Flashback: how to handle some Launch Agents Folder questions?

Two Flashback questions, followed by some background.


1) In cleaning up a Flashback infection, why would running the ls -lA ~/Library/LaunchAgents/ command in Terminal return the result "total 16", when there are only 2 items in the LaunchAgents subfolder? (I checked for invisible files in that folder -- there are none.)


2) Should I delete any of the plist files from the LaunchAgents folder, including the ones that appear to be for MobileMe syncing and Safari bookmark syncing?



Here's the background:



When I entered this into Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES


I got this result:

/Users/Shared/.libgmalloc.dylib


When I entered this into Terminal:


grep -a -o '__ldpath__[ -~]*' /Users/Shared/.libgmalloc.dylib


I got this DOUBLE result:
__ldpath__/Users/username1/Library/Application Support/.WondershareDVDBackup.tmp
__ldpath__/Users/username1/Library/Application Support/.WondershareDVDBackup.tmp


(We've never used "Wondershare DVD Backup", by the way.)


When I entered this into Terminal:

ls -lA ~/Library/LaunchAgents/


I got this result for username1:

total 16
-rw-r--r-- 1 username1 username1 581 Apr 30 2011 com.apple.MobileMeSyncClientAgent.plist
-rw-r--r-- 1 username1 username1 813 Mar 1 2009 com.apple.SafariBookmarksSyncer.plist


When I entered this into Terminal:


defaults read ~/Library/LaunchAgents/com.apple.MobileMeSyncClientAgent.plist ProgramArguments


I got this result:
2012-04-07 19:40:25.306 defaults[1260:903]
The domain/default pair of (/Users/username1/Library/LaunchAgents/com.apple.MobileMeSyncClientAgent.plist, ProgramArguments) does not exist


... and the same sort of "does not exist" results when I tested SafariBookmarksSyncer in the launch agents folder.



I got this result (note high "total" number) for username2 -- this user account *did not* test positive for Flashback:

total 40
-rw-r--r-- 1 username2 staff 619 Oct 18 2010 com.adobe.ARM.ad895013aeb33ea6e968d9fdc06c0eb42c7c2a5229d98d64ad002716.plist
-rw-r--r-- 1 username2 staff 581 Mar 24 14:33 com.apple.MobileMeSyncClientAgent.plist
-rw-r--r-- 1 username2 staff 815 Apr 19 2010 com.apple.SafariBookmarksSyncer.plist
-rw-r--r-- 1 username2 staff 667 Jul 28 2011 com.macupdate.desktop5.scanner.plist
-rw-r--r-- 1 username2 staff 615 Sep 13 2009 de.metaquark.appfresh.plist


(I have no idea what de.metaquark.appfresh would be. I presume the long adobe plist is from an installation of Adobe 8.)

Posted on Apr 8, 2012 7:59 AM

7 replies
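An added example, not from the thread or from any of its participants: a small POSIX shell script that reproduces the three triage checks from the original post offline, on constructed copies of the listings and strings quoted above, so the shape of each result can be studied without an infected machine. The listing files, the fake "dylib" blob and the helper names (count_entries, non_apple_agents, extract_ldpath) are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Offline reproduction of the checks the
# original post ran. Every input below is constructed sample data.

# 1) The "total N" line printed by `ls -l` is the number of disk blocks the
#    listed files occupy (512-byte units on macOS), NOT a count of entries:
#    a 581-byte file and an 813-byte file take 8 blocks each, hence "total 16".
#    count_entries() counts the real entries of a captured `ls -lA` listing.
count_entries() {
    # $1: path to a file holding captured `ls -lA` output
    grep -v '^total ' "$1" | grep -c . || true
}

# 2) Launch agents outside Apple's own label namespace deserve a look; most
#    are legitimate third-party helpers, but each should be accounted for.
#    Prints the file name (last field; sample names contain no spaces) of
#    every entry whose name does not start with com.apple.
non_apple_agents() {
    grep -v '^total ' "$1" | awk '{print $NF}' | grep -v '^com\.apple\.' || true
}

# 3) The same grep the post used to pull the __ldpath__ string out of the
#    library, run in the C locale so the printable-ASCII range is unambiguous;
#    sort -u collapses a string that is embedded more than once.
extract_ldpath() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" | sort -u || true
}

# --- constructed sample data (copied from the listings in the post) --------
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/user1.txt" <<'EOF'
total 16
-rw-r--r-- 1 username1 username1 581 Apr 30 2011 com.apple.MobileMeSyncClientAgent.plist
-rw-r--r-- 1 username1 username1 813 Mar 1 2009 com.apple.SafariBookmarksSyncer.plist
EOF

cat > "$TMP/user2.txt" <<'EOF'
total 40
-rw-r--r-- 1 username2 staff 619 Oct 18 2010 com.adobe.ARM.ad895013aeb33ea6e968d9fdc06c0eb42c7c2a5229d98d64ad002716.plist
-rw-r--r-- 1 username2 staff 581 Mar 24 14:33 com.apple.MobileMeSyncClientAgent.plist
-rw-r--r-- 1 username2 staff 815 Apr 19 2010 com.apple.SafariBookmarksSyncer.plist
-rw-r--r-- 1 username2 staff 667 Jul 28 2011 com.macupdate.desktop5.scanner.plist
-rw-r--r-- 1 username2 staff 615 Sep 13 2009 de.metaquark.appfresh.plist
EOF

# A fake binary: non-printable bytes around the marker string, embedded twice,
# which is what makes the post's grep print the path two times.
LDP='__ldpath__/Users/username1/Library/Application Support/.WondershareDVDBackup.tmp'
printf '\000\001%s\000\377%s\000' "$LDP" "$LDP" > "$TMP/fake.dylib"

# Stand-alone run: show each check's output.
echo "user1 entries: $(count_entries "$TMP/user1.txt")"      # 2 (not 16)
echo "user2 entries: $(count_entries "$TMP/user2.txt")"      # 5 (not 40)
echo "user2 non-Apple agents:"; non_apple_agents "$TMP/user2.txt"
echo "ldpath strings:"; extract_ldpath "$TMP/fake.dylib"
```

The point of count_entries is only to make the mismatch between "total" and the number of files visible; the block count is a file-system figure and says nothing about infection. non_apple_agents is a triage aid for question 2 (which plists are not Apple's), not a verdict: a third-party label is normal for updaters and helpers, and the thread's own answer applies (legitimate ones may stay).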

Apr 8, 2012 8:28 AM in response to Bob Mayo

You've definitely got the trojan all right.


I wrote a user tip and checker/removal tool: https://discussions.apple.com/docs/DOC-3271


It should clean things up without having to type any terminal commands. Try it out and let me know what happens. Rerun those terminal commands and verify if it actually cleans things up. I have only tested it on my own demo trojan. I would like to know if it really works.

Apr 8, 2012 10:30 AM in response to etresoft

Thanks, etresoft. I've already done the removal of .libgmalloc.dylib and .WondershareDVDBackup.tmp, but am still wondering if I need to do anything with the plists in the LaunchAgents folder (and what that higher "total" number returned by ls -lA ~/Library/LaunchAgents/ means). My interpretation is that there's nothing corrupted about those plists, but I want to be sure. I already downloaded and ran ClamXav, and it doesn't report any issues there. I also wonder if any Applications were affected, because ClamXav scans only the home folder, not the entire drive.


(I give you and others credit for working on and sharing automated tools for checking for and/or addressing effects of the malware. I hope Apple builds something into a software update to address this.)

Apr 8, 2012 10:30 AM in response to Bob Mayo

As a side note, you can set ClamXav to scan your entire drive by selecting MacintoshHD as primary target. It's going to take a while, depending on the size of your drive, though.


As for the plist files you mention, if they look legitimate, i.e. if they belong to legitimate applications, don't bother to delete them. You can, though: the applications in question will create new ones next time you run them.

Apr 8, 2012 10:59 AM in response to etresoft

I'm wondering -- and I don't know if anyone has established this -- if it's possible the malware could have created only .libgmalloc.dylib and .WondershareDVDBackup.tmp on my computer and not succeeded in (or gotten around to) creating a LaunchAgent yet. I used the Dr. Bott UUID checker, and it didn't show any past communication with the botnet server -- though I don't know that his database is comprehensive.

Apr 9, 2012 12:25 AM in response to Bob Mayo

Bob Mayo wrote:


if it's possible the malware could have created only .libgmalloc.dylib and .WondershareDVDBackup.tmp on my computer and not succeeded in (or gotten around to) creating a LaunchAgent yet.

None of the posters who had the launch agent form had the environment.plist entry. That means one of two things. Either (a) they caught the malware in its early phase, in which the executable launched by the launch agent was attempting to communicate with its controller to download the malware payload; or (b) they caught a different variant, one which no longer used a hidden shared library stored in </Users/Shared>.
