chadonline

Q: .rserv wants to connect to cuojshtbohnt.com

I have the message:

.rserv wants to connect to cuojshtbohnt.com

what is .rserv? I googled it and couldn't locate anything legitimate.

thanks

MacBook Pro, Mac OS X (10.6.8)

Posted on Mar 31, 2012 3:18 PM


Page 10 of 16
  • by fane_j, Level 4 (3,677 points), Apr 4, 2012 5:52 AM in response to tadanm256

    tadanm256 wrote:

    I therefore assume that if you do not reboot your computer there should be no reason for the process to be launched.

    Incorrect. The process is launched every 4212 seconds by launchd. Peruse the thread, I explained it in an earlier post.

  • by Matt Durben, Level 1 (1 point), Apr 4, 2012 7:13 AM in response to chadonline

    defaults read ~/.MacOSX/environment
    {
        "DYLD_INSERT_LIBRARIES" = "/Users/Shared/.libgmalloc.dylib";
    }

    means I'm infected?

    There's a 406kB .libgmalloc.dylib in the specified folder.

    What exactly does this trojan do? Unfortunately I installed Little Snitch a few days after a strange program wanted to have my password to install something. I declined, but from what I read that does not matter?!

  • by tadanm256, Level 1 (0 points), Apr 4, 2012 7:43 AM in response to fane_j

    Are we sure it is Flashback.K?

    I recall some days ago having the system ask me for the administrator password.

    I refused and kinda found it weird but forgot about it.

    I went onto the F-Secure website and did the procedure to remove the trojan/backdoor called Flashback.K, as everyone assumes it is this one.

    According to the website none of the files are found, hence my computer wasn't infected.

    $ defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    2012-04-04 15:29:50.765 defaults[7475:707]
    The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

    $ defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    2012-04-04 15:30:13.196 defaults[7590:707]
    The domain/default pair of (/Users/user_name/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

    However, as the website of F-Secure states (I have applications that will make it abort installation: i.e. Skype, Word etc.)

    Do you think a change of ALL passwords is necessary (I might have tens of passwords to change then: emails, banks, computer passwords, all website passwords visited from 29th March...)?

    What about the rollback using Time Machine? Is it needed?

    Especially if it seems that I haven't been infected.

  • by Matt Durben, Level 1 (1 point), Apr 4, 2012 8:04 AM in response to chadonline

    As to f-secure, there are 2 ways:

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    What's the difference between these infections?


  • by Matt Durben, Level 1 (1 point), Apr 4, 2012 8:35 AM in response to chadonline

    Isn't it strange that the VXVHWCIXCXQXD.COM got registered at 3.3.2012 but the infection was about 25th of march?

  • by tadanm256, Level 1 (0 points), Apr 4, 2012 8:37 AM in response to Matt Durben

    Matt Durben wrote:

    As to f-secure, there are 2 ways:

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    What's the difference between these infections?

    From what I understand, the virus can install itself in 2 ways depending on the user input:

    if you enter your main password when the virus asks for it, it will install (in/through) Safari

    if you refuse to enter your password, the virus will install in OSX/environment.

    What I find strange is why a virus would refuse to install and self-delete if it finds Microsoft Office or Word or Skype already installed on the computer. Why would it want to do this?

  • by Matt Durben, Level 1 (1 point), Apr 4, 2012 8:38 AM in response to tadanm256

    Ok, I didn't enter my pw and found it in the OS X environment.

  • by paddlesource, Level 1 (0 points), Apr 4, 2012 9:19 AM in response to lytic

    lytic wrote:

    Probably Little Snitch installed not in root. Do you have directory /Library/Little Snitch ?

    Yes, I have that directory.

    Definitely firstmn-army.com redirects to gangstasparadise.rr.nu, but can't understand how it relates to dlink.com.

    Could be totally unrelated. Just wondering if that's where I first picked up the virus. You would have to visit a website with an infected Java applet to get it, right? I realize now I shouldn't have pasted links, I was just thinking it could help track down the offending code. I don't see a way to edit previous posts, but let me know if there is.

  • by LysaM, Level 1 (0 points), Apr 4, 2012 10:43 AM in response to MadMacs0

    Thanks for the shout out, MadMacs0! I'm from the Intego research lab.

    With the latest variant, the malicious file is in the $HOME user's folder if you don't enter the Administrator password. Previous variants are found in /Users/Shared/.libgmalloc.dylib.

    The most recent variant of Flashback should be completely detected and cleaned with the latest virus definitions for VirusBarrier. But as you have all noted, this is being updated on a very frequent basis. If any of you are seeing something which you suspect is a new variant, please send us a sample (in a ZIP if possible) to sample@virusbarrier.com or upload it to www.virustotal.com as you said earlier in the thread.

  • by MadMacs0, Level 5 (4,801 points), Apr 4, 2012 10:46 AM in response to Matt Durben

    Matt Durben wrote:

    Isn't it strange that the VXVHWCIXCXQXD.COM got registered at 3.3.2012 but the infection was about 25th of march?

    No, they've been moving the server around as well as changing the url periodically.

  • by MadMacs0, Level 5 (4,801 points), Apr 4, 2012 10:52 AM in response to tadanm256

    tadanm256 wrote:

    What I find strange is why a virus would refuse to install and self-delete if it finds Microsoft Office or Word or Skype already installed on the computer. Why would it want to do this?

    To avoid detection. It knows that if it installs a Type 2 Infection those applications will crash and alert you that something is wrong. They need for it to avoid detection for an extended period in order to harvest as many username/password from the infected user as possible.

  • by Matt Durben, Level 1 (1 point), Apr 4, 2012 10:56 AM in response to MadMacs0

    1. I thought Creation Date: 03-apr-2012 means first registered date ever. And there's no history but this entry.

    2. Does the trojan itself change the url it connects to? Or does it come with one fixed url?

  • by nosoloe, Level 1 (0 points), Apr 4, 2012 11:59 AM in response to chadonline

    On Saturday evening somehow I was redirected to the "gangstasparadise.rr.nu/2f/" URL someone else mentioned earlier in the thread. I did not provide my admin password. Since then Little Snitch has been telling me about ".rserv" trying to connect to "cuojshtbohnt.com".

    For me the culprit plist in LaunchAgents was called "com.adobe.reader.plist". After going through the process outlined at F-Secure (http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml), I only have those two files (the plist and .rserv). I've gotten rid of both.

    I never allowed .rserv to connect, so I'm wondering if I'm still at risk. Unfortunately I don't have Time Machine running so I can't go back to before this all started, and I'm trying to avoid having to reinstall everything. I've since changed my admin password and any password I may have entered since I got infected. Will this suffice? Or do we not know enough about this to know for sure?

    P.S. Thanks to everyone who has contributed to the thread. It's been very helpful.

  • by Matt Durben, Level 1 (1 point), Apr 4, 2012 12:01 PM in response to chadonline

    As for the strange nonsense URLs: I let Wireshark run and got an answer from my ISP's DNS (the one that responds when URLs don't resolve).

    Hypertext Transfer Protocol
        GET /contacts.txt HTTP/1.1\r\n
            [Expert Info (Chat/Sequence): GET /contacts.txt HTTP/1.1\r\n]
                [Message: GET /contacts.txt HTTP/1.1\r\n]
                [Severity level: Chat]
                [Group: Sequence]
            Request Method: GET
            Request URI: /contacts.txt
            Request Version: HTTP/1.1
        Host: vxvhwcixcxqxd.com\r\n
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:1; id:xxx(by author) Gecko/20100101 Firefox/9.0.1\r\n
        Connection: close\r\n
        \r\n
        [Full request URI: http://vxvhwcixcxqxd.com/contacts.txt]

  • by Matt Durben, Level 1 (1 point), Apr 4, 2012 12:08 PM in response to Matt Durben

    Compromised files I found (so far):

    /Users/%Your_Username%
        .smgr (connects to nonsense URLs)
        .srwl (asks for pw)
        .png (comes with .srwl)

    /Users/%Your_Username%/Library/LaunchAgents
        com.apple.manager.plist (starts .smgr)

    /Users/%Your_Username%/Library
        .whatever.tmp

    /Users/Shared
        .libgmalloc.dylib
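As an added defender's check that pulls together the two `defaults read` tests Matt Durben quoted from F-Secure and the file list in the post above (this is not a tool from the thread, F-Secure or Intego), the script below reports each indicator it finds. It reads the plist files with grep instead of `defaults`, so it also runs on a copied or mounted home folder; the path arguments and the hypothetical function name are assumptions, and on a live Mac it would be called as `flashback_check "$HOME" /Users/Shared /Applications/Safari.app/Contents/Info.plist`.

```shell
#!/bin/sh
# Added example, not a tool from this thread, F-Secure or Intego: look for the Flashback
# indicators named in the posts above. The `defaults read` checks are done with grep on the
# plist files so it also runs where `defaults` is absent; paths are parameters (assumed).
# Usage: flashback_check HOME_DIR SHARED_DIR SAFARI_INFO_PLIST  (prints hits; returns 1 if any)
flashback_check() {
    fb_home="$1"; fb_shared="$2"; fb_safari="$3"; fb_hits=0

    # Type 1 (admin password entered): LSEnvironment injected into Safari's Info.plist
    if [ -f "$fb_safari" ] && grep -aq 'LSEnvironment' "$fb_safari"; then
        echo "type1: LSEnvironment key present in $fb_safari"; fb_hits=$((fb_hits + 1))
    fi

    # Type 2 (password refused): DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist
    fb_env="$fb_home/.MacOSX/environment.plist"
    if [ -f "$fb_env" ] && grep -aq 'DYLD_INSERT_LIBRARIES' "$fb_env"; then
        echo "type2: DYLD_INSERT_LIBRARIES set in $fb_env"; fb_hits=$((fb_hits + 1))
    fi

    # Library injected by the earlier variants
    if [ -f "$fb_shared/.libgmalloc.dylib" ]; then
        echo "payload: $fb_shared/.libgmalloc.dylib"; fb_hits=$((fb_hits + 1))
    fi

    # Hidden executables dropped in the home folder (names reported in this thread)
    for fb_name in .rserv .smgr .srwl .png; do
        if [ -f "$fb_home/$fb_name" ]; then
            echo "dropper: $fb_home/$fb_name"; fb_hits=$((fb_hits + 1))
        fi
    done

    # Per-user LaunchAgents that relaunch those executables (e.g. com.adobe.reader.plist)
    for fb_plist in "$fb_home"/Library/LaunchAgents/*.plist; do
        [ -f "$fb_plist" ] || continue
        if grep -aqE '/\.(rserv|smgr|srwl)' "$fb_plist"; then
            echo "launchagent: $fb_plist"; fb_hits=$((fb_hits + 1))
        fi
    done

    # Scratch files like ~/Library/.whatever.tmp
    for fb_tmp in "$fb_home"/Library/.*.tmp; do
        if [ -f "$fb_tmp" ]; then
            echo "tmpfile: $fb_tmp"; fb_hits=$((fb_hits + 1))
        fi
    done

    [ "$fb_hits" -eq 0 ]
}
```

A non-zero exit with an empty report is impossible by construction, so the script can be dropped into a cron job or a login hook and its exit status used as the alert.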
