Krirkfah

Q: Trojan BackDoor.Wirenet.2

Help me please! My MacBook Pro (late 2013) is infected with a trojan (BackDoor.Wirenet.2). How do I remove it?

MacBook Pro with Retina display, OS X Mavericks (10.9.1)

Posted on Feb 6, 2014 11:00 AM


Previous Page 2
  • by thomas_r., Level 7 (30,924 points), Mac OS X
    Feb 8, 2014 6:56 AM in response to Krirkfah

    Okay, things are definitely not looking good. You have a hidden folder in your home folder containing a suspicious app. It's the executable portion of that app that was identified as malicious. I wish I knew where it came from or how it got there!

    Unfortunately, this malware is known to be able to download and install other components, such as a keylogger. Further, this is a newer variant than the one that I'm familiar with, so it very well may include some kind of backdoor that allows the hackers behind it to make custom modifications to your machine remotely. At this point, I truly wouldn't recommend anything less than erasing the hard drive completely and reinstalling everything from scratch:

    How to reinstall Mac OS X from scratch

    It is always possible that this is a false positive. I would think this is unlikely, since the app in question is inside an invisible folder named ".Install" - this is a very common malware trick. I personally would not take the risk.
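The finding thomas_r. describes above (an app bundle sitting in a dot-prefixed folder directly under the home folder) can be checked for mechanically. The script below is an added example and is not code from this thread or from any of the posters; it takes the home directory as an argument so it can be demonstrated on a constructed sample tree, and the sample folder names (.Install, Installer.app, Legit.app) are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: find app bundles that live inside a
# hidden (dot-prefixed) directory directly under a home folder, the pattern
# described for the ".Install" folder. The function takes the home directory
# as an argument; on a real Mac call it as:  find_hidden_app_bundles "$HOME"

find_hidden_app_bundles() {
    home_dir=$1
    # Every dot-directory one level below the home folder (.Trash, .ssh, .Install ...).
    find "$home_dir" -mindepth 1 -maxdepth 1 -type d -name '.*' |
    while IFS= read -r hidden; do
        # Any .app bundle within a few levels of that hidden directory.
        find "$hidden" -maxdepth 4 -type d -name '*.app' |
        while IFS= read -r app; do
            macos_dir="$app/Contents/MacOS"
            [ -d "$macos_dir" ] || continue
            # Report each executable in Contents/MacOS: that is the part of the
            # bundle a scanner flags, as in the detection discussed above.
            for exe in "$macos_dir"/*; do
                if [ -f "$exe" ] && [ -x "$exe" ]; then
                    printf '%s\t%s\n' "$app" "$exe"
                fi
            done
        done
    done
}

# Constructed sample home folder (made up for this demonstration): one bundle
# hidden under .Install, one ordinary bundle under Applications, and an empty
# .ssh directory that must not be reported.
build_sample_home() {
    sample=$(mktemp -d)
    mkdir -p "$sample/.Install/Installer.app/Contents/MacOS" \
             "$sample/Applications/Legit.app/Contents/MacOS" \
             "$sample/.ssh"
    for exe in "$sample/.Install/Installer.app/Contents/MacOS/Installer" \
               "$sample/Applications/Legit.app/Contents/MacOS/Legit"; do
        printf '#!/bin/sh\nexit 0\n' > "$exe"
        chmod 755 "$exe"
    done
    printf '%s\n' "$sample"
}

sample_home=$(build_sample_home)
find_hidden_app_bundles "$sample_home"   # one line: the bundle under .Install
rm -rf "$sample_home"
```

Run against a real home folder, anything in .Trash is reported as well, which is expected. A hit is a lead, not a verdict: look at the executable (for example with `codesign -dv`), and if it is confirmed malicious, follow the advice above and wipe rather than delete.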

  • by lytic, Level 1 (5 points)
    Feb 10, 2014 3:42 AM in response to Krirkfah

    Hi, I am a malware analyst at Dr.Web. A full disk is our innovative cure method: "fill the disk and the malware stops working!" Just joking. Sorry, but the full-disk problem is probably our fault. Anyway, you should ask the developers on the forum: http://forum.drweb.com/index.php?showforum=51

  • by thomas_r., Level 7 (30,924 points), Mac OS X
    Feb 10, 2014 5:25 AM in response to lytic

    Hi, I am a malware analyst at Dr.Web.

    Can you provide any additional comments regarding the malware? I'm not familiar with this variant of Wirenet, so I don't know how it got installed or whether it actually contains a backdoor that would allow for additional installs or system modifications.

  • by lytic, Level 1 (5 points)
    Feb 11, 2014 9:41 AM in response to thomas_r.

    There is a similar file on torrents, "MS Office 2011 Volume license.rar", about 107KB in size.

  • by Krirkfah, Level 1 (4 points), Mac OS X
    Feb 13, 2014 1:03 AM in response to thomas_r.

    Thank you for your comments. I fixed it by shutting down my Mac. After I had turned it on again, the "Other" space was recovered. When I scanned for malware with Dr.Web, it didn't find any malware, and my Mac is normal. Consequently, I think OS X Mavericks lagged in reading the space.

  • by Krirkfah, Level 1 (4 points), Mac OS X
    Feb 13, 2014 1:04 AM in response to andyBall_uk

    Thank you for your comments.

  • by Krirkfah, Level 1 (4 points), Mac OS X
    Feb 13, 2014 1:08 AM in response to Linc Davis

    Thanks for your comments.

  • by Krirkfah, Level 1 (4 points), Mac OS X
    Feb 13, 2014 1:08 AM in response to MadMacs0

    Thanks.

  • by nikdgr, Level 1 (0 points)
    Feb 15, 2014 1:25 AM in response to Linc Davis

    I was recently reviewing your comments. I was told my MacBook Pro was compromised by a colleague, using brute force to enter a backdoor allowing rootkit access and administration rights. I believe if I use the Time Machine backup files I will end up having these rights reinstated when uploading the backup.

    But first, I would like your opinion concerning the following information collected, and what course of action I should proceed with for removing and securing, in the event there is substantial information in the MacBook Pro log following my comments.

    Thank you for any support

    Boot Mode: Normal

    USB
       Hub (SMSC)
       Hub (SMSC)

    System diagnostics
       Preview 2014-01-28-003447 hang
       SecurityAgent 2014-01-30-141803 crash
       SecurityAgent 2014-01-30-141811 crash
       SecurityAgent 2014-01-30-141949 crash
       SecurityAgent 2014-01-30-142226 crash
       SecurityAgent 2014-01-30-142411 crash
       SecurityAgent 2014-01-30-142519 crash

    User diagnostics
       cider 2014-01-26-234202 crash

    Extrinsic system jobs
       com.microsoft.office.licensing.helper

    launchd items
       /Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist
                 (com.microsoft.office.licensing.helper)
       Library/LaunchAgents/com.apple.FolderActions.enabled.plist
                 (com.apple.FolderActions.enabled)
       Library/LaunchAgents/com.apple.FolderActions.folders.plist
                 (com.apple.FolderActions.folders)

    Extrinsic loadable bundles
       /System/Library/Extensions/HuaweiDataCardDriver.kext
                 (com.huawei.driver.HuaweiDataCardDriver)
       /Library/Internet Plug-Ins/Flash Player.plugin
                 (com.macromedia.Flash Player.plugin)
       /Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin
                 (com.microsoft.sharepoint.browserplugin)
       /Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin
                 (com.microsoft.sharepoint.webkitplugin)
       /Library/PreferencePanes/Flash Player.prefPane
                 (com.adobe.flashplayerpreferences)
       /Library/Spotlight/LogicPro.mdimporter
                 (No bundle ID)

    Unsigned shared libraries
       /usr/lib/bkLib.dylib
       /usr/lib/lib6200Lib.dylib
       /usr/lib/lib6246Lib.dylib
       /usr/lib/lib6270Lib.dylib
       /usr/lib/lib7225lib.dylib
       /usr/lib/lib8200Alib.dylib
       /usr/lib/lib8200lib.dylib
       /usr/lib/lib8220lib.dylib
       /usr/lib/libAgent.dylib
       /usr/lib/libcurl.zte.dylib
       /usr/lib/libIceraDownloadLib.dylib
       /usr/lib/libmd5.dylib
       /usr/lib/libTinyXml.dylib

    Restricted user files: 317

    Font problems: 40

    Elapsed time (s): 213
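The "launchd items" and "Unsigned shared libraries" sections of a report like the one above are where persistence shows up, and the report only lists them; it does not say what each item runs. The script below is an added example, not code from this thread, from the diagnostic tool that produced the report, or from any poster. It summarises each launchd plist (Label and the program it launches), flags items whose label is not com.apple.* or whose program lives outside the system paths, and, only where `codesign` exists, verifies the signature of that program. The sample plists, labels and paths it builds are made up for the demonstration and are not taken from the report above.

```shell
#!/bin/sh
# Added example, not code from the thread: triage launchd items. A com.apple.*
# label is only a string anyone can write into a plist, so the program path
# and, on a real Mac, a codesign verification are the checks that carry weight.

plist_to_xml() {
    # launchd plists on macOS may be binary; plutil converts them to XML.
    # Where plutil is absent the file is assumed to be XML already.
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}

launchd_item_summary() {
    # Prints "<plist path> TAB <Label> TAB <program>" for one plist.
    plist=$1
    # Flatten the XML to one line with no whitespace between tags so a single
    # sed expression can pick out a key and the value that follows it.
    flat=$(plist_to_xml "$plist" | tr -d '\n\t' | sed 's/> *</></g')
    label=$(printf '%s' "$flat" |
        sed -n 's/.*<key>Label<\/key><string>\([^<]*\)<\/string>.*/\1/p')
    prog=$(printf '%s' "$flat" |
        sed -n 's/.*<key>Program<\/key><string>\([^<]*\)<\/string>.*/\1/p')
    [ -n "$prog" ] || prog=$(printf '%s' "$flat" |
        sed -n 's/.*<key>ProgramArguments<\/key><array><string>\([^<]*\)<\/string>.*/\1/p')
    printf '%s\t%s\t%s\n' "$plist" "${label:-?}" "${prog:-?}"
}

triage_launchd_dirs() {
    # Walks each directory given; prints "<flags> TAB <summary>" per plist.
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            summary=$(launchd_item_summary "$plist")
            label=$(printf '%s\n' "$summary" | cut -f2)
            prog=$(printf '%s\n' "$summary" | cut -f3)
            flags=""
            case "$label" in
                com.apple.*) ;;
                *) flags="third-party" ;;
            esac
            case "$prog" in
                /System/*|/usr/libexec/*|/usr/sbin/*|/usr/bin/*|/sbin/*|/bin/*) ;;
                *) flags="${flags:+$flags,}non-system-path" ;;
            esac
            # On macOS, verify the signature of the program actually launched.
            if command -v codesign >/dev/null 2>&1 && [ -f "$prog" ]; then
                codesign --verify "$prog" >/dev/null 2>&1 ||
                    flags="${flags:+$flags,}unsigned-or-invalid"
            fi
            printf '%s\t%s\n' "${flags:-ok}" "$summary"
        done
    done
}

# Constructed sample directory (made up): an Apple-style item on a system path,
# an item with a spoofed com.apple.* label pointing into a hidden folder, and a
# plainly third-party helper.
build_sample_launchd_dir() {
    dir=$(mktemp -d)
    cat > "$dir/com.apple.FolderActions.enabled.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.FolderActions.enabled</string>
  <key>ProgramArguments</key><array>
    <string>/System/Library/CoreServices/FolderActionsDispatcher</string></array>
</dict></plist>
EOF
    cat > "$dir/com.apple.updatecheck.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updatecheck</string>
  <key>Program</key><string>/Users/alice/.Install/Installer.app/Contents/MacOS/Installer</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$dir/com.example.helper.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Library/PrivilegedHelperTools/com.example.helper</string>
    <string>--daemon</string></array>
</dict></plist>
EOF
    printf '%s\n' "$dir"
}

sample_dir=$(build_sample_launchd_dir)
triage_launchd_dirs "$sample_dir"
rm -rf "$sample_dir"
```

On a real Mac the call would be `triage_launchd_dirs /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents"`. A "non-system-path" flag on a com.apple.* label is the combination worth chasing first; a third-party item on a third-party path (the Office licensing helper in the report above is one) is normal and is judged by its signature and vendor, not by the flag alone.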

  • by MadMacs0, Level 5 (4,791 points)
    Feb 15, 2014 2:47 AM in response to nikdgr

    nikdgr wrote:

    I was told my MacBook Pro was compromised by a colleague, using brute force to enter a backdoor allowing rootkit access and administration rights.

    Linc will probably be along shortly (although he doesn't always respond to "me too" requests), but I for one would like to know a lot more about how this was accomplished.

    By brute force do you mean someone had physical access to your computer and installed this backdoor? That's normally the only way that sort of thing can happen unless your software is way out-of-date or something new is lurking about. And I'm assuming you meant "root" access, since rootkits are malware attacks. It would be helpful if your colleague could provide specific details on how this was accomplished and any malware found on your computer.

    It also sounds like a law or two was broken here and you should be contacting appropriate authorities to both find the perpetrator and determine what information has been compromised, before you attempt anything such as restoration from backup.

  • by thomas_r., Level 7 (30,924 points), Mac OS X
    Feb 15, 2014 4:09 AM in response to nikdgr

    I was told my MacBook Pro was compromised by a colleague

    I would strongly recommend you start your own topic, since it's very unlikely that the Wirenet malware is involved in your case.

    One thing I will say here, though, is that if a colleague has had physical access to your machine, and if you have good reason to believe that this colleague has done something malicious to your computer, there is only one reasonable solution: erase the hard drive and reinstall everything from scratch. There is no reliable method for detecting and removing whatever your colleague might have done, especially since it may not have involved any kind of malware at all, but just reconfiguration of built-in system components or already installed third-party software.

  • by thomas_r., Level 7 (30,924 points), Mac OS X
    Mar 29, 2014 6:54 AM in response to Krirkfah

    I don't know how, or if, you resolved this situation, but I just thought you deserved to know that you should be protected from this malware in the future. Apple updated XProtect yesterday, and now it blocks the samples of Wirenet.2 that I submitted to them on Thursday.

    New NetWeird variants added to XProtect
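Whether a given Mac has actually received the XProtect update thomas_r. mentions can be read off the local definition files. The script below is an added example, not code from this thread or from Apple: it reads the definitions version from XProtect.meta.plist and lists the signature names in XProtect.plist that match a pattern. The directory path is the one used on Mavericks-era systems; the sample files it builds, the version number in them and the entry name "OSX.Wirenet.A" are made up for the demonstration, so the real entry name for Wirenet.2 may differ.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect the locally installed
# XProtect definitions. XPROTECT_DIR is the Mavericks-era location; the
# sample plists below are constructed for the demonstration.

XPROTECT_DIR=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources

flatten_plist() {
    # One line, no whitespace between tags, so key/value pairs are adjacent.
    tr -d '\n\t' < "$1" | sed 's/> *</></g'
}

xprotect_version() {
    # The Version integer from XProtect.meta.plist.
    flatten_plist "$1" |
        sed -n 's/.*<key>Version<\/key><integer>\([0-9]*\)<\/integer>.*/\1/p'
}

xprotect_entries() {
    # Description strings of the signatures in XProtect.plist whose name
    # matches the case-insensitive extended regex $2. Exit status is
    # non-zero when nothing matches, so callers can test for coverage.
    flatten_plist "$1" |
        grep -o '<key>Description</key><string>[^<]*</string>' |
        sed 's/<key>Description<\/key><string>\(.*\)<\/string>/\1/' |
        grep -i -E "$2"
}

# Constructed sample definition files (made up for this demonstration).
build_sample_xprotect() {
    dir=$(mktemp -d)
    cat > "$dir/XProtect.meta.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>LastModification</key><string>Fri, 28 Mar 2014 17:00:00 GMT</string>
  <key>Version</key><integer>2057</integer>
</dict></plist>
EOF
    cat > "$dir/XProtect.plist" <<'EOF'
<plist version="1.0"><array>
  <dict>
    <key>Description</key><string>OSX.Example.A</string>
    <key>Matches</key><array/>
  </dict>
  <dict>
    <key>Description</key><string>OSX.Wirenet.A</string>
    <key>Matches</key><array/>
  </dict>
</array></plist>
EOF
    printf '%s\n' "$dir"
}

sample=$(build_sample_xprotect)
printf 'XProtect definitions version: %s\n' \
    "$(xprotect_version "$sample/XProtect.meta.plist")"
if xprotect_entries "$sample/XProtect.plist" 'wirenet|netweird'; then
    echo 'Wirenet/NetWeird signatures present'
else
    echo 'no Wirenet/NetWeird signature in these definitions'
fi
rm -rf "$sample"
```

On a real Mavericks system the same two calls would be made against "$XPROTECT_DIR/XProtect.meta.plist" and "$XPROTECT_DIR/XProtect.plist". A missing entry does not mean the machine is unprotected in some other way, only that this particular update has not arrived; XProtect definitions are fetched by the system's own update mechanism, so an older version number is the thing to investigate.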
