5 Replies Latest reply: Jun 17, 2012 3:30 PM by Topolinux
Topolinux Level 1 Level 1 (10 points)

Hi. I found today, casually, an unknown folder in \Users\ , named "jmoar", containing only the "Documents" folder and one file inside it named "InstallerTest.rtf".

I opened it from Terminal with nano and it doesn't appear suspicious; it only contains the string "installer test". I've searched for unusual users via dscl but I have not found any "jmoar". It seems that the folder was created 03-27-2012. I'm worrying about which program or who could have created it. What should I do beyond deleting the folder?

thanks


MacBook Pro, Mac OS X (10.6.8)
  • noondaywitch Level 6 Level 6 (8,130 points)

    I would consider it highly suspect.

    The only thing I'm aware of in recent months (and that March creation date would tally) that placed files in /Users/ is the Flashback malware. I don't recognise the filename from that episode, but others have tested it more thoroughly than I, so may be able to offer an opinion.
    Until one of the Terminal whizzes comes along to give you the commands to check for other components, be sure that your software security updates are up-to-date, especially update 8 which removes Flashback components, and turn off Java in your browsers (not JavaScript; you need that).

    Ideally, go to Applications > Utilities > Java Preferences and uncheck the two boxes for Java SE6.

    If you were seriously compromised, I think you would probably have had problems with Safari freezing or crashing, but better to be safe and do the checks.
    <aside>

    We don't use \ in file paths on Mac, it's /. \ is used as an escape character in Terminal commands etc.

    </aside>

  • noondaywitch Level 6 Level 6 (8,130 points)

    Pulled from another thread, here's a couple of links to peruse for now -

    https://discussions.apple.com/docs/DOC-3261

    https://discussions.apple.com/docs/DOC-2435

  • MadMacs0 Level 5 Level 5 (4,605 points)

    Topolinux wrote:
    Hi. I found today, casually, an unknown folder in \Users\ , named "jmoar", containing only the "Documents" folder and one file inside it named "InstallerTest.rtf".

    I opened it from Terminal with nano and it doesn't appear suspicious; it only contains the string "installer test". I've searched for unusual users via dscl but I have not found any "jmoar". It seems that the folder was created 03-27-2012. I'm worrying about which program or who could have created it. What should I do beyond deleting the folder?

    Although I agree with noondaywitch that it looks suspicious, it doesn't match any known variant of Flashback that I'm aware of. Only the System (root) should be able to create such a folder in /Users/, as Admins don't have write access to it. Flashback was able to create invisible files in /Users/Shared/, which is open to all.

    Do you have any sharing options turned on? Are you on a WiFi network with less than WPA2 password access? Could anyone have had physical access to your computer? Is your Firewall enabled with Stealth Mode on? If Firewall logging is turned on check your appfirewall.log for anything suspicious on that date.
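The two checks raised in this thread, comparing the folders under /Users with the accounts dscl actually knows about and pulling the application firewall log lines for the day the folder appeared, can be scripted. The following is an added example written for this page, not code from any poster or from Apple. The home-folder list, account list and log lines in it are constructed sample data (the firewall log layout is an assumption about the format, not copied from a real machine); the guarded section at the end runs the same comparison against the live system only when `/Users` and `dscl` are present.

```shell
#!/bin/sh
# Added example: cross-check /Users entries against directory-service accounts,
# and filter application firewall log lines by date.

# Print every home folder name (one per line in $1) that has no matching
# user record in the account list ($2, the output of `dscl . -list /Users`).
# "Shared" and "Guest" are standard folders without a record of their own.
unknown_homes() {
    homes="$1"
    accounts="$2"
    printf '%s\n' "$homes" | while IFS= read -r name; do
        [ -z "$name" ] && continue
        case "$name" in
            Shared|Guest) continue ;;
        esac
        # -x: whole-line match, -F: literal string (folder names are not regexes)
        if ! printf '%s\n' "$accounts" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Print the lines of a firewall log ($1) whose timestamp starts with a
# given "Mon DD" prefix ($2), e.g. "Mar 27".
firewall_lines_on() {
    printf '%s\n' "$1" | grep -- "^$2 "
}

# --- constructed sample data (not from the thread) -------------------------
SAMPLE_HOMES="Shared
topolinux
jmoar"

# Constructed stand-in for `dscl . -list /Users`: system accounts plus one real user.
SAMPLE_ACCOUNTS="_www
daemon
nobody
root
topolinux"

# Constructed stand-in for /var/log/appfirewall.log; the line layout is assumed.
SAMPLE_LOG="Mar 27 09:12:41 macbook Firewall[52]: Deny nc connecting from 192.0.2.10:51234 uid = 0
Mar 27 09:13:02 macbook Firewall[52]: Allow Finder connecting from 192.0.2.10:51240 uid = 501
Mar 28 18:00:10 macbook Firewall[52]: Deny sshd connecting from 198.51.100.7:40001 uid = 0"

echo "Home folders with no matching account (sample data):"
unknown_homes "$SAMPLE_HOMES" "$SAMPLE_ACCOUNTS"        # prints: jmoar

echo "Firewall log lines on Mar 27 (sample data):"
firewall_lines_on "$SAMPLE_LOG" "Mar 27"

# --- live check, only on a Mac with the directory service available ---------
if [ -d /Users ] && command -v dscl >/dev/null 2>&1; then
    echo "Home folders with no matching account (this machine):"
    unknown_homes "$(ls /Users)" "$(dscl . -list /Users)"
fi
```

A folder reported by `unknown_homes` is worth a second look at its ownership: on macOS, `stat -f '%Su %Sg' /Users/jmoar` shows which account owns it, which narrows down whether it was written by root (an installer or the system) or by a logged-in user. The date filter is deliberately a plain prefix match so it works on the `Mon DD` timestamps the log uses; adjust the prefix if your log is in a different format.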

  • X423424X Level 6 Level 6 (14,215 points)

    Use the Finder's Find (command-F) command to search by filename, or use Find Any File, for the following strings (one at a time):

    jmoar

    InstallerTest

    I wouldn't worry about it. Nothing is certainly going to be harmed by a wayward rtf file, and installers have been known to "accidentally" leave crap lying around from the authors' testing. That's where I think that stuff came from.

  • Topolinux Level 1 Level 1 (10 points)

    Thanks to you all. I think that X423424X's answer is right, because no one accessed my laptop, I don't have file sharing active, my house connection is secured enough and my "cyberlife" is a safe one (no strange sites, no Facebook apps, no porn, no cracked software, etcetera).

    Cheers!