
flashback virus

I just read an article about flash player and fake upgrades that give the computer a virus called flashback. How do you know if your Mac has it?

iMac, Mac OS X (10.7), 2.5 GHz Intel Core i5 Processor

Posted on Apr 5, 2012 3:03 PM

44 replies

Apr 9, 2012 9:20 AM in response to WZZZ

I just ran the same diagnostic Donald2001 did and got the same results. So I'm clear. Just curious though, has Apple put the fix in their software updates to prevent this trojan from getting on any more machines? Also, what effect does it have on infected machines? Just what does it do?


I just ran the Software Update thingy and it says I'm up to date, nothing new available.

Apr 9, 2012 9:45 AM in response to Pvt. Hogan

This is the latest detect and remove:


https://discussions.apple.com/docs/DOC-3271



The Apple Java update patches the vulnerabilities that were exploited; it does not remove a prior infection. However, it is reported there are several vulnerabilities in the update which are being discussed and for which code is being written and sold for further exploits.




I have no way of knowing how true this is. Whether true or not, Java will continue to be exploited and I would always keep it disabled.

Apr 9, 2012 11:37 AM in response to WZZZ

OK WZZZ, here is what I got on my last line in Terminal (the other 3 were OK; they said "does not exist")...



my name-imac:~ my name$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*
/Users/myname/Library/LaunchAgents/com.macpaw.CleanMyMac.helperTool.plist:<string>/Users/myname/.Trash</string>


obviously where I put myname it is my actual name. The other ones said does not exist but I was worried about this one. Thanks.


Melinda


oh also, I don't use Safari. I use Firefox if that makes a difference.

Apr 9, 2012 12:48 PM in response to Billshuman

If you have CleanMyMac on your computer, it appears to be a legitimate file. (Did you recently uninstall it but not empty the Trash? I'm not sure I understand the reference to .Trash in the result.) But to be sure, I think you might want to wait until X4, who wrote those commands, can weigh in on this.

Apr 9, 2012 1:24 PM in response to WZZZ

It was specifically because of CleanMyMac that I revised the grep to the following:


grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"


This filters out the reference to .Trash and thus the confusion about CleanMyMac.


My current set of commands is:


defaults read ~/.MacOSX/environment

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

ls -la ~/Library/LaunchAgents

grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"


Tossed in a Firefox test as well.

Apr 9, 2012 6:13 PM in response to WZZZ

The original grep was only looking for any line that contained /Users/USERNAME/.anystring in the LaunchAgents (where anystring is anything after the initial dot). Since enough users were using CleanMyMac and its launchagent contains /Users/USERNAME/.Trash, the original grep kept displaying it, thus requiring explanation. The change was to pipe the output of the first grep (that's the bar, "|") into another grep. That second grep explicitly looks for /Users/USERNAME/.Trash, and the -v grep option says output everything except the match.


Does that help?

Apr 9, 2012 6:34 PM in response to Dennis Langlois

Dennis Langlois wrote:



The easiest way to check if you have the flashback virus is to download and run this little app. No terminal commands required and it is done in a second. If you do not have the virus make sure and do a software update for Snow Leopard or Lion and you are good to go.


The trouble with that tool, as well as all the other checkers appearing elsewhere (like macupdate.com) that I have looked at, is that they keep basing what they are looking for on F-Secure's Trojan-Downloader:OSX/Flashback.I and not Trojan-Downloader:OSX/Flashback.K. Thus they don't check the launchagents.


I could make a more elaborate script which just said yes or no. But that would be longer than running 4 simple commands and would look more ominous to novice users, probably making them turn to those incomplete tools and having a false sense of security.


My tests are a balance of simplicity with enough to try to detect the most obvious indicators of the flashback trojans. It in no way addresses how to remove it if it is detected.


As an example of a full checker and removal for the current trojans, see etresoft's "Checking for and removing the "Flashback" trojan".

Apr 9, 2012 6:42 PM in response to Dennis Langlois

I'll repeat my post yet again. This time with the updated command set.


-----------


Here's what I am suggesting as a rudimentary test for (not remove) some of the known strains of the flashback trojans. Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:


defaults read ~/.MacOSX/environment

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

ls -la ~/Library/LaunchAgents

grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"


For the three defaults commands, if you get anything other than a "does not exist" error message, post the results since you are almost certainly infected.


The fourth command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep displays any results then that too may indicate infection and again post its results.


For removal, the current instructions are specified at F-Secure's Trojan-Downloader:OSX/Flashback.K.
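The LaunchAgents grep and the environment.plist check from the command set above, wrapped in a small POSIX sh script so they can be run against constructed sample files. This is an added example, not a script from the thread or from X4; the directory paths and user name are parameters (constructed values in the demo), and the two defaults reads against the Safari and Firefox Info.plist files are left out because defaults only exists on OS X.

```shell
#!/bin/sh
# Added example, not a script from the thread or from X4: the LaunchAgents and
# environment.plist indicators from X4's command set, as functions that take
# paths as parameters so they can be run against constructed files.
# On a real Mac: scan_launchagents "$HOME/Library/LaunchAgents" "$USER"

# Print any line in the agents under $1 that references a hidden path
# /Users/$2/.something, minus the .Trash line CleanMyMac's helper writes.
# Returns 0 when nothing suspicious is found, 1 otherwise.
scan_launchagents() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "no LaunchAgents directory at $dir"; return 0; }
    hits=$(grep "/Users/$user/\..*" "$dir"/* 2>/dev/null \
           | grep -v "/Users/$user/\.Trash") || true
    if [ -n "$hits" ]; then
        echo "hidden-path references found (post these to the thread):"
        echo "$hits"
        return 1
    fi
    echo "no hidden-path references in $dir"
    return 0
}

# X4's first command only succeeds when ~/.MacOSX/environment.plist exists,
# so its presence under the home directory $1 is itself the indicator.
check_environment_plist() {
    if [ -e "$1/.MacOSX/environment.plist" ]; then
        echo "$1/.MacOSX/environment.plist exists (post its contents)"
        return 1
    fi
    echo "no .MacOSX/environment.plist under $1"
    return 0
}

# Stand-alone run over constructed sample agents: the benign CleanMyMac .Trash
# reference plus a made-up agent pointing at a hidden dotfile.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/LaunchAgents"
    printf '<string>/Users/someuser/.Trash</string>\n' \
        > "$tmp/LaunchAgents/com.macpaw.CleanMyMac.helperTool.plist"
    printf '<string>/Users/someuser/.example_hidden</string>\n' \
        > "$tmp/LaunchAgents/com.constructed.example.plist"
    scan_launchagents "$tmp/LaunchAgents" someuser; rc=$?
    check_environment_plist "$tmp" || rc=1
    rm -rf "$tmp"
    return $rc
}
if demo; then echo "RESULT: no indicators"; else echo "RESULT: indicators found"; fi
```

The demo run reports indicators found, because the constructed hidden-dotfile agent survives the grep -v filter while the CleanMyMac .Trash line does not.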
