Mac.BackDoor.iWorm

Do we have any official/semi-official answer yet on how to detect/remove this malware?

MacBook Air (13-inch, Early 2014), OS X Mavericks (10.9.5)

Posted on Oct 3, 2014 8:44 AM

7 replies

Oct 3, 2014 10:24 AM in response to henleygoldnet

maestroarts wrote:


Do we have any official/semi-official answer yet on how to detect/remove this malware?

Very little. Have not even been able to find anybody that has it, nobody seems to know where it comes from and only the executable files have been found, apparently not including the downloader Apple needs to come up with a signature for it.


With only 17,000 infected computers, it's highly unlikely you are one of them.


Intego and Dr. Web say they can remove it.


Look for this directory: /Library/Applications Support/JavaW/. If you find it, move it to your trash can and come back so I can tell you a couple of other things to look for.

Oct 3, 2014 11:13 AM in response to henleygoldnet

iWorm is not really new, known since 2009.

https://securelist.social-kaspersky.com/en/descriptions/iframe/Backdoor.OSX.iWorm.c


http://malware.wikia.com/wiki/OSX.iWorm



On a Belgian computer forum it is mentioned that illegal software from The Pirate Bay is a possible cause ➽ read post #2.

http://www.intermactivity.be/forum/showthread.php?123944-OSX-malware-opent-de-achterdeur-Mac-BackDoor-iWorm


I just found this: Roll-your-own Defense Against Mac.BackDoor.iWorm:

http://jacobsalmela.com/roll-defense-mac-backdoor-iworm/

Oct 3, 2014 12:34 PM in response to Raicya

Raicya wrote:


iWorm is not really new, known since 2009.

No, this is something very different. It bears resemblance to the old iService malware in many ways, but installs its files in very different places, establishes outgoing communications in a unique manner and sets it up as a botnet.


See Dr. Web announces new “iWorm” malware for most of what we know about this so far.

Jan 28, 2015 5:56 PM in response to tngn

tngn wrote:


Is it worth setting up Folder Actions as in the page at the link you provided?

I don't know your circumstances, but I would guess no. XProtect and GateKeeper should provide adequate protection now against future infection from iWorm as long as you don't disable it, if iWorm actually still exists anywhere today. AFAIK, all the active sources of this malware have been shut down.

Are there Network Actions so that users can be alerted if an outgoing connection is established outside of system software like Safari?

Not provided by OS X. You would have to invest in something like Little Snitch or Hands Off or an A-V software suite that provides such a firewall. A better alternative is to simply stay away from sketchy sites that distribute unlicensed media and software. That's the only place where iWorm was ever found.
