gusperik wrote:
Can't find a single note, googling on how to search for the trojan if you're using Chrome, so I turn this way to ask the pros (?) how to deal with this.
Well, I'm not a "pro", or even a "pro (?)", but I'll take a bite.
What this strain of Flashback does, in this instance, is change a specific key in an application bundle's configuration file. The key is LSEnvironment (LS = Launch Services), and it defines environment variables to be set before launching the application. The altered key tells LS to load a shared code library in the app's virtual memory space prior to launching the app.
All Mac OS X application bundles have this configuration file, so the method is not specific to any app. Most configuration files do not contain this key, but some do (eg, iTunes, GarageBand), so the presence of the key, in itself, is not diagnostic. What is significant is:
(a) The presence of the LSEnvironment key in configuration files of apps which normally do not have it (eg, Safari);
(b) Its content, ie, the instruction to load the shared code library, for apps which normally do not have it;
(c) The shared code library's name and location.
Therefore, to check Chrome, all you need to do is simply to change the path specified in the defaults command from Safari to Chrome. Assuming Chrome is in its default location, ie, </Applications>, first, we do
$ defaults read /Applications/Google\ Chrome.app/Contents/Info
This should return the entire contents of the configuration file, and we do it only to make sure we have the right path. If we type the correct command and it returns an error message, either Chrome is not installed, or it's in a different location.
If we have the right path, then we check the content of the LSEnvironment key:
$ defaults read /Applications/Google\ Chrome.app/Contents/Info LSEnvironment
Chrome doesn't use this key, so the reply should be:
The domain/default pair of (/Applications/Google Chrome.app/Contents/Info, LSEnvironment) does not exist
For Chrome (but not necessarily for other apps), anything else means something is not quite right; if it contains the string "DYLD", then it's serious, because it calls the dynamic loader, which is responsible for loading the shared code library. In the case of Chrome, it probably indicates the presence of the Trojan (but, so far, I'm not aware of any report of Flashback targeting Chrome).
Clear as mud?
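The manual `defaults read` check above scales poorly once you want to look at every bundle on a machine. The script below is an added example (mine, not the poster's, and not an Apple or Chrome tool) that applies the same three tests to an Info.plist: is the LSEnvironment key present, does the app normally carry it, and does any variable name in it contain "DYLD". The sample plists are constructed for the example, the `.PLACEHOLDER.so` path is a made-up stand-in for whatever library name a real infection would use, and `KNOWN_LSENV_APPS` is just the two apps the reply names, not a complete allow-list. `inspect_info_plist` runs anywhere with Python's standard `plistlib` (it also reads binary plists, which real bundles often use); `scan_applications` is only meaningful on a Mac.

```python
import plistlib
from pathlib import Path

# Apps the reply names as legitimately carrying an LSEnvironment key.
# Assumption: illustrative only, not a complete allow-list.
KNOWN_LSENV_APPS = {"iTunes.app", "GarageBand.app"}


def inspect_info_plist(plist_bytes: bytes, app_name: str) -> dict:
    """Classify one Info.plist by the state of its LSEnvironment key.

    status is one of:
      clean      - no LSEnvironment key at all (normal for Chrome and Safari)
      expected   - key present, no DYLD* variables, app is known to carry the key
      unusual    - key present, no DYLD* variables, app normally lacks the key
      suspicious - key present and some variable name contains "DYLD"
    """
    info = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    env = info.get("LSEnvironment")
    if env is None:
        return {"app": app_name, "status": "clean", "lsenvironment": None, "dyld_vars": {}}
    # LSEnvironment is supposed to be a dictionary of VAR -> value; anything else is malformed.
    if not isinstance(env, dict):
        return {"app": app_name, "status": "suspicious", "lsenvironment": env, "dyld_vars": {}}
    dyld_vars = {k: v for k, v in env.items() if "DYLD" in k.upper()}
    if dyld_vars:
        status = "suspicious"
    elif app_name in KNOWN_LSENV_APPS:
        status = "expected"
    else:
        status = "unusual"
    return {"app": app_name, "status": status, "lsenvironment": env, "dyld_vars": dyld_vars}


def scan_applications(root: str = "/Applications") -> list:
    """Apply inspect_info_plist to every bundle directly under root (macOS only)."""
    results = []
    for app in sorted(Path(root).glob("*.app")):
        plist = app / "Contents" / "Info.plist"
        if not plist.is_file():
            continue
        try:
            results.append(inspect_info_plist(plist.read_bytes(), app.name))
        except Exception as exc:  # unreadable plist: report it rather than abort the scan
            results.append({"app": app.name, "status": "error", "lsenvironment": str(exc), "dyld_vars": {}})
    return results


def _plist(body: str) -> bytes:
    """Wrap a fragment in a minimal XML plist. Constructed sample data, not a real bundle."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        '<plist version="1.0"><dict>' + body + "</dict></plist>\n"
    ).encode()


# Constructed samples: a Chrome plist as it should look, one with the altered key, and an
# app that legitimately sets a non-DYLD variable.
CLEAN_CHROME = _plist("<key>CFBundleIdentifier</key><string>com.google.Chrome</string>")
TAMPERED_CHROME = _plist(
    "<key>CFBundleIdentifier</key><string>com.google.Chrome</string>"
    "<key>LSEnvironment</key><dict>"
    "<key>DYLD_INSERT_LIBRARIES</key>"
    "<string>/Applications/Google Chrome.app/Contents/Resources/.PLACEHOLDER.so</string>"
    "</dict>"
)
GARAGEBAND = _plist("<key>LSEnvironment</key><dict><key>EXAMPLE_VAR</key><string>1</string></dict>")

if __name__ == "__main__":
    for data, name in [(CLEAN_CHROME, "Google Chrome.app"),
                       (TAMPERED_CHROME, "Google Chrome.app"),
                       (GARAGEBAND, "GarageBand.app")]:
        r = inspect_info_plist(data, name)
        print(f"{r['app']:20} {r['status']:10} {r['dyld_vars']}")
```

On a real machine, `scan_applications()` gives one record per bundle; anything reported as `suspicious` is the case the reply describes (the dynamic loader being told to pull in a library before the app starts), and `unusual` is worth comparing against a clean install of the same app before drawing conclusions.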