Trojan BackDoor.Wirenet.2

What, or what application, has made you think that your Mac is infected with anything ?.

OS X Mavericks: Increase disk space

OS X: What is "other" space in About This Mac?

You may find OmniDiskSweeper useful to see exactly what takes the space currently.

Dr Web presumably shows the name & location of the file(s) in question - you might provide that here, to 1: check that it's not a false positive & is safe to remove, and 2: see if it's likely to have been active.

VirusBarrier Express may be helpful to confirm the report & filename/location. If you use it, update the definitions first.

In any case, don't allow removal unless you're sure it's safe to do so, and the file in question isn't part of a Mail message.

>>...it did not appear files which is in the location (/Users/Krirkfah/.Install/keygen.app/Contents/MacOS).

That's because OS X usually hides files & folders that start with a . like .Install in your case.

Unfortunately, this is something that is actually Mac malware. Wirenet, aka NetWeird, is described here:

http://news.drweb.com/show/?i=2679&lng=en

It is possible that you have somehow been infected by a more recent variant of this malware. What file does Dr. Web identify as being infected? In Dr. Web, click the Threats icon in the window's toolbar and look at the BackDoor.Wirenet.2 item. There will be a little right-pointing arrow in a circle next to a filename... click that. See the image below:

This will open a transparent overlay window containing the details. You will probably need to enlarge that window to see the full file path. What is the full path shown next to the Location label. Here's an example:

As you can see, the sample that I scanned to take these screenshots is a trojan app named "Nude pics.app". That does not mean that this is what you will see, especially since you're seeing variant 2 of the malware, instead of variant 1. Report back here with whatever path you see there.

You may find that Omnidisksweeper shows large amounts of files created or downloaded by this application (perhaps logs of your activity, or even illegally downloaded movie files to be shared with others without your knowledge).

In any case, I would either revert to a backup that you know is from before this began, or after backing up now, erase & reinstall OS X, manually importing only those things that you know to be safe.

I don't think that's possible. At least, the last time I tried posting a screenshot on these forums from my iPad, it wasn't possible. I have no reason to believe that has changed.

If you are reluctant to post from your Mac, you could copy screenshots to another computer and post from there. Alternately, you could post them somewhere like Dropbox from your iPad, and then post a link to them here.

But really, you could just re-type the path to the file in question in a post here, if you can't post a screenshot.

Here's a summary of what you need to do, if you choose to proceed: Copy a line of text from this web page into the window of another application. Wait for the script to run. It usually takes a couple of minutes. Then paste the results, which will have been copied automatically, back into a reply on this page. The sequence is: copy, paste, wait, paste again. Details follow.

4. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.

5. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply.

6. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in your browser, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.

Triple-click anywhere in the line of text below on this page to select it:

