how to find if you are affected by a malware program?

You can see if your machine is affected by opening up the Terminal.app and copy & paste:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

If you get the message “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”,

you must then copy & paste:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If you get the message :

”The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”,

Basically, the “does not exist” message means you’re clean, and Mac is safe.

If you see anything other than those messages, you can check out F-Secure’s guide to removing the Flashback trojan.

When I run the Terminal command lines I come out clean.

However when I run ClamXav it's showing that I have a 'OSX.Flashback-8' Infection.

What should I do?

Does it say what files are part of the infection? If so, then what are they?

This variant of the malware uses a file called .libgmalloc.dylib that's in the /Users/Shared/ directory. You can remove this by opening the Terminal (in the /Applications/Utilities/ folder) and running the following command (provide your password when prompted):

sudo rm /Users/Shared/.libgmalloc.dylib

Other then noting it as '.rserv', no it didn't detail any files. ClamXav dedected it as soon as I began the scan.

Something called .rserv wanted to connect to my mac a few days ago which I denied via Little Snitch. I suspect this is the source of my issue.

I just installed Apple's 2nd 'Java for OS X 2012-002' update. Restarted and ran Terminal and have scanned twice with ClamXav and everything came back clean.

I also don't see any .libgmalloc.dylib in the /Users/Shared/ directory (showing hidden files).

Am I in the clear now? Given what I've read on this issue, I plan on changing all my passwords regardless.

It sounds like you are in the clear. Do you have ClamXav set to remove, quarantine, or otherwise automatically handle malicious files?

flac124 wrote:

Other then noting it as '.rserv', no it didn't detail any files. ClamXav dedected it as soon as I began the scan.

If Little Snitch (or ClamXav) is detecting this then you have another variant of the trojan. I don't know why this is being ignored by the various articles on the flashback trojans (ClamXav detecting is a surprise to me). Maybe because it is the newest of the bunch and possibly done by another group distinct from the previous flashback trojans. Unlike the previous flashback strains this one is rather brain dead. It makes no attempt to detect if tools like Little Snitch are installed (which is why LS detects it). It installs a user LaunchAgent to spawn the code that LS is detecting (.rserv in this case but that is only one of many names it may use).

For the sake of completeness below is what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans including this new one. Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:

defaults read ~/.MacOSX/environment

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

ls -la ~/Library/LaunchAgents

grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

For the two defaults command if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.

The third and fourth commands are for the newer strain. The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection and again post its results. It should show the pathname to the spawned code (probably /Users/YOURACCOUNT/.rserv in this case).

----

Here's the ever growing thread where this new variant was first discussed.

.rserv wants to connect to cuojshtbohnt.com

The .rserv file connecing "to" your mac doesnt make much sense, but if it is on your mac and trying to connect to remote servers then that is of concern. A number of people are finding it to be a potentially malicious program, and as X423424X suggested you should run the Terminal commands he mentioned to see what the output is (and continue to block the connection efforts).

The first two command lines came back 'does not exist'.

The last two resulted in the following:

Josephs-MacBook-Pro:~ flac124$ ls -la ~/Library/LaunchAgents

total 64

drwx------ 10 flac124 staff 340 Mar 31 16:28 .

drwx------@ 52 flac124 staff 1768 Jan 28 22:47 ..

-rw-r--r-- 1 flac124 staff 697 Nov 13 20:15 com.adobe.AAM.Updater-1.0.plist

-rw-r--r--@ 1 flac124 staff 492 Mar 31 16:28 com.adobe.reader.plist

-rw-r--r-- 1 flac124 staff 618 Jan 28 22:48 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.81A53C77-3978-4E1B-A73F-67 3C71CF87C1.plist

-rw-r--r-- 1 flac124 staff 892 Nov 13 16:30 com.apple.CSConfigDotMacCert-flac124@me.com-SharedServices.Agent.plist

-rw-r--r-- 1 flac124 staff 544 Jan 5 21:54 com.macpaw.CleanMyMac.helperTool.plist

-rw-r--r-- 1 flac124 staff 554 Jan 5 21:54 com.macpaw.CleanMyMac.trashSizeWatcher.plist

-rw-r--r-- 1 flac124 staff 599 Jan 5 21:54 com.macpaw.CleanMyMac.volumeWatcher.plist

