New Trojan Horses

Last night, I made the mistake of downloading an app called "Wine" and "Winebottler". These are apps that allow Windows programs to be played on Macintosh without installing Windows. I ended up with 13 new OSX Trojan Horses on my Macintosh. These apps kept on installing add ons to the iTunes Store. I knew I was in trouble immediately, I guess, by instinct. I had also installed Wineskin for the same purpose, but I don't think that was the problem as I found no Trojan Horses associated with this app. I had my security set to download from App Store and Trusted Developers only. I am now going to upgrade my security to download from App Store only, but I don't know for sure if that will help.


Luckily, I had Kaspersky on my Mac, and it kept on finding Trojan Horses on a full scan. I had FileVault on and iCloud on. I am wondering now if my iCloud account is infected. I am currently erasing my whole hard drive and reinstalling. I will not turn on iCloud until I get some advice. For those that are unaware, I know we are in a cyberwar. I don't know where these apps originated, but I wanted the community to know this. I've used Macintosh since the first day it was available in 1984. I've never had troubles with viruses and Trojan Horses like this, except for two that were found by Kaspersky a couple of months ago and were easily found, isolated and disinfected. Not these. Most were easily disinfected: all but two. I had to restart the computer and Kaspersky got rid of them. Kaspersky is a great program, but I wasn't sure if it got rid of everything, which led me to erase and reinstall.


Please inform me about how secure iCloud is against attached viruses, or whether I should delete my account.

Mac Pro, Mac OS 9.2.x, Mac Pro 4.1

Posted on Feb 5, 2014 10:12 AM

24 replies

Apr 22, 2014 6:10 AM in response to robxl43

No worries. It's not clear exactly what the problem is. This is what's confusing:


Apparently I was watching a ***** vid or a looking at pictures contained in my iCloud account.


Where those videos or pictures appeared, or even if they appeared, is unclear to me. Safari's browsing history is only one explanation. I'll look for your Discussion and try to come up with other possible causes. Whatever you do, don't install some "anti-virus" junk in an effort to address it, or you'll have some real problems on your hands. Was that a pun? Sorry.

Dec 18, 2014 2:26 PM in response to straycat23

I'm the dev of WineBottler.


I was pointed to this thread, so I'll give out some info on WineBottler, Wine and AV.


Download

Whatever app you are downloading: download the app from the developer's website. It happens that a lot of "download sites" are bundling the software with adware, spyware or worse.

For WineBottler, the original site is http://winebottler.kronenberg.org. The download should leave you with a .dmg file. Inside the dmg find two apps: WineBottler.app and Wine.app. They are installed by drag and drop – NO INSTALLER, NO .pkg. I know that certain download-sites bundle WineBottler with Genio. (Thank you, the support emails land on my desk 😟 - as if sorting out fake "download" ads is not work enough 🙂 ).


Antivirus

AV is always a good idea, especially if you work with Wine.

Wine.app contains a file with the name winemenubuilder.exe. winemenubuilder.exe is a no-op file, i.e. it is an exe with no functionality except for being there. This no-op does trigger the heuristics of certain AV engines. This is a FALSE POSITIVE, and I'm working on that.

On the other hand: Wine is simulating a Windows environment, so it is capable of running certain Windows malware, too.

http://wiki.winehq.org/FAQ#head-3cb8f054b33a63be30f98a1b6225d74e305a0459


Hope this helps

Mike
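As an added example (not code from this thread or from the WineBottler project), a POSIX sh check that mirrors the layout described in the post: after mounting the .dmg, run it against the mounted volume and it reports any .pkg or other item beyond the two drag-and-drop apps. The expected app names come from the post; the mount path and the optional Gatekeeper check via spctl are assumptions and only apply on macOS.

```sh
#!/bin/sh
# Added example, not from the thread or the WineBottler project.
# Checks the top level of a mounted WineBottler .dmg against the layout the
# developer describes: exactly WineBottler.app and Wine.app, installed by
# drag and drop, no installer and no .pkg. Anything else is reported.
# Usage on macOS (assumed):  hdiutil attach WineBottler.dmg ; then
#   check_wine_dmg_contents /Volumes/WineBottler

check_wine_dmg_contents() {
    vol="$1"
    status=0
    # Visible top-level items only; hidden .DS_Store/.background are dmg cosmetics.
    for item in "$vol"/*; do
        [ -e "$item" ] || continue
        name=$(basename "$item")
        case "$name" in
            WineBottler.app|Wine.app)
                ;;                                   # the two expected apps
            *.pkg|*.mpkg)
                echo "installer package present: $name"; status=1 ;;
            *)
                echo "unexpected item: $name"; status=1 ;;
        esac
    done
    # Both apps must be present, otherwise this is not the image described.
    for want in WineBottler.app Wine.app; do
        if [ ! -d "$vol/$want" ]; then
            echo "missing: $want"; status=1
        fi
    done
    # Optional Gatekeeper assessment (assumption: macOS with spctl available).
    # Reflects the "App Store and Trusted Developers" setting mentioned in the
    # opening post; a rejection is reported but does not change the result.
    if [ "$status" -eq 0 ] && command -v spctl >/dev/null 2>&1; then
        for want in WineBottler.app Wine.app; do
            spctl --assess --type execute "$vol/$want" 2>/dev/null \
                || echo "gatekeeper would not accept: $want"
        done
    fi
    return "$status"
}
```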

Dec 27, 2014 3:24 PM in response to kberg

kberg wrote:


I'm the dev of WineBottler.


I was pointed to this thread, so I'll give out some info on WineBottler, Wine and AV.


Download

Whatever app you are downloading: download the app from the developer's website. It happens that a lot of "download sites" are bundling the software with adware, spyware or worse.

For WineBottler, the original site is http://winebottler.kronenberg.org. The download should leave you with a .dmg file. Inside the dmg find two apps: WineBottler.app and Wine.app. They are installed by drag and drop – NO INSTALLER, NO .pkg. I know that certain download-sites bundle WineBottler with Genio. (Thank you, the support emails land on my desk 😟 - as if sorting out fake "download" ads is not work enough 🙂 ).


Antivirus

AV is always a good idea, especially if you work with Wine.

Wine.app contains a file with the name winemenubuilder.exe. winemenubuilder.exe is a no-op file, i.e. it is an exe with no functionality except for being there. This no-op does trigger the heuristics of certain AV engines. This is a FALSE POSITIVE, and I'm working on that.

On the other hand: Wine is simulating a Windows environment, so it is capable of running certain Windows malware, too.

http://wiki.winehq.org/FAQ#head-3cb8f054b33a63be30f98a1b6225d74e305a0459


Hope this helps

Mike

So, is WineHQ.org a legitimate site or not? If not, I guess Kaspersky was right, and they were trojans after all. I see the App Store has taken Kaspersky off, and I can't get updates. What's up with that? Does Apple run any security scans on iCloud? I'm thinking about erasing and reloading OS 10.10 again, but I'm wondering if iCloud is contaminated.

Dec 27, 2014 7:50 PM in response to kberg

kberg wrote:


http://www.winehq.org is the official Wine development site and thus legitimate.

If you have enabled iCloud Drive in Yosemite, your iCloud files are visible in Finder, and you can scan them with any AV you trust.

Arm, Apple only blocks known Viruses/Trojans that work on OS X. Windows related threats are not handled.


Mike

So, I'm guessing these were Windows-related trojans, and I don't have Windows on my computer. So, I'm also guessing I'm safe in any case. Kaspersky scanned and found these trojans and eliminated them.

Jan 1, 2015 4:12 PM in response to saraclosetotheearth

saraclosetotheearth wrote:


I use Wine and Wine Bottler. They are helpful for running a messaging app from work. They are not viruses. If you want to install the OS X firewall you can. But those apps are useful. You are wise to be careful though.

I never thought the apps were trojans, but the site loaded some trojans when I downloaded the apps. Kaspersky identified a lot of trojans loaded with the apps. Apparently they are Windows trojans, not harmful to OS X, or so I gather. Kaspersky got rid of them. Now I can't update Kaspersky because the App Store doesn't support Kaspersky. I wonder what that's all about?
