.rserv wants to connect to cuojshtbohnt.com
I have the message:
.rserv wants to connect to cuojshtbohnt.com
what is .rserv? I googled it and couldn't locate anything legitimate.
thanks
MacBook Pro, Mac OS X (10.6.8)
I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
😮
I'll do a text level search of the whole drive and report back if I find something.
GL
That does not ring a bell. For now, I'll just delete the .rserv file. It never got through Little Snitch (thank you, Little Snitch). Not sure what would have happened if it had connected. And Find Any File found it right away.
Thanks, everyone, for your help!
bgw1 wrote:
There is no Adobe .plist file at the locations you asked about. […]
Did you see my earlier post that I found the .rsvr file, it's 59.9K […]
If the file you found is named ".rsvr", not ".rserv", then, as I believe X423424X said, it could be a different matter. It also could be the same malware, but not necessarily implemented in the same way. We do know that, with this threat, file names vary.
Likewise with the plist. If it's there, the plist itself may be named something else. trungson showed how to look for it with grep. If the malware file is ".rsvr", then it's
$ grep -r 'rsvr' ~/Library/LaunchAgents/
(where $ is your prompt).
fane_j wrote:
The plist has nothing to do with Adobe Reader. The Label key is a unique identifier, required by launchd to keep track of agents. But it can be any string. If launchd's database is case-sensitive, and the Adobe Reader identifier is, as I suspect, com.adobe.Reader, then it's enough.
The CFBundleIdentifier for Adobe reader is indeed com.adobe.Reader.
As to how it was installed… My bet would still be CVE-2011-3544.
Yes, but who installed it? I can't believe it is an Apple security update. But since I use 10.6.5 and don't have any security updates beyond that, I don't know for sure (10.6.5 because the App Store started in 10.6.6 -- another process that calls home without my permission, don't know when, don't know what it sends, possibly can bypass LS during boot time, back to Apple, my same paranoiac philosophy).
No, it's one file, .rserv. The other one was a typo once when referring to it.
I ran the grep command and DID get the adobe reader .plist results. There is the reference to .rserv buried right in the middle of it!
Eirs-MacBook:~ EirUser$ grep -r 'rserv' ~/Library/LaunchAgents/
/Users/EirUser/Library/LaunchAgents/com.adobe.reader.plist:<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.adobe.reader</string><key>ProgramArguments</key><array><string>/Users/EirUser/.rserv</string></array><key>RunAtLoad</key><true/><key>StartInterval</key><integer>4212</integer><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string></dict></plist>
Eirs-MacBook:~ EirUser$
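The plist above is a textbook launchd persistence entry: a Label borrowed from a real vendor (com.adobe.reader), a ProgramArguments path pointing at a hidden dotfile directly in the user's home directory, RunAtLoad plus a StartInterval so it keeps re-launching, and both stdout and stderr sent to /dev/null. The grep in the thread only finds a plist whose contents happen to mention the file name already known. The following is an added example, not code posted by anyone in this thread, that parses every agent plist with Python's standard-library plistlib and flags those structural indicators regardless of what the payload is called. The sample plist is reconstructed from the grep output above; the benign "com.example.updater" plist, the app path inside it, and the indicator thresholds are assumptions for illustration.

```python
"""Triage launchd agent plists for the indicators seen in the thread.

Added example (not from the thread). Standard library only, so it runs
anywhere; on a Mac point scan_dir() at ~/Library/LaunchAgents.
"""
import plistlib
import re
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: the com.adobe.reader.plist from the grep output,
# split across lines for readability. Paths and values are the thread's.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.adobe.reader</string>
<key>ProgramArguments</key><array><string>/Users/EirUser/.rserv</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>4212</integer>
<key>StandardErrorPath</key><string>/dev/null</string>
<key>StandardOutPath</key><string>/dev/null</string>
</dict></plist>
"""

# Constructed benign agent (hypothetical label and path) for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>
"""

# A hidden file sitting directly in a home directory: /Users/<name>/.<something>
HIDDEN_IN_HOME = re.compile(r"^/Users/[^/]+/\.[^/]+$")

# Locations a vendor-labelled agent would normally launch its binary from.
EXPECTED_PREFIXES = ("/Applications/", "/Library/", "/System/", "/usr/")


def program_path(plist: dict) -> Optional[str]:
    """Return the executable launchd will run (ProgramArguments[0] or Program)."""
    args = plist.get("ProgramArguments")
    if args:
        return args[0]
    return plist.get("Program")


def triage(plist: dict) -> List[str]:
    """Return human-readable findings; an empty list means no indicators."""
    findings = []
    prog = program_path(plist) or ""
    label = plist.get("Label", "")

    if HIDDEN_IN_HOME.match(prog):
        findings.append(f"program is a hidden file directly in a home directory: {prog}")

    if (plist.get("StandardOutPath") == "/dev/null"
            and plist.get("StandardErrorPath") == "/dev/null"):
        findings.append("stdout and stderr both discarded to /dev/null")

    # Reverse-DNS label (at least two dots) that does not run from a vendor
    # location is the com.adobe.reader -> ~/.rserv pattern from the thread.
    if label.count(".") >= 2 and not prog.startswith(EXPECTED_PREFIXES):
        findings.append(f"vendor-style Label {label!r} but program runs from {prog!r}")

    if plist.get("RunAtLoad") and plist.get("StartInterval"):
        findings.append(f"runs at login and again every {plist['StartInterval']}s")

    return findings


def triage_bytes(data: bytes) -> List[str]:
    """Parse raw plist bytes (XML or binary) and triage the result."""
    return triage(plistlib.loads(data))


def scan_dir(directory: Path) -> Dict[str, List[str]]:
    """Triage every *.plist in a LaunchAgents/LaunchDaemons directory."""
    results = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            results[path.name] = triage_bytes(path.read_bytes())
        except Exception as exc:  # unreadable or malformed plist is itself worth a look
            results[path.name] = [f"could not parse: {exc}"]
    return results


if __name__ == "__main__":
    for name, data in (("com.adobe.reader.plist", SAMPLE_PLIST),
                       ("com.example.updater.plist", BENIGN_PLIST)):
        print(name)
        for line in triage_bytes(data) or ["no indicators"]:
            print("  -", line)
    # On the affected machine: scan_dir(Path.home() / "Library" / "LaunchAgents")
```

Run it as-is and the reconstructed com.adobe.reader.plist produces four findings while the hypothetical benign agent produces none; on a Mac, `scan_dir()` over ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons gives the same triage for every agent without needing to know the payload's file name first.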
You said you didn't have that launchagent! That's what set off the wild goose chase.😠
My apologies. The request was for these three, and they only exist in the top level Library. My answer was for these:
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/StartupItems
In addition, I was a little blind-sided because Adobe Reader is not on my machine so I wasn't really looking for that file.
Anyway, after you asked me to grep for .rserv, I did find the Adobe Reader .plist file. I had to go into Onyx to turn on hidden files in order to browse the user's Library and look for the arrival date of the file in Time Machine.
The file showed up on Friday, March 30 according to Time Machine. It was not on the machine before that.
X423424X wrote:
who installed it?
A Java applet would be my guess. As it's in the user's home directory, no special permissions or authentication would be required.
Talking of Java. Everyone, would you check your version
$ java -version
The latest SL should be
java version "1.6.0_29"
in which this vulnerability was supposed to have been fixed.
Also, could you check the Java (not JavaScript, which is a different beast) settings in all your browsers?
In Safari, it's Safari > Preferences > Security > Web Content > Enable Java
I found some additional details from "Applications/Utilities/Console" under "All Messages", around the time the file was created. It does look like it's with Java (CVE-2011-3544) as suggested.
3/31/12 4:36:28 PM | firefox[189] | Process manager already initialized -- can't fully enable headless mode. |
3/31/12 4:36:40 PM | Firewall[77] | java is listening from ::ffff:0.0.0.0:0 proto=6 |
3/31/12 4:38:27 PM | com.apple.launchd.peruser.501[105] | (com.adobe.reader[3712]) Exited with exit code: 1 |
I have Mac 10.6.8, Java is from Apple 1.6.0_29 (don't think I can upgrade to 1.7 since it's Apple's Java). I just disabled Java in the browsers (Firefox, Chrome, Safari) but still don't know where I got infected from and if it accessed/downloaded anything and how to really fix this.
bgw1 wrote:
My apologies. The request was for these three, and they only exist in the top level Library. My answer was for these:
The link I pointed at in my above post (here's that link again) explicitly said right at the beginning:
In ~/Library/LaunchAgents/, there is only Little Snitch and Splashtop.
At any rate trash the thing and be done with it. Or leave it in or block or not block with Little Snitch. Your decision.
Personally, I would trash it.
Seems to be the right version.
Eirs-MacBook:~ EirUser$ java -version
java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11D50b)
Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)
Eirs-MacBook:~ EirUser$
It is enabled in Safari Preferences.
What about Chrome?
FWIW, I used FindAnyFile application to find and delete .rserv. I also deleted the com.adobe.reader.plist.
As for how to prevent another infection, I don't know the answer to that, but I will definitely keep Little Snitch running to prevent it from calling home.
Thanks everyone for your help.
trungson wrote:
I found some additional details from "Applications/Utilities/Console" under "All Messages", around the time the file was created. […]
I have Mac 10.6.8, Java is from Apple 1.6.0_29 […]
Good work, but bad news. CVE-2011-3544 was supposed to have been fixed after update 27, so either it hasn't been really fixed, or they use another vulnerability. IMHO, that's serious stuff, and I'm considering whether or not I should remove Java altogether.
bgw1 wrote:
It is enabled in Safari Preferences.
What about Chrome?
Disable it in Safari right away. I don't know about Chrome, but check this
<http://www.maclife.com/article/howtos/how_disable_java_your_mac_web_browser>
I agree that it is a bit worrisome since it might be a new variant. The hexdump plaintext for .rserv is here:
As was brought up by an earlier poster, this is an evolution of Flashback. Anyone who has seen evidence of .rserv on their system, or has other concerns about being infected, should review http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml or similar.