PATH=/usr/bin:/bin:/usr/sbin:/sbin; clear; Fb='%s\n\t(%s)\n'; Fm='\n%s\n\n%s\n'; Fr='\nRAM details\n%s\n'; Fs='\n%s: %s\n'; Fu='user %s%%, system %s%%'; PB="/usr/libexec/PlistBuddy -c Print"; A () { [[ a -eq 0 ]]; }; M () { find -L "$d" -type f | while read f; do file -b "$f" | egrep -lq XML\|exec && echo $f; done; }; Pc () { o=`grep -v '^ *#' "$2"`; Pm "$1"; }; Pm () { [[ "$o" ]] && o=`sed '/^ *$/d; s/^ */ /' <<< "$o"` && printf "$Fm" "$1" "$o"; }; Pp () { o=`$PB "$2" | awk -F'= ' \/$3'/{print $2}'`; Pm "$1"; }; Ps () { o=`echo $o`; [[ ! "$o" =~ ^0?$ ]] && printf "$Fs" "$1" "$o"; }; R () { o=; [[ r -eq 0 ]]; }; SP () { system_profiler SP${1}DataType; }; id | grep -qw '80(admin)'; a=$?; A && sudo true; r=$?; t=`date +%s`; clear; { A || echo $'No admin access\n'; A && ! R && echo $'No root access\n'; SP Software | sed '8!d;s/^ *//'; o=`SP Hardware | awk '/Mem/{print $2}'`; o=$((o<4?o:0)); Ps "Total RAM (GB)"; o=`SP Memory | sed '1,5d; /[my].*:/d'`; [[ "$o" =~ s:\ [^O]|x([^08]||0[^2]8[^0]) ]] && printf "$Fr" "$o"; o=`SP Diagnostics | sed '5,6!d'`; [[ "$o" =~ Pass ]] || Pm "POST"; for b in Thunderbolt USB; do o=`SP $b | sed -n '1d; /:$/{s/ *:$//;x;s/\n//p;}; /^ *V.* [0N].* /{s/ 0x.... //;s/[()]//g;s/\(.*: \)\(.*\)/ \(\2\)/;H;}; /Apple/{s/.//g;h;}'`; Pm $b; done; o=`pmset -g therm | sed 's/^.*C/C/'`; [[ "$o" =~ No\ th|pms ]] && o=; Pm "Thermal conditions"; o=`pmset -g sysload | grep -v :`; [[ "$o" =~ =\ [^GO] ]] || o=; Pm "System load advisory"; o=`nvram boot-args | awk '{$1=""; print}'`; Ps "boot-args"; d=(/ ""); D=(System User); E=; for i in 0 1; do o=`cd ${d[$i]}L*/L*/Dia* || continue; ls | while read f; do [[ "$f" =~ h$ ]] && grep -lq "^Thread c" "$f" && e=" *" || e=; awk -F_ '!/ag$/{$NF=a[split($NF,a,".")]; print $0 "'"$e"'"}' <<< "$f"; done | tail`; Pm "${D[$i]} diagnostics"; done; [[ "$o" =~ \*$ ]] && printf $'\n* Code injection\n'; o=`syslog -F bsd -k Sender kernel -k Message CReq 'GPU |hfs: Ru|I/O e|n Cause: -|NVDA\(|pagin|SATA W|ssert|timed? ?o' | tail -n25 | awk '/:/{$4=""; $5=""};1'`; Pm "Kernel messages"; o=`df -m / | awk 'NR==2 {print $4}'`; o=$((o<5120?o:0)); Ps "Free space (MiB)"; o=$(($(vm_stat | awk '/eo/{sub("\\.",""); print $2}')/256)); o=$((o>=1024?o:0)); Ps "Pageouts (MiB)"; s=( `sar -u 1 10 | sed '$!d'` ); [[ s[4] -lt 85 ]] && o=`printf "$Fu" ${s[1]} ${s[3]}` || o=; Ps "Total CPU usage" && { s=(`ps acrx -o comm,ruid,%cpu | sed '2!d'`); o=${s[2]}%; Ps "CPU usage by process \"$s\" with UID ${s[1]}"; }; s=(`top -R -l1 -n1 -o prt -stats command,uid,prt | sed '$!d'`); s[2]=${s[2]%[+-]}; o=$((s[2]>=25000?s[2]:0)); Ps "Mach ports used by process \"$s\" with UID ${s[1]}"; o=`kextstat -kl | grep -v com\\.apple | cut -c53- | cut -d\< -f1`; Pm "Loaded extrinsic kernel extensions"; R && o=`sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix\.cron)|org\.(amav|apac|calendarse|cups|dove|isc|ntp|post[fg]|x)/{print $3}'`; Pm "Extrinsic system jobs"; o=`launchctl list | sed 1d | awk '!/0x|com\.apple|org\.(x|openbsd)|\.[0-9]+$/{print $3}'`; Pm "Extrinsic agents"; o=`for d in {/,}L*/Lau*; do M; done | grep -v com\.apple\.CSConfig | while read f; do ID=$($PB\ :Label "$f") || ID="No job label"; printf "$Fb" "$f" "$ID"; done`; Pm "launchd items"; o=`for d in /{S*/,}L*/Star*; do M; done`; Pm "Startup items"; o=`find -L /S*/L*/E* {/,}L*/{A*d,Compon,Ex,In,Keyb,Mail/B,P*P,Qu*T,Scripti,Servi,Spo}* -type d -name Contents -prune | while read d; do ID=$($PB\ :CFBundleIdentifier "$d/Info.plist") || ID="No bundle ID"; [[ "$ID" =~ ^com\.apple\.[^x]|Accusys|ArcMSR|ATTO|HDPro|HighPoint|driver\.stex|hp-fax|\.hpio|JMicron|microsoft\.MDI|print|SoftRAID ]] || printf "$Fb" "${d%/Contents}" "$ID"; done`; Pm "Extrinsic loadable bundles"; o=`find -L /u*/{,*/}lib -type f | while read f; do file -b "$f" | grep -qw shared && ! codesign -v "$f" && echo $f; done`; Pm "Unsigned shared libraries"; o=`for e in DYLD_INSERT_LIBRARIES DYLD_LIBRARY_PATH; do launchctl getenv $e; done`; Pm "Environment"; o=`find -L {,/u*/lo*}/e*/periodic -type f -mtime -10d`; Pm "Modified periodic scripts"; o=`scutil --proxy | grep Prox`; Pm "Proxies"; o=`scutil --dns | awk '/r\[0\] /{if ($NF !~ /^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./) print $NF; exit}'`; Ps "DNS"; R && o=`sudo profiles -P | grep : | wc -l`; Ps "Profiles"; f=auto_master; [[ `md5 -q /etc/$f` =~ ^b166 ]] || Pc $f /etc/$f; for f in fstab sysctl.conf crontab launchd.conf; do Pc $f /etc/$f; done; Pc "hosts" <(grep -v 'host *$' /etc/hosts); Pc "User launchd" ~/.launchd*; R && Pc "Root crontab" <(sudo crontab -l); Pc "User crontab" <(crontab -l); R && o=`sudo defaults read com.apple.loginwindow LoginHook`; Pm "Login hook"; Pp "Global login items" /L*/P*/loginw* Path; Pp "User login items" L*/P*/*loginit* Name; Pp "Safari extensions" L*/Saf*/*/E*.plist Bundle | sed 's/\..*$//;s/-[1-9]$//'; o=`find ~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 \) | wc -l`; Ps "Restricted user files"; cd; o=`SP Fonts | egrep "Valid: N|Duplicate: Y" | wc -l`; Ps "Font problems"; o=`find L*/{Con,Pref}* -type f ! -size 0 -name *.plist | while read f; do plutil -s "$f" >&- || echo $f; done`; Pm "Bad plists"; d=(Desktop L*/Keyc*); n=(20 7); for i in 0 1; do o=`find "${d[$i]}" -type f -maxdepth 1 | wc -l`; o=$((o<=n[$i]?0:o)); Ps "${d[$i]##*/} file count"; done; o=$((`date +%s`-t)); Ps "Elapsed time (s)"; } 2>/dev/null | pbcopy; exit 2>&-

