24 Replies Latest reply: Apr 8, 2012 12:17 PM by nerowolfe
madjikphotos Level 1 (0 points)

How to find out if you are affected by this new malware virus?

Mac OS X (10.7.3)
  • leroydouglas Level 6 (17,015 points)

    You can see if your machine is affected by opening up the Terminal and copying & pasting:


    defaults read /Applications/ LSEnvironment


    If you get the message “The domain/default pair of (/Applications/, LSEnvironment) does not exist”,



    you must then copy & paste:


    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES


    If you get the message:

    “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”,


    Basically, the “does not exist” message means you’re clean, and Mac is safe.


    If you see anything other than those messages, you can check out F-Secure’s guide to removing the Flashback trojan.

  • flac124 Level 1 (0 points)

    When I run the Terminal command lines I come out clean.


    However when I run ClamXav it's showing that I have a 'OSX.Flashback-8' Infection.


    What should I do?


  • Topher Kessler Level 6 (9,865 points)

    Does it say what files are part of the infection? If so, then what are they?


    This variant of the malware uses a file called .libgmalloc.dylib that's in the /Users/Shared/ directory. You can remove this by opening the Terminal (in the /Applications/Utilities/ folder) and running the following command (provide your password when prompted):


    sudo rm /Users/Shared/.libgmalloc.dylib

  • flac124 Level 1 (0 points)

    Other than noting it as '.rserv', no it didn't detail any files. ClamXav detected it as soon as I began the scan.


    Something called .rserv wanted to connect to my mac a few days ago which I denied via Little Snitch. I suspect this is the source of my issue.


    I just installed Apple's 2nd 'Java for OS X 2012-002' update. Restarted and ran Terminal and have scanned twice with ClamXav and everything came back clean.


    I also don't see any .libgmalloc.dylib in the /Users/Shared/ directory (showing hidden files).


    Am I in the clear now? Given what I've read on this issue, I plan on changing all my passwords regardless.




  • Topher Kessler Level 6 (9,865 points)

    It sounds like you are in the clear. Do you have ClamXav set to remove, quarantine, or otherwise automatically handle malicious files?

  • X423424X Level 6 (14,215 points)

    flac124 wrote:


    Other than noting it as '.rserv', no it didn't detail any files. ClamXav detected it as soon as I began the scan.


    If Little Snitch (or ClamXav) is detecting this then you have another variant of the trojan.  I don't know why this is being ignored by the various articles on the flashback trojans (ClamXav detecting is a surprise to me).  Maybe because it is the newest of the bunch and possibly done by another group distinct from the previous flashback trojans.  Unlike the previous flashback strains this one is rather brain dead.  It makes no attempt to detect if tools like Little Snitch are installed (which is why LS detects it).  It installs a user LaunchAgent to spawn the code that LS is detecting (.rserv in this case but that is only one of many names it may use).


    For the sake of completeness below is what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans including this new one.  Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:


    defaults read ~/.MacOSX/environment

    defaults read /Applications/ LSEnvironment

    ls -la ~/Library/LaunchAgents

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*


    For the two defaults command if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.


    The third and fourth commands are for the newer strain.  The third command, ls, just lists the contents of your LaunchAgents, if any.  That's additional info to be used in conjunction with the last grep command.  If the grep shows any results then that too may indicate infection and again post its results.  It should show the pathname to the spawned code (probably /Users/YOURACCOUNT/.rserv in this case).




    Here's the ever growing thread where this new variant was first discussed.


    .rserv wants to connect to

  • Topher Kessler Level 6 (9,865 points)

    The .rserv file connecting "to" your mac doesn't make much sense, but if it is on your mac and trying to connect to remote servers then that is of concern. A number of people are finding it to be a potentially malicious program, and as X423424X suggested you should run the Terminal commands he mentioned to see what the output is (and continue to block the connection efforts).

  • flac124 Level 1 (0 points)

    The first two command lines came back 'does not exist'.


    The last two resulted in the following:




    Josephs-MacBook-Pro:~ flac124$ ls -la ~/Library/LaunchAgents

    total 64

    drwx------  10 flac124  staff   340 Mar 31 16:28 .

    drwx------@ 52 flac124  staff  1768 Jan 28 22:47 ..

    -rw-r--r--   1 flac124  staff   697 Nov 13 20:15 com.adobe.AAM.Updater-1.0.plist

    -rw-r--r--@  1 flac124  staff   492 Mar 31 16:28 com.adobe.reader.plist

    -rw-r--r--   1 flac124  staff   618 Jan 28 22:48 3C71CF87C1.plist

    -rw-r--r--   1 flac124  staff   892 Nov 13 16:30

    -rw-r--r--   1 flac124  staff   544 Jan  5 21:54 com.macpaw.CleanMyMac.helperTool.plist

    -rw-r--r--   1 flac124  staff   554 Jan  5 21:54 com.macpaw.CleanMyMac.trashSizeWatcher.plist

    -rw-r--r--   1 flac124  staff   599 Jan  5 21:54 com.macpaw.CleanMyMac.volumeWatcher.plist

    -rw-r--r--@  1 flac124  staff   544 Mar 25 23:51 ws.agile.1PasswordAgent.plist

    Josephs-MacBook-Pro:~ flac124$

    Josephs-MacBook-Pro:~ flac124$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

    /Users/flac124/Library/LaunchAgents/ ist:<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ""><plist version="1.0"><dict><key>Label</key><string>com.adobe.reader</string><key>ProgramArguments</key><array><string>/Users/flac124/.rserv</string></array><key>RunAtLoad</key><true/><key>StartInterval</key><integer>4212</integer><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string></dict></plist>

    /Users/flac124/Library/LaunchAgents/com.macpaw.CleanMyMac.helperTool.plist:    <string>/Users/flac124/.Trash</string>

    Josephs-MacBook-Pro:~ flac124$

    Josephs-MacBook-Pro:~ flac124$
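    As an added example (not code from any poster in this thread), the same LaunchAgent check done by parsing the plists instead of grepping them, run here on constructed copies of the two files from the output above. Parsing looks only at what launchd actually executes, so the CleanMyMac entry that the grep also matched is not reported; the benign agent's contents and the file paths are constructed for the example.

```python
import plistlib
import re

# Constructed sample LaunchAgent files, modelled on the ones quoted in the thread.
# The first mirrors the malicious com.adobe.reader.plist; the second is a benign
# agent whose plist merely mentions a hidden path (constructed; the grep in the
# thread matched it too, a false positive that parsing the plist avoids).
SAMPLE_AGENTS = {
    "/Users/flac124/Library/LaunchAgents/com.adobe.reader.plist": """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.adobe.reader</string>
<key>ProgramArguments</key><array><string>/Users/flac124/.rserv</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>4212</integer>
<key>StandardErrorPath</key><string>/dev/null</string>
<key>StandardOutPath</key><string>/dev/null</string>
</dict></plist>""",
    "/Users/flac124/Library/LaunchAgents/com.macpaw.CleanMyMac.helperTool.plist": """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.macpaw.CleanMyMac.helperTool</string>
<key>ProgramArguments</key><array><string>/Applications/CleanMyMac.app/Contents/MacOS/helper</string></array>
<key>WatchPaths</key><array><string>/Users/flac124/.Trash</string></array>
</dict></plist>""",
}

# A dotfile sitting directly in a user's home, e.g. /Users/joe/.rserv or /Users/joe/.flserv.
HIDDEN_HOME_FILE = re.compile(r"^/Users/[^/]+/\.[^/]+$")


def suspicious_agents(agents):
    """Return the LaunchAgents whose program is a hidden file in a home directory."""
    findings = []
    for path, xml in agents.items():
        plist = plistlib.loads(xml.encode("utf-8"))
        # Either Program or ProgramArguments[0] names what launchd runs.
        program = plist.get("Program") or (plist.get("ProgramArguments") or [None])[0]
        if program and HIDDEN_HOME_FILE.match(program):
            findings.append({
                "agent": path,
                "label": plist.get("Label"),
                "program": program,
                "run_at_load": bool(plist.get("RunAtLoad", False)),
                "interval_minutes": plist.get("StartInterval", 0) // 60,  # 4212 s -> 70 min
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_agents(SAMPLE_AGENTS):
        print(finding)
```

    On a real machine the same function can be fed the contents of ~/Library/LaunchAgents/*.plist; anything it reports should be posted or quarantined rather than run.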

  • X423424X Level 6 (14,215 points)

    This is not flashback.K.  Apparently this one hasn't been named yet or I haven't spotted f-secure mentioning it yet.


    I give some instructions to remove the known stuff below.  But since I don't have a copy of .rserv I don't know if any more needs to be removed because I don't know what .rserv is referencing if anything.  Thus the deletes may cut the head of the beast but it is possible something remaining might still be alive.  To aid with that before removing the obvious files please do me a favor and do the following (copy/paste) in terminal and post the results (if any):


    grep -a -o '__ldpath__[ -~]*' ~/.rserv


    Thanks in advance.


    To delete the obvious files, in terminal, copy/paste (do not type) the following line:


    rm -rf ~/.rserv ~/Library/LaunchAgents/com.adobe.reader.plist


    That will remove the .rserv and launchagent.  Then log out and log back in because the com.adobe.reader.plist is on a 70 minute cycle (that's the 4212 you see in there).  Logging out and logging in will cause the launchagents to reload and now com.adobe.reader.plist will no longer be active.

  • etresoft Level 7 (27,410 points)

    madjikphotos wrote:


    How to find out if you are affected by this new malware virus?

    Go to:


    If it says:

    Mac Users: Choose the Software Update item on the Apple menu to check that you have the most up-to-date version of Java on your Mac.


    then you don't even have Java installed and you are fine. Don't worry about it. If you ever do need Java in the future (hopefully never), you will get the latest version at that time.

  • Marco g Level 1 (5 points)

    I posted this in another threat, if anybody is interested:


    Little Snitch informed me that ~/.flserv wants to connect to and


    ~/.flserv is started by ~/Library/LaunchAgents/com.adobe.flp.plist on my mac.


    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* shows the following result:

    /Users/marco/Library/LaunchAgents/com.adobe.flp.plist:<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ""><plist version="1.0"><dict><key>Label</key><string>com.adobe.flp</string><key>ProgramArguments</key><array><string>/Users/marco/.flserv</string></array><key>RunAtLoad</key><true/><key>StartInterval</key><integer>4212</integer><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string></dict></plist>


    I'm not sure if I allowed any suspicious connection in the last days, nor do I remember providing my admin password to any suspicious installer - but the timestamp shows that it's been there since March 30.


    Both F-Secure tests are ambiguous in my opinion. Since steps 3 and 8 result in "...does not exist" inexperienced users might think they are not infected.


    I deleted both ~/Library/LaunchAgents/com.adobe.flp.plist and ~/.flserv


    Hopefully this is enough.

  • etresoft Level 7 (27,410 points)

    Marco g wrote:


    I posted this in another threat, if anybody is interested:

    Another threat? A little Freudian slip there, eh?


    Little Snitch informed me that ~/.flserv wants to connect to and

    Excellent program that one.


    I deleted both ~/Library/LaunchAgents/com.adobe.flp.plist and ~/.flserv

    Also delete any environment file with:

    rm ~/.MacOSX/environment.plist


    Hopefully this is enough.

    Log out and log back in.

  • stevejobsfan0123 Level 8 (39,765 points)

    I actually heard that the trojan will check for programs like Little Snitch, and delete itself if any of these are found to prevent it from being detected (I think I read that on Cnet). True?