-rw-r--r--@ 1 flac124 staff 544 Mar 25 23:51 ws.agile.1PasswordAgent.plist

Josephs-MacBook-Pro:~ flac124$

Josephs-MacBook-Pro:~ flac124$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*/Users/flac124/Library/LaunchAgents/com.adobe.reader.pl ist:<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.adobe.reader</string><key>Progr amArguments</key><array><string>/Users/flac124/.rserv</string></array><key>RunAt Load</key><true/><key>StartInterval</key><integer>4212</integer><key>StandardErr orPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/nul l</string></dict></plist>

/Users/flac124/Library/LaunchAgents/com.macpaw.CleanMyMac.helperTool.plist: <string>/Users/flac124/.Trash</string>

Josephs-MacBook-Pro:~ flac124$

Josephs-MacBook-Pro:~ flac124$

Go to this site and follow the instructions:

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

This is not flashback.K. Appararently this one hasn't been named yet or I haven't spotted f-secure mentioning it yet.

I give some instructions to remove the known stuff below. But since I don't have a copy of .reserv I don't know if any more needs to be removed because I don't know what .reserv is referencing if anything. Thus the deletes may cut the head of the beast but it is possible something remaining might still be alive. To aid with that before removing the obvious files please do me a favor and do the (copy/paste) the following in terminal and post the results (if any):

grep -a -o '__ldpath__[ -~]*' ~/.rserv

Thanks in advance.

To delete the obvious files, in terminal, copy/paste (do not type) the following line:

rm -rf ~/.rserv ~/Library/LaunchAgents/com.adobe.reader.plist

That will remove the .rserv and launchagent. Then log out and log back in because the com.adobe.reader.plist is on a 70 minute cycle (that's the 4212 you see in there). Logging out and logging in will cause the launchagents to reload and now com.adobe.reader.plist will no longer be active.

madjikphotos wrote:

How to find out if you are affected by this new malware virus?

Go to: http://www.java.com/en/download/testjava.jsp

If it says:

Mac Users: Choose the Software Update item on the Apple menu to check that you have the most up-to-date version of Java on your Mac.

then you don't even have Java installed and you are fine. Don't worry about it. If you ever do need Java in the future (hopefully never), you will get the latest version at that time.

I posted this in another threat, if anybody is interested:

Little Snitch informed me that ~/.flserv want's to connect to vxvhwcixcxqxd.com and krymbrjasnof.com.

~/.flserv is started by ~/Library/LaunchAgents/com.adobe.flp.plist on my mac.

grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* shows the following result:

/Users/marco/Library/LaunchAgents/com.adobe.flp.plist:<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.adobe.flp</string><key>ProgramA rguments</key><array><string>/Users/marco/.flserv</string></array><key>RunAtLoa d </key><true/><key>StartInterval</key><integer>4212</integer><key>StandardErrorP a th</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</ s tring></dict></plist>

I'm not shure if i allowed any suspicious connection in the last days, nor do i remember providing my admin password to any suspicious installer - but the timestamp shows that it's been there since March, 30.

Both F-Secure tests are ambiguous in my opinion. Since steps 3 and 8 result in "...does not exist" inexperienced users might think they are not infected.

I deleted both ~/Library/LaunchAgents/com.adobe.flp.plist and ~/.flserv

Hopefully this is enough.

Marco g wrote:

I posted this in another threat, if anybody is interested:

Another threat? A little Freudian slip there, eh? 🙂

Little Snitch informed me that ~/.flserv want's to connect to vxvhwcixcxqxd.com and krymbrjasnof.com.

Excellent program that one.

I deleted both ~/Library/LaunchAgents/com.adobe.flp.plist and ~/.flserv

Also delete any environment file with:

rm ~/.MacOSX/environment.plist

Hopefully this is enough.

Log out and log back in.

I actually heard that the trojan will check for programs like Little Snitch, and delete itself if any of these are found to prevent it from being detected (I think I read that on Cnet). True?

etresoft wrote:

Marco g wrote:

I posted this in another threat, if anybody is interested:

Another threat? A little Freudian slip there, eh? 🙂

Seems to be a lot of that going around these days. I just accused another user of the exact same thing.😀

stevejobsfan0123 wrote:

I actually heard that the trojan will check for programs like Little Snitch, and delete itself if any of these are found to prevent it from being detected (I think I read that on Cnet). True?

No. This newer variant installs a launchagent to launch a chunk of code (~/.filename, filename has various names) is not a sneaky as the other flashback trojans (probably a different group writing this one). It doesn't check for Little Snitch and Little Snitch will jump all over that code when it attempts to call out. If I recall that is how it called attention to itself in the first place. Good 'ol LS!