jo823

Q: Dr Web Flashback Virus checker accurate?

Does anyone have any info about how accurate the Flashback checker from Dr Web is? http://public.dev.drweb.com/april

When I enter my Hardware UUID into the tool I get the following response:

probably infected by Backdoor.Flashback.39 !

Timestamp of the first access: 2012-04-03 21:27:19
Timestamp of the last access: 2012-04-06 17:48:52

However when I follow the instructions from the F-Secure website to locate and remove the virus (http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/m-p/10887#M2223) using Terminal, I get the files "do not exist" responses.

I haven't experienced any issues with my computer but figured I'd check to be certain, and now I'm not sure how to proceed.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 7, 2012 10:14 AM

  • by ds store, Level 7 (30,400 points), Apr 9, 2012 1:55 PM in response to jo823

    jo823 wrote:

    Update-downloaded Little Snitch and got the message "Little Snitch: .null wants to connect to vxvhwcixcxqxd.com"

    Bad, bad bad.

    You're infected; that url and many others like it are all over these forums and other Mac sites related to Flashback.

    urlQuery gives

    URL: http://vxvhwcixcxqxd.com/info.html
    IP: 91.233.244.102
    ASN: AS57636 Olborg Ltd.
    Location: Russian Federation
    Report created: 2012-04-05 23:00:49 CET
    Status: Report complete.
    Alerts: No alerts detected
    Reputation: Suspicious
  • by etresoft, Level 7 (29,380 points), Apr 9, 2012 2:15 PM in response to jo823

    Please try my removal script again. I have updated it to handle your installation.

  • by pcbjr, Level 2 (282 points), Apr 9, 2012 3:20 PM in response to etresoft

    Can you re-post the current script (I'm getting lost trying to keep up with this whole mess).

    Thanks!

  • by jo823, Level 1 (0 points), Apr 9, 2012 3:47 PM in response to etresoft

    etresoft, I re-ran your removal script and it deleted the null.plist file. It checks the applications and ends saying I seem to be malware free. I re-ran again and it asks if I want to delete file "com.apple.CSConfigDotMacCert-username@me.com-SharedServices.Agent.plist that runs program /System/Library/Frameworks/OSServices.framework/Versions/A/Support/CSConfigDotMacCert"?

    It defaults to "Keep", but was wondering if this is necessary to delete?

    I appreciate the updated script, as well as MadMacs0's advice. Since I ran the script that seemed to remove the files, would you all think it's necessary to go ahead with the removal and reinstall of Mac OS?

  • by MadMacs0, Level 5 (4,801 points), Apr 9, 2012 4:02 PM in response to pcbjr

    pcbjr wrote:

    Can you re-post the current script (I'm getting lost trying to keep up with this whole mess).

    https://discussions.apple.com/docs/DOC-3271

  • by etresoft, Level 7 (29,380 points), Apr 9, 2012 4:07 PM in response to jo823

    Success!

    Unfortunately, I didn't have time to write a decent script. You did everything correctly. There is no need to reinstall.

  • by fane_j, Level 4 (3,677 points), Apr 9, 2012 4:10 PM in response to jo823

    jo823 wrote:

    It defaults to "Keep", but was wondering if this is necessary to delete?

    Don't delete it. Do you have a MobileMe account? If yes, that's what it's for.

    That's exactly the kind of issue which caused me to suggest to etresoft to modify his script

    <https://discussions.apple.com/message/18070822#18070822>

  • by ds store, Level 7 (30,400 points), Apr 9, 2012 4:16 PM in response to jo823

    jo823 wrote:

    Since I ran the script that seemed to remove the files, would you all think it's necessary to go ahead with the removal and reinstall of Mac OS?

    You're being of assistance since your machine is already infected, but eventually yes, you should also back up just user files, erase and install everything and only return vetted files, no programs or Time Machine restores.

    Erase everything that can be rewritten too.

    If you have a 10.6 disk, build from that as it's burned and work out, malware can't write to that.

    Consider everything else tainted.

    https://discussions.apple.com/docs/DOC-3251

    I haven't seen the need to write an effective malware eradication guide for Macs, but I've learned on the PC that everything gets infected; miss one little spot or get lazy and it's back on again.

  • by fane_j, Level 4 (3,677 points), Apr 9, 2012 5:49 PM in response to jo823

    A recent TidBITS article covers this issue

    <http://tidbits.com/e/12918>

    I'm a long time subscriber to TidBITS, and I regard their information as usually reliable. So far, I've been very skeptical about the "Dr. Web" reports (I must say that the name "Dr. Web" redoubled my skepticism, perhaps unfairly so). I'm beginning to change my mind.

  • by MadMacs0, Level 5 (4,801 points), Apr 9, 2012 6:33 PM in response to ds store

    ds store wrote:

    urlQuery gives

    URL: http://vxvhwcixcxqxd.com/info.html
    IP: 91.233.244.102
    ASN: AS57636 Olborg Ltd.
    Location: Russian Federation
    Report created: 2012-04-05 23:00:49 CET
    Status: Report complete.
    Alerts: No alerts detected
    Reputation: Suspicious

    As stated in this post from a Dr. Web employee, Re: .rserv wants to connect to cuojshtbohnt.com, it is one of the three servers that Dr. Web (from Russia) was able to register in order to perform their sinkhole operation that came up with the 600,000 number. When we were running these URLs early on the weekend before last, they were all coming up as unknown until their registrations made it to DNS.

  • by MadMacs0, Level 5 (4,801 points), Apr 9, 2012 6:50 PM in response to etresoft

    etresoft wrote:

    Please try my removal script again. I have updated it to handle your installation.

    I still cannot comment on your Tip, so either I don't know how or I don't have permission.

    I went back to the Tip early this morning and found that it had been updated on the sheet, so I tried that and it did everything I expected it to, which wasn't much; however I found that it cleanly deleted my environment.plist. So OK, I'll just drag it back out of the Trash. Not in the Trash. OK, then restore from backup worked.

    So yes, I have a real environment.plist that isn't really important. Just something I was playing with, but realize that I have run across some users who own applications which use the environment.plist for purposes it was designed for.

    So my recommendation would be, rather than using rm, use defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES which will only remove that entry and leave anything else intact.
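As an added illustration of MadMacs0's point (example code written for this page, not from the thread or from etresoft's script): a read-only check for a DYLD_INSERT_LIBRARIES entry in an environment.plist, and a removal that drops only that key and keeps the rest of the file, the same effect as the defaults delete command above and unlike rm. The sample plist contents, the temporary file path and the .dylib path are constructed placeholders.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Key the thread describes Flashback adding to ~/.MacOSX/environment.plist
INJECT_KEY = "DYLD_INSERT_LIBRARIES"

# Constructed sample plist contents: one legitimate entry (PATH, the kind of
# setting an application such as BBEdit relies on) next to an injection entry.
# The .dylib path is a placeholder, not a real indicator from the thread.
SAMPLE_ENV_PLIST = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "DYLD_INSERT_LIBRARIES": "/Users/example/.null/placeholder.dylib",
}


def make_sample_plist():
    """Write the constructed sample to a temporary environment.plist and
    return its path (stands in for ~/.MacOSX/environment.plist)."""
    path = os.path.join(tempfile.mkdtemp(), "environment.plist")
    with open(path, "wb") as fh:
        plistlib.dump(SAMPLE_ENV_PLIST, fh)
    return path


def inspect_environment_plist(path):
    """Read-only check: return the DYLD_INSERT_LIBRARIES value if the file
    exists and carries that key, otherwise None."""
    p = Path(path)
    if not p.is_file():
        return None
    with p.open("rb") as fh:
        return plistlib.load(fh).get(INJECT_KEY)


def remove_inject_key(path):
    """Drop only DYLD_INSERT_LIBRARIES and keep every other entry, the same
    effect as `defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES`
    and unlike `rm`. Returns (removed_value_or_None, remaining_keys)."""
    p = Path(path)
    with p.open("rb") as fh:
        data = plistlib.load(fh)
    removed = data.pop(INJECT_KEY, None)
    if removed is not None:
        with p.open("wb") as fh:          # rewrite without the injection key
            plistlib.dump(data, fh)
    return removed, sorted(data)
```

Calling make_sample_plist(), then inspect_environment_plist() and remove_inject_key() on the returned path, shows the key being found, removed, and PATH surviving.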

  • by etresoft, Level 7 (29,380 points), Apr 10, 2012 7:11 AM in response to MadMacs0

    MadMacs0 wrote:

    etresoft wrote:

    Please try my removal script again. I have updated it to handle your installation.

    I still cannot comment on your Tip, so either I don't know how or I don't have permission.

    It must be a permissions issue. There must be some level of points you need to add a comment. Can you see the comments I made?

    I went back to the Tip early this morning and found that it had been updated on the sheet, so I tried that and it did everything I expected it to, which wasn't much; however I found that it cleanly deleted my environment.plist. So OK, I'll just drag it back out of the Trash. Not in the Trash. OK, then restore from backup worked.

    So yes, I have a real environment.plist that isn't really important. Just something I was playing with, but realize that I have run across some users who own applications which use the environment.plist for purposes it was designed for.

    So my recommendation would be, rather than using rm, use defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES which will only remove that entry and leave anything else intact.

    I completely agree, up to a point. I have no intention of getting into the anti-virus business. Users who are sophisticated enough to have something in ~/.MacOSX/environment.plist aren't going to have any malware and, if they did, aren't going to need any help removing it. The script was and will remain a quick-n-dirty tool.

    One of the problems with the script is that I have tried too hard to be gentle with it. That has already caused it to fail to remove an infection from one person. Considering all the possible variants of malware and all the misinformation, cryptic commands, and paranoia, I feel a "scorched-earth" approach is best. The script will try to return your user account to a default configuration. Any legitimate hacks you may have made will have to be re-done.

    In any event, no decent software should ever use ~/.MacOSX/environment.plist to begin with. If removing it breaks something, then I've done you a favor by identifying some poorly ported Linux software.

  • by fane_j, Level 4 (3,677 points), Apr 10, 2012 11:17 AM in response to etresoft

    etresoft wrote:

    no decent software should ever use ~/.MacOSX/environment.plist to begin with. If removing it breaks something, then I've done you a favor by identifying some poorly ported Linux software.

    Is BBEdit "poorly ported Linux software"?

    This is a regrettably arrogant attitude. Environment.plist has nothing to do with Linux software, poorly ported or not. It is required because Mac OS X maintains different environment variables for GUI and CLI apps.

    Moreover, no software which uses a facility provided by the OS for the purpose which it was designed to support can be called 'poor'. Any app which uses environment.plist to set environment variables does exactly what Apple says it should do, in exactly the way Apple says it should. See Environment Variables in Runtime Configuration Guidelines and Technical Q&A QA1067.

    The problem with environment.plist is that—just like Microsoft with certain Windows features—Apple never envisaged that it could be used in the way this malware uses it. If there's anyone to blame, it's not 'poorly ported Linux software', but Apple itself. And if you want to look for a similar Apple-created wide-open hole, check out the login and logout hooks. (Which, yes, still work in Lion.) I'm rather surprised that the gang behind Flashback have ignored it so far—if, indeed, they have.

  • by etresoft, Level 7 (29,380 points), Apr 10, 2012 1:27 PM in response to fane_j

    The environment.plist file is never required. There are other, much better ways to accomplish the same thing. An Aqua user interface application should never rely on environment variables. It is poor practice to ship code using that file. I don't care who uses it.

  • by fane_j, Level 4 (3,677 points), Apr 10, 2012 1:41 PM in response to etresoft

    etresoft wrote:

    The environment.plist file is never required.

    BBEdit and others require it. Hence, your statement is incorrect.

    Moreover, if Apple provides this facility, and explains how it should be used, I don't understand why a developer shouldn't use it.

    There are other, much better ways to accomplish the same thing.

    Such as?

    An Aqua user interface application should never rely on environment variables.

    And if it needs, or it is used, to run shell scripts, Perl, Python, etc., what should it rely on?

    It is poor practice to ship code using that file.

    You are certainly entitled to your opinion. I see no reason or argument why anyone should agree with it.
