You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Trojan BackDoor.Wirenet.2

Help me please! My macbook pro late 2013 has infected trojan (BackDoor.Wirenet.2). How to remove it.

MacBook Pro with Retina display, OS X Mavericks (10.9.1)

Posted on Feb 6, 2014 11:00 AM

Reply
26 replies

Feb 7, 2014 2:39 AM in response to Krirkfah

OS X Mavericks: Increase disk space


OS X: What is "other" space in About This Mac?


You may find OmniDiskSweeper useful to see exactly what takes the space currently.


Dr Web presumably shows the name & location of the file(s) in question - you might provide that here, to 1: check that it's not a false positive & is safe to remove, and 2: see if it's likely to have been active.


VirusBarrier Express may be helpful to confirm the report & filename/location. If you use it, update the definitions first.


In any case, don't allow removal unless you're sure it's safe to do so, and the file in question isn't part of a Mail message.

Feb 7, 2014 3:57 AM in response to andyBall_uk

After Dr.web light had found "BackDoor.Wirenet.2",I saw "other space" was swallowed increasing double space and so on until the storage was full ( "Other" space was swallowed from 18 GB up to 219.03GB) very fast rapidly.


It has a false positive in red circle. When I checked the lacation which Dr.web showed,it did not appear files which is in the location (/Users/Krirkfah/.Install/keygen.app/Contents/MacOS).

Feb 7, 2014 4:15 AM in response to Krirkfah

Unfortunately, this is something that is actually Mac malware. Wirenet, aka NetWeird, is described here:


http://news.drweb.com/show/?i=2679&lng=en


It is possible that you have somehow been infected by a more recent variant of this malware. What file does Dr. Web identify as being infected? In Dr. Web, click the Threats icon in the window's toolbar and look at the BackDoor.Wirenet.2 item. There will be a little right-pointing arrow in a circle next to a filename... click that. See the image below:

User uploaded file

This will open a transparent overlay window containing the details. You will probably need to enlarge that window to see the full file path. What is the full path shown next to the Location label. Here's an example:


User uploaded file


As you can see, the sample that I scanned to take these screenshots is a trojan app named "Nude pics.app". That does not mean that this is what you will see, especially since you're seeing variant 2 of the malware, instead of variant 1. Report back here with whatever path you see there.

Feb 7, 2014 4:31 AM in response to Krirkfah

You may find that Omnidisksweeper shows large amounts of files created or downloaded by this application (perhaps logs of your activity, or even illegally downloaded movie files to be shared with others without your knowledge).

In any case, I would either revert to a backup that you know is from before this began, or after backing up now, erase & reinstall OS X, manually importing only those things that you know to be safe.

Feb 7, 2014 10:49 AM in response to Krirkfah

I don't think that's possible. At least, the last time I tried posting a screenshot on these forums from my iPad, it wasn't possible. I have no reason to believe that has changed.


If you are reluctant to post from your Mac, you could copy screenshots to another computer and post from there. Alternately, you could post them somewhere like Dropbox from your iPad, and then post a link to them here.

But really, you could just re-type the path to the file in question in a post here, if you can't post a screenshot.

Feb 7, 2014 7:31 PM in response to thomas_r.

https://www.dropbox.com/s/25xj0wfpbpotqt3/Photo%207-2-57%2002%2019%2010.jpg

https://www.dropbox.com/s/h9bj5067oci3dx6/Photo%208-2-57%2001%2001%2037.jpg

https://www.dropbox.com/s/dcdpnzexcozj2b1/Photo%208-2-57%2001%2005%2050.jpg


Do i have to reformat and reinstall OS X or it have any method to fix it ? When message showed from Dr.web,I clicked "Cure". In about 1 minute,It showed the red cross (look at image1).

Feb 7, 2014 11:13 PM in response to Krirkfah

1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve your problem.

2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

3. Below are instructions to run a UNIX shell script, a type of program. All it does is to gather information about the state of your computer. That information goes nowhere unless you choose to share it on this page. However, you should be cautious about running any kind of program (not just a shell script) at the request of a stranger on a public message board. If you have doubts, search this site for other discussions in which this procedure has been followed without any report of ill effects. If you can't satisfy yourself that the instructions are safe, don't follow them.

Here's a summary of what you need to do, if you choose to proceed: Copy a line of text from this web page into the window of another application. Wait for the script to run. It usually takes a couple of minutes. Then paste the results, which will have been copied automatically, back into a reply on this page. The sequence is: copy, paste, wait, paste again. Details follow.

4. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.

5. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply.

6. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in your browser, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.

