jo823 wrote:
When I enter my Hardware UUID into the tool I get the following response:
probably infected by Backdoor.Flashback.39 !
Timestamp of the first access: 2012-04-03 21:27:19
Timestamp of the last access: 2012-04-06 17:48:52
Sorry I'm late to the party, but I have way too much going on right now for this...
My first observation is that this is very recent. As I recall everything we were watching last weekend was installed something like March 23 to March 28. Perhaps we are dealing with an as-yet-unnamed variant.
Next, from what I understand about this database, all it knows is that something with an identifier that includes an encrypted identifier that includes a UUID is trying to contact one of three Command & Control servers. It has no idea whether or not that Mac has any other files installed, just that one or more steps in the installation process have taken place. That's why they say "probably infected." We've been told that if the process finds certain software installed on that Mac it will abort the process and destroy itself, but I suppose something could go wrong with the destruction, leaving the communications module active.
Last weekend we were alerted to the situation by users who had Little Snitch installed and practically nobody that didn't have it complained. If this is new, I'm sure they have found a way to eliminate the Little Snitch canary again.
Perhaps some details have been deleted, but there's a lot I don't know about your situation. Do you have Little Snitch installed? Do you recall seeing any dialogs requesting your admin password, certificate approval, anything unusual around the date and time (although I'm not sure I know what time zone Dr. Web is using) they first heard something purportedly from your Mac? If so, do you remember whether you approved or dismissed that dialog?
I've scanned through all the tests that were run and they all seemed to have focused on removing a full infection. You've told us that you have Office 2008 installed, so a Type 2 infection probably could not have happened. I think we can rule out a Type 1 infection from the "K" variant, so again it may be a new one or it aborted and left something behind. I've tried to check all the commands and probably overlooked it, but did anybody check for a hidden executable in the home folder (I doubt that I remember them all from last week, but we had .rserv, .mkeeper, .jupdate and I'm sure several others)? I know there were some checks for LaunchAgents, but can't be sure they would have revealed one installed around that date.
And yes, I can't dismiss the possibility that Dr. Web is wrong or that duplicate UUIDs exist. Just thought it might be worth looking a little harder at this since it's apparently our first effort at a Dr. Web positive and possibly something new that we won't read about until the bloggers get back to work after their Easter weekend.
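Added example, not part of the thread: the two checks the post above asks about (hidden executables at the top of the home folder, and LaunchAgents installed around a given date) written as POSIX shell functions. The names .rserv, .mkeeper and .jupdate are the ones the poster recalls; the ~/Library/LaunchAgents location is standard macOS, and the report labels and the flashback_report function name are my own.

```shell
#!/bin/sh
# Added example (not from the thread): the two checks the post asks about, as
# shell functions. The names .rserv, .mkeeper and .jupdate are the ones the
# poster recalls; the rest is a generic defender's inventory, nothing more.

# Hidden regular files with the owner execute bit, directly inside $1.
list_hidden_executables() {
    find "$1" -maxdepth 1 -type f -name '.*' -perm -100 | sort
}

# True when the basename is one of the hidden executables named in the post.
is_known_flashback_name() {
    case "$(basename "$1")" in
        .rserv|.mkeeper|.jupdate) return 0 ;;
        *) return 1 ;;
    esac
}

# LaunchAgents plists under $1/Library/LaunchAgents modified after $2
# (YYYY-MM-DD). A touch -t reference file keeps this portable to GNU and BSD find.
list_recent_launch_agents() {
    dir="$1/Library/LaunchAgents"
    [ -d "$dir" ] || return 0
    ref=$(mktemp)
    touch -t "$(printf '%s' "$2" | tr -d -)0000" "$ref"   # YYYY-MM-DD -> CCYYMMDDhhmm
    find "$dir" -maxdepth 1 -name '*.plist' -newer "$ref" | sort
    rm -f "$ref"
}

# Print a labelled report for home directory $1 and date $2.
# Returns 0 when nothing was found, 1 when there is something to look at.
flashback_report() {
    home="$1"; since="$2"
    list_hidden_executables "$home" | while IFS= read -r f; do
        if is_known_flashback_name "$f"; then
            echo "KNOWN-NAME  $f"
        else
            echo "HIDDEN-EXEC $f"
        fi
    done
    list_recent_launch_agents "$home" "$since" | sed 's/^/LAUNCHAGENT /'
    n=$( { list_hidden_executables "$home"; list_recent_launch_agents "$home" "$since"; } | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Usage: flashback_report "$HOME" 2012-04-01
```

A hit on HIDDEN-EXEC only means an executable dotfile exists; compare it against what you know you installed before drawing conclusions.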