How to find and remove a Trojan:Win32/Ramnit from an iMac?

I have an office with 6 iMacs and MacBook Pros in the UK. We have a BT ADSL router and have broadband with BT. We have one PC laptop on the network, but this was not switched on on the date listed below.


As of today we have been blocked from sending e-mails by Spamhaus.org, who have blacklisted our IP address. On their website they have recorded a CBL advisor that begins:


IP Address 86.167.155.48 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2012-12-07 07:00 GMT (+/- 30 minutes), approximately 5 days, 7 hours, 59 minutes ago.

This IP is infected with, or is NATting for a machine infected with Trojan:Win32/Ramnit (Microsoft)...


We do not have any form of antivirus on our machines, or MacKeeper etc. Before I start checking each Mac I wanted to check if it is possible to get this type of virus on a Mac, or is it possible that someone has broken into our wireless network and is spamming from it?


If it is more likely that one of the Macs has been infected, any tips on finding out which one and how I go about removing the trojan?


Any help would be much appreciated.

iMac, Mac OS X (10.6.8)

Posted on Dec 12, 2012 8:42 AM


Dec 12, 2012 9:11 AM in response to randalturner

This may help:


There are many forms of ‘Malware’ that can affect a computer system, of which ‘a virus’ is but one type, ‘trojans’ another. Using the strict definition of a computer virus, no viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions. The same is not true of other forms of malware, such as Trojans. Whilst it is a fairly safe bet that your Mac has NOT been infected by a virus, it may have another security-related problem, but more likely a technical problem unrelated to any malware threat.



You may find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful:


https://discussions.apple.com/docs/DOC-2435


The User Tip (which you are welcome to print out and retain for future reference) seeks to offer guidance on the main security threats and how to avoid them.


More useful information can also be found here:


http://www.reedcorner.net/mmg/

Dec 12, 2012 12:20 PM in response to randalturner

randalturner wrote:


As of today we have been blocked from sending e-mails by Spamhaus.org, who have blacklisted our IP address. On their website they have recorded a CBL advisor that begins:


IP Address 86.167.155.48 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2012-12-07 07:00 GMT (+/- 30 minutes), approximately 5 days, 7 hours, 59 minutes ago.

This IP is infected with, or is NATting for a machine infected with Trojan:Win32/Ramnit (Microsoft)...


ISPs are notoriously wrong about these sorts of things with regard to Mac networks. It's possible that one or more Macs are broadcasting something that resembles that infection, but you would need to monitor outgoing packets or connectivity to know for certain. Perhaps your ISP can help you with this.


IP Scanner from 10base-t interactive or the AppStore is useful for detecting intruder devices and is free for small networks.
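
Added example (not part of the thread or of any poster's reply): one way to do the outgoing-packet monitoring mentioned above is to capture traffic at the gateway with `tcpdump -nn -tt` and tally which LAN hosts open connections to many different mail servers on TCP port 25, which office machines that send through one provider relay normally do not do. The LAN range, relay address, threshold and sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# IPv4 TCP lines as printed by `tcpdump -nn -tt`.
LINE_RE = re.compile(
    r"^\d+\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = """\
1354863600.10 IP 192.168.1.10.50111 > 192.0.2.25.25: Flags [S], seq 1, win 65535, length 0
1354863601.20 IP 192.168.1.23.49152 > 203.0.113.5.25: Flags [S], seq 1, win 65535, length 0
1354863601.25 IP 203.0.113.5.25 > 192.168.1.23.49152: Flags [S.], seq 9, ack 2, win 5840, length 0
1354863602.30 IP 192.168.1.23.49153 > 203.0.113.9.25: Flags [S], seq 1, win 65535, length 0
1354863603.40 IP 192.168.1.23.49154 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0
1354863604.50 IP 192.168.1.23.49155 > 203.0.113.77.25: Flags [S], seq 1, win 65535, length 0
1354863605.60 IP 192.168.1.14.50200 > 198.51.100.80.443: Flags [S], seq 1, win 65535, length 0
1354863606.70 ARP, Request who-has 192.168.1.1 tell 192.168.1.14, length 28
"""


def smtp_talkers(lines, lan="192.168.1.0/24", allowed_relays=(), threshold=3):
    """Map each LAN host to the external port-25 servers it opened connections
    to, keeping only hosts that reached `threshold` or more distinct servers."""
    lan_net = ipaddress.ip_network(lan)          # assumed office LAN range
    relays = {ipaddress.ip_address(r) for r in allowed_relays}
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                             # ARP, IPv6, truncated lines
        if m["dport"] != "25" or m["flags"] != "S":
            continue                             # initial SYN to SMTP only
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in lan_net or dst in lan_net or dst in relays:
            continue                             # ignore the known mail relay
        seen[str(src)].add(str(dst))
    return {host: sorted(dests, key=ipaddress.ip_address)
            for host, dests in seen.items() if len(dests) >= threshold}


if __name__ == "__main__":
    hits = smtp_talkers(SAMPLE.splitlines(), allowed_relays=["192.0.2.25"])
    for host, dests in hits.items():
        print(host, "->", len(dests), "distinct SMTP servers:", ", ".join(dests))
```

A host reported here is the one to take off the network and examine first; matching its LAN address to a machine is a lookup in the router's DHCP lease table.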
