mac.backdoor.iworm

Question

Level 1

50 points

mac.backdoor.iworm

I have it and got rid of at least what I could ... the "JavaW" Folder and File inside... I don't know what other parts are lingering.... hopefully I'll find out what and where and will pass on what I learn... nothing seems to have been affected except Internet Browsing sometimes gets stuck on stupid and Apple Mail I have a ton of Junk Mail pouring in non-stop and it seems impossible to get rid of it all even after Deleting them all, they just keep pouring in like a big hole in a dam.

Robert ~ MacAwesome88

MacBook Pro, OS X Mavericks (10.9.2), MacBook Pro 15 Mid 2012 2.3Ghz,

Posted on Oct 3, 2014 2:45 PM

Reply

Answer 1

babowa

Level 9

78,429 points

Oct 3, 2014 3:01 PM in response to MacAwesome88

Have a read here:

http://www.thesafemac.com/dr-web-announces-new-iworm-malware/

Reply

Answer 2

Linc Davis

Level 10

209,649 points

Oct 3, 2014 4:09 PM in response to MacAwesome88

Do you know where you downloaded it? From a web page, or a torrent? Also see below.

1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.

Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.

2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.

There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.

You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.

In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.

You may not be able to understand the script yourself. But variations of the script have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message.

Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.

4. Here's a summary of what you need to do, if you choose to proceed:

☞ Copy a line of text in this window to the Clipboard.

☞ Paste into the window of another application.

☞ Wait for the test to run. It usually takes a few minutes.

☞ Paste the results, which will have been copied automatically, back into a reply on this page.

The sequence is: copy, paste, wait, paste again. You don't need to copy a second time. Details follow.

5. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode, under the conditions in which the problem is reproduced. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.

6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.

7. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in the browser window, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.

Triple-click anywhere in the line of text below on this page to select it:

PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/libexec;clear;cd;p=(Software Hardware Memory Diagnostics Power FireWire Thunderbolt USB Fonts SerialATA 4 1000 25 5120 KiB/s 1024 85 \\b%% 20480 1 MB/s 25000 ports ' com.clark.\* \*dropbox \*genieo\* \*GoogleDr\* \*k.AutoCAD\* \*k.Maya\* vidinst\* ' DYLD_INSERT_LIBRARIES\ DYLD_LIBRARY_PATH -86 "` route -n get default|awk '/e:/{print $2}' `" 25 N\\/A down up 102400 25600 recvfrom sendto CFBundleIdentifier 25 25 25 1000 MB com.apple.AirPortBaseStationAgent 464843899 51 5120 files );N5=${#p[@]};p[N5]=` networksetup -listnetworkserviceorder|awk ' NR>1 { sub(/^$[0-9]+$ /,"");n=$0;getline;} $NF=="'${p[26]}')" { sub(/.$/,"",$NF);print n;exit;} ' `;f=('\n%s: %s\n' '\n%s\n\n%s\n' '\nRAM details\n%s\n' %s\ %s '%s\n-\t%s\n' );S0() { echo ' { q=$NF+0;$NF="";u=$(NF-1);$(NF-1)="";gsub(/^ +| +$/,"");if(q>='${p[$1]}') printf("%s (UID %s) is using %s '${p[$2]}'",$0,u,q);} ';};s=(' /^ *$|CSConfigDot/d;s/^ */ /;s/[-0-9A-Fa-f]{22,}/UUID/g;s/(ochat)\.[^.]+(\..+)/\1\2/;/Shared/!s/\/Users\/[^/]+/~/g ' ' s/^ +//;/de: S|[nst]:/p;' ' {sub(/^ +/,"")};/er:/;/y:/&&$2<'${p[10]} ' 1s/://;3,6d;/[my].+:/d;s/^ {4}//;H;${ g;s/\n$//;/s: [^EO]|x([^08]|02[^F]|8[^0])/p;} ' ' 5h;6{ H;g;/P/!p;} ' ' ($1~/^Cy/&&$3>'${p[11]}')||($1~/^Cond/&&$2!~/^N/) ' ' /:$/{ N;/:.+:/d;s/ *://;b0'$'\n'' };/^ *(V.+ [0N]|Man).+ /{ s/ 0x.... //;s/[()]//g;s/(.+: )(.+)/ (\2)/;H;};$b0'$'\n'' d;:0'$'\n'' x;s/\n\n//;/Apple[ ,]|Genesy|Intel|SMSC/d;s/\n.*//;/\)$/p;' ' s/^.*C/C/;H;${ g;/No th|pms/!p;} ' '/= [^GO]/p' '{$1=""};1' ' /Of/!{ s/^.+is |\.//g;p;} ' ' $0&&!/ / { n++;print;} END { if(n<200) print "com.apple.";} ' ' $3~/[0-9]:[0-9]{2}$/ { gsub(/:[0-9:a-f]{14}/,"");} { print|"tail -n'${p[12]}'";} ' ' NR==2&&$4<='${p[13]}' { print $4;} ' ' END { $2/=256;if($2>='${p[15]}') print int($2) } ' ' NR!=13{next};{sub(/[+-]$/,"",$NF)};'"`S0 21 22`" 'NR!=2{next}'"`S0 37 17`" ' NR!=5||$8!~/[RW]/{next};{ $(NF-1)=$1;$NF=int($NF/10000000);for(i=1;i<=3;i++){$i="";$(NF-1-i)="";};};'"`S0 19 20`" 's:^:/:p' '/\.kext\/(Contents\/)?Info\.plist$/p' 's/^.{52}(.+) <.+/\1/p' ' /Launch[AD].+\.plist$/ { n++;print;} END { print "'${p[41]}'";if(n<200) print "/System/";} ' '/\.xpc\/(Contents\/)?Info\.plist$/p' ' NR>1&&!/0x|\.[0-9]+$|com\.apple\.launchctl\.(Aqua|Background|System)$|'${p[41]}'/ { print $3;} ' ' /\.(framew|lproj)|\):/d;/plist:|:.+(Mach|scrip)/s/:[^:]+//p ' '/^root$/p' ' !/\/Contents\/.+\/Contents|Applic|Autom|Frameworks/&&/Lib.+\/Info.plist$/ { n++;print;} END { if(n<1100) print "/System/";} ' '/^\/usr\/lib\/.+dylib$/p' ' /Temp|emac/{next};/(etc|Preferences|Launch[AD].+)\// { sub(".(/private)?","");n++;print;} END { print "'${p[41]}'.plist\t'${p[42]}'";if(n<500) print "Launch";} ' ' /\/(Contents\/.+\/Contents|Frameworks)\/|\.wdgt\/.+\.([bw]|plu)/d;p;' 's/\/(Contents\/)?Info.plist$//;p' ' { gsub("^| |\n","\\|\\|kMDItem'${p[35]}'=");sub("^...."," ") };1 ' p '{print $3"\t"$1}' 's/\'$'\t''.+//p' 's/1/On/p' '/Prox.+: [^0]/p' '$2>'${p[43]}'{$2=$2-1;print}' ' BEGIN { i="'${p[26]}'";M1='${p[16]}';M2='${p[18]}';M3='${p[31]}';M4='${p[32]}';} !/^A/{next};/%/ { getline;if($5<M1) a="user "$2"%, system "$4"%";} /disk0/&&$4>M2 { b=$3" ops/s, "$4" blocks/s";} $2==i { if(c) { d=$3+$4+$5+$6;next;};if($4>M3||$6>M4) c=int($4/1024)" in, "int($6/1024)" out";} END { if(a) print "CPU: "a;if(b) print "I/O: "b;if(c) print "Net: "c" (KiB/s)";if(d) print "Net errors: "d" packets/s";} ' ' /r\[0\] /&&$NF!~/^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./ { print $NF;exit;} ' ' !/^T/ { printf "(static)";exit;} ' '/apsd|BKAg|OpenD/!s/:.+//p' ' (/k:/&&$3!~/(255\.){3}0/ )||(/v6:/&&$2!