Q: Dr Web Flashback Virus checker accurate?

jo823 wrote:

 

Update-downloaded Little Snitch and got the message "Little Snitch: .null wants to connect to vxvhwcixcxqxd.com"

Bad, bad bad.

Your infected, that url and many others like it all all over these forums and other Mac sites related to Flashback.

urlQuery gives

URL	http://vxvhwcixcxqxd.com/info.html
IP	91.233.244.102
ASN	AS57636 Olborg Ltd.
Location	Russian Federation
Report created	2012-04-05 23:00:49 CET
Status	Report complete.
Alerts	- No alerts detected
Reputation	Suspicious

Please try my removal script again. I have updated it to handle your installation.

Can you re-post the current script (I'm getting lost trying to keep up with this whole mess).

Thanks!

pcbjr wrote:

 

Can you re-post the current script (I'm getting lost trying to keep up with this whole mess).

https://discussions.apple.com/docs/DOC-3271

Success!

Unfortunately, I didn't have time to write a decent script. You did everything correctly. There is no need to reinstall.

jo823 wrote:

 

It defaults to "Keep", but was wondering if this is necessary to delete?

Don't delete it. Do you have a MobileMe account? If yes, that's what it's for.

That's exactly the kind of issue which caused me to suggest to etresoft to modify his script

<https://discussions.apple.com/message/18070822#18070822>

jo823 wrote:

Since I ran the script that seemed to remove the files, would you all think its necessary to go ahead with the removal and reinstall of Mac OS?

Your being of assistant since your machine is already infected, but eventually yes you should also backup just user files, erase and install everything and only return vetted files, no programs or TimeMachine restores.

Erase everything that can be rewritten too.

If you have a 10.6 disk, build from that as it's burned and work out, malware can't write to that.

Consider everything else tainted.

https://discussions.apple.com/docs/DOC-3251

I haven't seen the need to write a effective malware erradication guide for Mac's, but I've learned on the PC that everything gets infected, miss one little spot or get lazy and it's back on again.

A recent TidBITS article covers this issue

<http://tidbits.com/e/12918>

I'm a long time subscriber to TidBITS, and I regard their information as usually reliable. So far, I've been very skeptical about the "Dr. Web" reports (I must say that the name "Dr. Web" redoubled my skepticism, perhaps unfairly so). I'm beginning to change my mind.

ds store wrote:

 

urlQuery gives

 

URL	http://vxvhwcixcxqxd.com/info.html
IP	91.233.244.102
ASN	AS57636 Olborg Ltd.
Location	Russian Federation
Report created	2012-04-05 23:00:49 CET
Status	Report complete.
Alerts	- No alerts detected
Reputation	Suspicious

As stated in this post from a Dr. Web employee Re: .rserv wants to connect to cuojshtbohnt.com it is one of the three servers that Dr. Web (from Russia) was able to register in order to perform their Sinkhole operation that came up with the 600,000 number.  When we were running these URL's early on the weekend before last, they were all coming up as unknown until their registries made it to DNS.

etresoft wrote:

 

Please try my removal script again. I have updated it to handle your installation.

I still cannot comment on your Tip, so either I don't know how or I don't have permission.

I went back to the Tip early this morning and found that it had been updated on the sheet, so I tried that and it did everything I expected it to, which wasn't much, however I found that it cleanly deleted my environment.plist. So OK, I'll just drag it back out of the Trash. Not in the Trash. OK, then restore from backup worked.

So yes, I have a real environment.plist that isn't really important. Just something i was playing with, but realize that I have run across some users who own applications which use the environment.plist for purposes it was designed for.

So my recommendation would be, rather than using rm use defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES which will only remove that entry and leave anything else in tact.

MadMacs0 wrote:

 

etresoft wrote:

 

Please try my removal script again. I have updated it to handle your installation.

I still cannot comment on your Tip, so either I don't know how or I don't have permission.

It must be a permissions issue. There must be some level of points you need to add a comment. Can you see the comments I made?

I went back to the Tip early this morning and found that it had been updated on the sheet, so I tried that and it did everything I expected it to, which wasn't much, however I found that it cleanly deleted my environment.plist. So OK, I'll just drag it back out of the Trash. Not in the Trash. OK, then restore from backup worked.

 

So yes, I have a real environment.plist that isn't really important. Just something i was playing with, but realize that I have run across some users who own applications which use the environment.plist for purposes it was designed for.

 

So my recommendation would be, rather than using rm use defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES which will only remove that entry and leave anything else in tact.

I completely agree, up to a point. I have no intention of getting into the anti-virus business. Users who are sophisticated enough to have something in ~/.MacOSX/environment.plist aren't going to have any malware and, if they did, aren't going to need any help removing it. The script was and will remain a quick-n-dirty tool.

One of the problems with the script is that I have tried to hard to be gentle with it. That has already caused it to fail to remove an infection from one person. Considering all the possible variants of malware and all the misinformation, cryptic commands, and paranoia, I feel a "scorched-earth" approach is best. The script will try to return your user account to a default configuration. Any legitimate hacks you may have made will have to be re-done.

In any event, no decent software should ever use ~/.MacOSX/environment.plist to begin with. If removing it breaks something, then I've done you a favor by identifying some poorly ported Linux software.

etresoft wrote:

 

no decent software should ever use ~/.MacOSX/environment.plist to begin with. If removing it breaks something, then I've done you a favor by identifying some poorly ported Linux software.

Is BBEdit "poorly ported Linux software"?

This is a regrettably arrogant attitude. Environment.plist has nothing to do with Linux software, poorly ported or not. It is required because Mac OS X maintains different evironment variables for GUI and CLI apps.

Moreover, no software which uses a facility provided by the OS for the purpose which it was designed to support can be called 'poor'. Any app which uses environment.plist to set enironment variables does exactly what Apple says it should do, in exactly the way Apple says it should. See Environment Variables in Runtime Configuration Guidelines and Technical Q&A QA1067.

The problem with environment.plist is that—just like Microsoft with certain Windows features—Apple never envisaged that it could be used in the way this malware uses it. If there's anyone to blame, it's not 'poorly ported Linux software', but Apple itself. And if you want to look for a similar Apple-created wide-open hole, check out the login and logout hooks. (Which, yes, still work in Lion.) I'm rather surprised that the gang behind Flashback have ignored it so far—if, indeed, they have.

The environment.plist file is never required. There are other, much better ways to accomplish the same thing. An Aqua user interface application should never rely on environment variables. It is poor practice to ship code using that file. I don't care who uses it.

etresoft wrote:

 

The environment.plist file is never required.

BBEdit and others require it. Hence, your statement is incorrect.

Moreover, if Apple provides this facility, and explains how it should be used, I don't understand why a developer shouldn't use it.

There are other, much better ways to accomplish the same thing.

Such as?

An Aqua user interface application should never rely on environment variables.

And if it needs, or it is used, to run shell scripts, Perl, Phython, etc, what should it rely on?

It is poor practice to ship code using that file.

You are certainly entitled to your opinion. I see no reason or argument why anyone should agree with it.