exec bash

If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know your password, or if you prefer not to enter it, just press return three times at the password prompt.

If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line "[Process completed]" to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report your results. No harm will be done.

8. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

When you post the results, you might see the message, "You have included content in your post that is not permitted." It means that the forum software has misidentified something in the post as a violation of the rules. If it happens, please post the test results on Pastebin, then post a link here to the page you created.

Note: This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.

________________________________

Krirkfah wrote:

What does "LibClamAV Error" mean?

I believe it means that there wasn't sufficient room on your hard drive to create a temporary file for analysis.

>> When message showed from Dr.web,I clicked "Cure". In about 1 minute,It showed the red cross (look at image1).

It seems to show that when unable to remove an item due to it being locked or not having permissions to do so. It has seemingly removed most of that hidden app, since it says '0 bytes'

As MadMacs0 has said, you're running out of space, did you run omnidisksweeper to see where these files are?.

Okay, things are definitely not looking good. You have a hidden folder in your home folder containing a suspicious app. It's the executable portion of that app that was identified as malicious. I wish I knew where it came from or how it got there!

Unfortunately, this malware is known to be able to download and install other components, such as a keylogger. Further, this is a newer variant than the one that I'm familiar with, so it very well may include some kind of backdoor that allows the hackers behind it to make custom modifications to your machine remotely. At this point, I truly wouldn't recommend anything less than erasing the hard drive completely and reinstalling everything from scratch:

How to reinstall Mac OS X from scratch

It is always possible that this is a false positive. I would think this is unlikely, since the app in question is inside an invisible folder named ".Install" - this is a very common malware trick. I personally would not take the risk.