Triple-click anywhere in the line of text below on this page to select it:

PATH=/usr/bin:/bin:/usr/sbin:/sbin; clear; Fb='%s\n\t(%s)\n'; Fm='\n%s\n\n%s\n'; Fr='\nRAM details\n%s\n'; Fs='\n%s: %s\n'; Fu='user %s%%, system %s%%'; PB="/usr/libexec/PlistBuddy -c Print"; A () { [[ a -eq 0 ]]; }; M () { find -L "$d" -type f | while read f; do file -b "$f" | egrep -lq XML\|exec && echo $f; done; }; Pc () { o=`grep -v '^ *#' "$2"`; Pm "$1"; }; Pm () { [[ "$o" ]] && o=`sed '/^ *$/d; s/^ */ /' <<< "$o"` && printf "$Fm" "$1" "$o"; }; Pp () { o=`$PB "$2" | awk -F'= ' \/$3'/{print $2}'`; Pm "$1"; }; Ps () { o=`echo $o`; [[ ! "$o" =~ ^0?$ ]] && printf "$Fs" "$1" "$o"; }; R () { o=; [[ r -eq 0 ]]; }; SP () { system_profiler SP${1}DataType; }; id | grep -qw '80(admin)'; a=$?; A && sudo true; r=$?; t=`date +%s`; clear; { A || echo $'No admin access\n'; A && ! R && echo $'No root access\n'; SP Software | sed '8!d;s/^ *//'; o=`SP Hardware | awk '/Mem/{print $2}'`; o=$((o<4?o:0)); Ps "Total RAM (GB)"; o=`SP Memory | sed '1,5d; /[my].*:/d'`; [[ "$o" =~ s:\ [^O]|x([^08]||0[^2]8[^0]) ]] && printf "$Fr" "$o"; o=`SP Diagnostics | sed '5,6!d'`; [[ "$o" =~ Pass ]] || Pm "POST"; for b in Thunderbolt USB; do o=`SP $b | sed -n '1d; /:$/{s/ *:$//;x;s/\n//p;}; /^ *V.* [0N].* /{s/ 0x.... //;s/[()]//g;s/\(.*: \)\(.*\)/ \(\2\)/;H;}; /Apple/{s/.//g;h;}'`; Pm $b; done; o=`pmset -g therm | sed 's/^.*C/C/'`; [[ "$o" =~ No\ th|pms ]] && o=; Pm "Thermal conditions"; o=`pmset -g sysload | grep -v :`; [[ "$o" =~ =\ [^GO] ]] || o=; Pm "System load advisory"; o=`nvram boot-args | awk '{$1=""; print}'`; Ps "boot-args"; d=(/ ""); D=(System User); E=; for i in 0 1; do o=`cd ${d[$i]}L*/L*/Dia* || continue; ls | while read f; do [[ "$f" =~ h$ ]] && grep -lq "^Thread c" "$f" && e=" *" || e=; awk -F_ '!/ag$/{$NF=a[split($NF,a,".")]; print $0 "'"$e"'"}' <<< "$f"; done | tail`; Pm "${D[$i]} diagnostics"; done; [[ "$o" =~ \*$ ]] && printf $'\n* Code injection\n'; o=`syslog -F bsd -k Sender kernel -k Message CReq 'GPU |hfs: Ru|I/O e|n Cause: -|NVDA\(|pagin|SATA W|ssert|timed? ?o' | tail -n25 | awk '/:/{$4=""; $5=""};1'`; Pm "Kernel messages"; o=`df -m / | awk 'NR==2 {print $4}'`; o=$((o<5120?o:0)); Ps "Free space (MiB)"; o=$(($(vm_stat | awk '/eo/{sub("\\.",""); print $2}')/256)); o=$((o>=1024?o:0)); Ps "Pageouts (MiB)"; s=( `sar -u 1 10 | sed '$!d'` ); [[ s[4] -lt 85 ]] && o=`printf "$Fu" ${s[1]} ${s[3]}` || o=; Ps "Total CPU usage" && { s=(`ps acrx -o comm,ruid,%cpu | sed '2!d'`); o=${s[2]}%; Ps "CPU usage by process \"$s\" with UID ${s[1]}"; }; s=(`top -R -l1 -n1 -o prt -stats command,uid,prt | sed '$!d'`); s[2]=${s[2]%[+-]}; o=$((s[2]>=25000?s[2]:0)); Ps "Mach ports used by process \"$s\" with UID ${s[1]}"; o=`kextstat -kl | grep -v com\\.apple | cut -c53- | cut -d\< -f1`; Pm "Loaded extrinsic kernel extensions"; R && o=`sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix\.cron)|org\.(amav|apac|calendarse|cups|dove|isc|ntp|post[fg]|x)/{print $3}'`; Pm "Extrinsic system jobs"; o=`launchctl list | sed 1d | awk '!/0x|com\.apple|org\.(x|openbsd)|\.[0-9]+$/{print $3}'`; Pm "Extrinsic agents"; o=`for d in {/,}L*/Lau*; do M; done | grep -v com\.apple\.CSConfig | while read f; do ID=$($PB\ :Label "$f") || ID="No job label"; printf "$Fb" "$f" "$ID"; done`; Pm "launchd items"; o=`for d in /{S*/,}L*/Star*; do M; done`; Pm "Startup items"; o=`find -L /S*/L*/E* {/,}L*/{A*d,Compon,Ex,In,Keyb,Mail/B,P*P,Qu*T,Scripti,Servi,Spo}* -type d -name Contents -prune | while read d; do ID=$($PB\ :CFBundleIdentifier "$d/Info.plist") || ID="No bundle ID"; [[ "$ID" =~ ^com\.apple\.[^x]|Accusys|ArcMSR|ATTO|HDPro|HighPoint|driver\.stex|hp-fax|\.hpio|JMicron|microsoft\.MDI|print|SoftRAID ]] || printf "$Fb" "${d%/Contents}" "$ID"; done`; Pm "Extrinsic loadable bundles"; o=`find -L /u*/{,*/}lib -type f | while read f; do file -b "$f" | grep -qw shared && ! codesign -v "$f" && echo $f; done`; Pm "Unsigned shared libraries"; o=`for e in DYLD_INSERT_LIBRARIES DYLD_LIBRARY_PATH; do launchctl getenv $e; done`; Pm "Environment"; o=`find -L {,/u*/lo*}/e*/periodic -type f -mtime -10d`; Pm "Modified periodic scripts"; o=`scutil --proxy | grep Prox`; Pm "Proxies"; o=`scutil --dns | awk '/r\[0\] /{if ($NF !~ /^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./) print $NF; exit}'`; Ps "DNS"; R && o=`sudo profiles -P | grep : | wc -l`; Ps "Profiles"; f=auto_master; [[ `md5 -q /etc/$f` =~ ^b166 ]] || Pc $f /etc/$f; for f in fstab sysctl.conf crontab launchd.conf; do Pc $f /etc/$f; done; Pc "hosts" <(grep -v 'host *$' /etc/hosts); Pc "User launchd" ~/.launchd*; R && Pc "Root crontab" <(sudo crontab -l); Pc "User crontab" <(crontab -l); R && o=`sudo defaults read com.apple.loginwindow LoginHook`; Pm "Login hook"; Pp "Global login items" /L*/P*/loginw* Path; Pp "User login items" L*/P*/*loginit* Name; Pp "Safari extensions" L*/Saf*/*/E*.plist Bundle | sed 's/\..*$//;s/-[1-9]$//'; o=`find ~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 \) | wc -l`; Ps "Restricted user files"; cd; o=`SP Fonts | egrep "Valid: N|Duplicate: Y" | wc -l`; Ps "Font problems"; o=`find L*/{Con,Pref}* -type f ! -size 0 -name *.plist | while read f; do plutil -s "$f" >&- || echo $f; done`; Pm "Bad plists"; d=(Desktop L*/Keyc*); n=(20 7); for i in 0 1; do o=`find "${d[$i]}" -type f -maxdepth 1 | wc -l`; o=$((o<=n[$i]?0:o)); Ps "${d[$i]##*/} file count"; done; o=$((`date +%s`-t)); Ps "Elapsed time (s)"; } 2>/dev/null | pbcopy; exit 2>&-

