How do you run the Flashback malware removal tool?


Thanks

MacBook Pro, Mac OS X (10.7.2)

Posted on Apr 24, 2012 1:06 AM

8 replies

Apr 24, 2012 3:07 AM in response to Paul McLaren

Paul McLaren wrote:


How do you run the Flashback malware removal tool?

You don't. If you have already updated Java for Lion 2012-003 then it ran already. If you don't have Java installed and Software Update told you to install it, then it ran and either found something and told you so or it didn't find anything. In all of these cases, the tool deletes itself and will be offered only if it's needed again for something else.

Apr 25, 2012 1:21 PM in response to MadMacs0

I don't have Java installed, but I have reason to suspect I have this virus. (I get pop-ups wanting me to authorize an upgrade for Java... before that it was a similar pop-up for Adobe. Somewhere I read that this is the way that you can be baited into running the virus.) I downloaded the Flashback malware removal tool (for Lion users with Java not installed). I am not sure it ran automatically, and it certainly hasn't deleted itself, as it's still visible in my Finder as a device.


So, how do you run the Flashback malware removal tool?

Apr 25, 2012 1:46 PM in response to mmill52

mmill52 wrote:


I don't have Java installed, but I have reason to suspect I have this virus. (I get pop-ups wanting me to authorize an upgrade for Java... before that it was a similar pop-up for Adobe. Somewhere I read that this is the way that you can be baited into running the virus.)

That is incorrect. The current variants of Flashback do not use such pop-ups.

I downloaded the Flashback malware removal tool (for Lion users with Java not installed). I am not sure it ran automatically, and it certainly hasn't deleted itself, as it's still visible in my Finder as a device.


So, how do you run the Flashback malware removal tool?

You only need to run what Software Update tells you to run, but since you have downloaded it already...


The "device" you see is the mounted image that got there when you double clicked on the .dmg file. When you are finished with it you can dismount it by clicking on the "Eject" icon next to it.


Follow softwater's instructions. If it finds any malware it will tell you. If it doesn't find anything then it won't say anything. In either case, the tool deletes itself and you won't need it again until Software Update tells you to run it.

Apr 25, 2012 2:16 PM in response to MadMacs0

Thank you both for responding.


I had already done what softwater instructed. I've read that it deletes itself on other threads, but it's still in my Finder as a Device. That's what confused me, because it doesn't appear to have deleted itself.


I only recently upgraded to Snow Leopard and then Lion, in quick succession. My understanding is that there were (are) variants that would have infected my computer prior to my upgrading my OS to Lion. Before the upgrade, they were Adobe, but afterward they were Java. Could it be that the pop-ups were/are some other variant?


If the Flashback malware removal tool didn't find anything and my Software Update is current, does that mean the vulnerability has been fixed? At least for now? I understand that Software Update will prompt downloads in the future if and when it needs to be patched again.

Apr 25, 2012 4:34 PM in response to mmill52

I am away from my computer and it is somewhat awkward to reply on an iPad.


> I had already done what softwater instructed. I've read that it deletes itself on other threads, but it's still in my Finder as a Device. That's what confused me, because it doesn't appear to have deleted itself.


Sorry, I wasn't clear. That is not the tool. It is the .dmg image mounted to your desktop. Next to the name you will see a small eject icon. Click on it or highlight it and choose "Eject" from the appropriate Finder menu. Once that happens you can drag the .dmg file to the trash as it will not delete itself.


> I only recently upgraded to Snow Leopard and then Lion, in quick succession. My understanding is that there were (are) variants that would have infected my computer prior to my upgrading my OS to Lion. Before the upgrade, they were Adobe, but afterward they were Java. Could it be that the pop-ups were/are some other variant?


Difficult to say for certain. Apple says it deletes all the common variants but does not specify which and I haven't seen the results of any testing done to verify that it finds and deletes those. The only dialogs that appeared with the initial variants were for FlashPlayer. They are depicted in the descriptions for Flashback-A on F-Secure's site if you want to take a look. There have been none that I am aware of for Java, so that is probably either a web page or application that needs Java to run giving you that alert.


> If the Flashback malware removal tool didn't find anything and my Software Update is current, does that mean the vulnerability has been fixed? At least for now? I understand that Software Update will prompt downloads in the future if and when it needs to be patched again.


The vulnerability is in Java, nowhere else, so if you don't have it installed there was nothing to fix.


If you download Java in the future it will be the latest version Apple has available at the time, which hopefully will not be subject to exploitation, yet...
