the cuojshtbohnt site and began Googling. Only found one or two pages mentioning the file .mkeeper, but nothing conclusive. The only discussions I found were on .rserv. Unlike today, where more pages are surfacing.


Well, turns out this file was a Flashback trojan and, though I didn't have any other files in my ~/Library/LaunchAgents/ or elsewhere as indicated by F-Secure, I don't think I was fully infected. Perhaps because Little Snitch prevented the connection. Incidentally, I do have Skype installed but not MS Office.


I tried opening the .mkeeper file (a Unix executable file) and found it must have been a binary file, as there was little text I could really make out. Well, long story: I downloaded an antivirus trial version and ran it on my system, and it flagged the .mkeeper as a Flashback trojan and also flagged two MacKeeper files, both .plist types if I remember correctly, something to the effect of zeobyte.plist and mackeeper.plst.


I believe I may have gotten it from an off-the-wall torrent site I may have visited, which later attacked the MacKeeper app. So therefore I strongly suggest that you be cynical and don't allow yourself to believe that this trojan has one identity or goes by one name. My regret is that I trashed the files. I should have kept the files to have them dissected.


Well, hope this can help shed some light. I have been a Mac user for over 25 years and never had antivirus or any virus issues on any of my Macs. I am just upset that Apple has taken a leisurely approach to this, especially since this threat was first reported back in February.

Apr 5, 2012 10:39 PM in response to WZZZ

WZZZ wrote:


RC-R: just seconds before I saw your post, I saw that on the Sophos forum. Thanks. And, yes, MadMacs0 is right. A post-infection scanner is needed.


Here's what I've been currently posting when I reply to one of those "have I been infected" threads:

Here's what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans. Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:


defaults read ~/.MacOSX/environment

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

ls -la ~/Library/LaunchAgents

grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*


For the two defaults commands, if you get anything other than a "does not exist" error message, post the results, since you are almost certainly infected.


The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection and again post its results.


I don't have confidence in the safari test. But that's the one floating around so I threw it in.

Apr 6, 2012 5:15 AM in response to X423424X

Little Snitch informed me that ~/.flserv wants to connect to vxvhwcixcxqxd.com and krymbrjasnof.com.


~/.flserv is started by ~/Library/LaunchAgents/com.adobe.flp.plist on my mac.


grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* shows the following result:

/Users/marco/Library/LaunchAgents/com.adobe.flp.plist:<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.adobe.flp</string><key>ProgramArguments</key><array><string>/Users/marco/.flserv</string></array><key>RunAtLoad</key><true/><key>StartInterval</key><integer>4212</integer><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string></dict></plist>


I'm not sure if I allowed any suspicious connection in the last days, nor do I remember providing my admin password to any suspicious installer, but the timestamp shows that it's been there since March 30.


Both F-Secure tests are ambiguous in my opinion. Since steps 3 and 8 result in "...does not exist" inexperienced users might think they are not infected.


I deleted both ~/Library/LaunchAgents/com.adobe.flp.plist and ~/.flserv


Hopefully this is enough.

Apr 6, 2012 9:40 AM in response to chadonline

Thanks for the advice MadMacs0. I was definitely infected but the only extra file I found was titled null.plist located in my LaunchAgents folder. I used Time Machine to restore my system to before the virus appeared. This was actually a perfect solution as Microsoft Office had not been functioning since one of the last security updates (I assume it was the update due to the timing) and is now back to normal.

Apr 6, 2012 12:22 PM in response to Marco g

Marco g wrote:


I deleted both ~/Library/LaunchAgents/com.adobe.flp.plist and ~/.flserv


Hopefully this is enough.


I hope it is. But this identical thing is going on in another thread, but there the name is .reserv instead of .flserv. I posted instructions on removal, which are of course to delete both those files. But I also requested there to do one check on the dot file just to see if it is referencing other stuff. Based on what F-Secure has been doing with previous strains, that would translate here to:


grep -a -o '__ldpath__[ -~]*' ~/.flserv


Since I don't have these files I'm just curious to see if the grep yields anything interesting, or anything at all for that matter.

Apr 6, 2012 12:29 PM in response to WZZZ

WZZZ wrote:


Thanks, I've given him the latest, grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* to try. (That's meant to show any dot files in there?)


It's meant to show any launchagent that contains the string "/Users/USERNAME/.filename" in the launchagents, not all dot filenames. Initially I was more general in the search because I didn't want to restrict it to just dot filenames. But that was too general since it would find every launchagent that referenced the user's account. So I changed it to the current search.


If I get obsessive about this, even the current grep is "perfect". A user in the other thread uses CleanMyMac and its launchagent references /Users/USERNAME/.Trash. So where do I draw the line?
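As an added example, not posted by anyone in this thread: a POSIX shell script that automates the LaunchAgents grep and the __ldpath__ check discussed above, skipping the /Users/USERNAME/.Trash reference that CleanMyMac's agent legitimately contains. Assumed: the LaunchAgents directory and username are passed as arguments; the two defaults read tests (environment.plist and Safari's LSEnvironment) are left out because they only work on macOS.

```shell
#!/bin/sh
# Added example, not the thread's own code. Looks for launch agents whose
# ProgramArguments point at a hidden dot file directly under /Users/<user>/,
# the persistence pattern seen above (.rserv, .null, .flserv, .mkeeper).

# scan_launch_agents DIR USER
# Prints "plist path" for each suspicious agent. Returns 0 if nothing was
# found (clean), 1 if at least one agent referenced a hidden dot file.
scan_launch_agents() {
    dir=$1
    user=$2
    found=0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        # Agents in the thread were single-line XML, so -o pulls out only the
        # matching path; -a keeps grep reading if the file is binary plist.
        # sort -u ends the pipeline with status 0 even when grep matched nothing.
        for prog in $(grep -a -o "/Users/$user/\.[^<\"]*" "$plist" 2>/dev/null | sort -u); do
            case $prog in
                "/Users/$user/.Trash"*) continue ;;   # known benign (CleanMyMac)
            esac
            printf '%s %s\n' "$plist" "$prog"
            found=1
        done
    done
    return $found
}

# ldpath_marker FILE
# Prints the first "__ldpath__..." string embedded in a dropped binary, the
# same grep F-Secure's removal notes use; empty output means no marker.
ldpath_marker() {
    grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | head -n 1
}

# Stand-alone use: check the current user's own LaunchAgents folder.
scan_launch_agents "$HOME/Library/LaunchAgents" "${USER:-$(id -un)}" \
    && echo "no launch agents referencing hidden dot files in your home folder" \
    || echo "review the launch agents listed above"
```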

Apr 6, 2012 2:31 PM in response to X423424X

Hi X423424X, thanks for the advice. Since I already deleted ~/.flserv it's hard to tell. I recovered it from my backup to run grep -a -o '__ldpath__[ -~]*' ~/.flserv, but there are no results.


However, if I view ~/.flserv, there are many references to other files.


If anybody is interested, I renamed it to "flserv" and uploaded it to this location: https://www.yousendit.com/download/M3BubUpjcklsUi9MYnNUQw