Copy the selected text to the Clipboard by pressing the key combination command-C.

7. Launch the built-in Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.

When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign ($) or a percent sign (%). If you get the percent sign, enter

exec bash

in the window and press return. You should then get a new line ending in a dollar sign.

Click anywhere in the Terminal window and paste (command-V). The text you pasted should vanish immediately. If it doesn't, press the return key.


If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know your password, or if you prefer not to enter it, just press return three times at the password prompt.

If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line "[Process completed]" to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report your results. No harm will be done.

8. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

When you post the results, you might see the message, "You have included content in your post that is not permitted." It means that the forum software has misidentified something in the post as a violation of the rules. If it happens, please post the test results on Pastebin, then post a link here to the page you created.

Note: This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.


________________________________

Copyright © 2014 Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Terms of Use of Apple Support Communities ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

Feb 8, 2014 1:39 AM in response to Krirkfah

>> When message showed from Dr.web,I clicked "Cure". In about 1 minute,It showed the red cross (look at image1).


It seems to show that when unable to remove an item due to it being locked or not having permissions to do so. It has seemingly removed most of that hidden app, since it says '0 bytes'


As MadMacs0 has said, you're running out of space, did you run omnidisksweeper to see where these files are?.

Feb 8, 2014 6:56 AM in response to Krirkfah

Okay, things are definitely not looking good. You have a hidden folder in your home folder containing a suspicious app. It's the executable portion of that app that was identified as malicious. I wish I knew where it came from or how it got there!


Unfortunately, this malware is known to be able to download and install other components, such as a keylogger. Further, this is a newer variant than the one that I'm familiar with, so it very well may include some kind of backdoor that allows the hackers behind it to make custom modifications to your machine remotely. At this point, I truly wouldn't recommend anything less than erasing the hard drive completely and reinstalling everything from scratch:


How to reinstall Mac OS X from scratch


It is always possible that this is a false positive. I would think this is unlikely, since the app in question is inside an invisible folder named ".Install" - this is a very common malware trick. I personally would not take the risk.

Trojan BackDoor.Wirenet.2

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.