~/A/ ) ' ' $1~"lR"&&$2<='${p[25]}';$1~"li"&&$3!~"wpa2";' ' BEGIN { FS=":";p="uniq -c|sed -E '"'s/ +\$[0-9]+\$\$.+\$/\\\2 x\\\1/;s/x1$//'"'";} { n=split($3,a,".");sub(/_2[01].+/,"",$3);print $2" "$3" "a[n]$1|p;b=b$1;} END { close(p);if(b) print("\n\t* Code injection");} ' ' NR!=4{next} {$NF/=10240} '"`S0 27 14`" ' END { if($3~/[0-9]/)print$3;} ' ' BEGIN { L='${p[36]}';} !/^[[:space:]]*(#.*)?$/ { l++;if(l<=L) f=f"\n "$0;} END { F=FILENAME;if(!F) exit;if(!f) f="\n [N/A]";"file -b "F|getline T;if(T!~/^(AS.+ (En.+ )?text$|(Bo|PO).+ sh.+ text ex)/) F=F" ("T")";printf("\nContents of %s\n%s\n",F,f);if(l>L) printf("\n ...and %s more line(s)\n",l-L);} ' ' s/^ ?n...://p;s/^ ?p...:/-'$'\t''/p;' 's/0/Off/p' ' END{print NR} ' ' /id: N|te: Y/{i++} END{print i} ' ' / / { print "'"${p[28]}"'";exit;};1;' '/ en/!s/\.//p' ' NR!=13{next};{sub(/[+-M]$/,"",$NF)};'"`S0 39 40`" ' $10~/\(L/&&$9!~"localhost" { sub(/.+:/,"",$9);print $1": "$9;} ' '/^ +r/s/.+"(.+)".+/\1/p' 's/(.+\.wdgt)\/(Contents\/)?Info\.plist$/\1/p' 's/^.+\/(.+)\.wdgt$/\1/p' ' /l: /{ /DVD/d;s/.+: //;b0'$'\n'' };/s: /{ /V/d;s/^ */- /;H;};$b0'$'\n'' d;:0'$'\n'' x;/APPLE [^:]+$/d;p;' ' /^find: /d;p;' "`S0 44 45`" ' BEGIN{FS="= "} /Path/{print $2} ' );c1=(system_profiler pmset\ -g nvram fdesetup find syslog df vm_stat sar ps sudo\ crontab sudo\ iotop top pkgutil 'PlistBuddy 2>&1 -c "Print' whoami cksum kextstat launchctl sudo\ launchctl crontab 'sudo defaults read' stat lsbom mdfind ' for i in ${p[24]};do ${c1[18]} ${c2[27]} $i;done;' defaults\ read scutil sudo\ dtrace sudo\ profiles sed\ -En awk /S*/*/P*/*/*/C*/*/airport networksetup mdutil sudo\ lsof test osascript\ -e );c2=(com.apple.loginwindow\ LoginHook '" /L*/P*/loginw*' "'tell app \"System Events\" to get properties of login items'|tr , \\\n" 'L*/Ca*/com.ap*.Saf*/E*/* -d 1 -name In*t -exec '"${c1[14]}"' :CFBundleDisplayName" {} \;|sort|uniq' '~ $TMPDIR.. $ -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 $' '.??* -path .Trash -prune -o -type d -name *.app -print -prune' :${p[35]}\" :Label\" '{/,}L*/{Con,Pref}* -type f ! -size 0 -name *.plist -exec plutil -s {} \;' "-f'%N: %l' Desktop L*/Keyc*" therm sysload boot-args status " -F '\$Time \$Message' -k Sender kernel -k Message Req 'bad |Beac|caug|dead[^bl]|FAIL|fail|GPU |hfs: Ru|inval|jnl:|last value [1-9]|n Cause: -|NVDA$|pagin|proc: t|Roamed|rror|ssert|Thrott|tim(ed? ?|ing )o|WARN' -k Message Rne 'Goog|ksadm|SMC:| VALI|xpma' -o -k Sender fseventsd -k Message Req 'SL' " '-du -n DEV -n EDEV 1 10' 'acrx -o comm,ruid,%cpu' '-t1 10 1' '-f -pfc /var/db/r*/com.apple.*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom' '{/,}L*/Lo*/Diag* -type f -regex .\*[cgh] ! -name *ag \( -exec grep -lq "^Thread c" {} \; -exec printf \* \; -o -true $ -execdir stat -f:%Sc:%N -t%F {} \;|sort -t: -k2 |tail -n'${p[38]} '-L {/{S*/,},}L*/Lau* -type f' '-L /{S*/,}L*/StartupItems -type f -exec file {} +' '-L /S*/L*/{C*/Sec*A,E}* {/,}L*/{A*d,Ca*/*/Ex,Co{mpon,reM},Ex,Inter,iTu*/*P,Keyb,Mail/B,Pr*P,Qu*T,Scripti,Sec,Servi,Spo,Widg}* -path \\*s/Resources -prune -o -type f -name Info.plist' '/usr/lib -type f -name *.dylib' `awk "${s[31]}"<<<${p[23]}` "/e*/{auto,{cron,fs}tab,hosts,{[lp],sy}*.conf,pam.d/*,ssh{,d}_config,*.local} {,/usr/local}/etc/periodic/*/* /L*/P*{,/*}/com.a*.{Bo,sec*.ap}*t /S*/L*/Lau*/*t .launchd.conf" list getenv /Library/Preferences/com.apple.alf\ globalstate --proxy '-n get default' -I --dns -getdnsservers\ "${p[N5]}" -getinfo\ "${p[N5]}" -P -m\ / '' -n1 '-R -l1 -n1 -o prt -stats command,uid,prt' '--regexp --only-files --files com.apple.pkg.*|sort|uniq' -kl -l -s\ / '-R -l1 -n1 -o mem -stats command,uid,mem' '+c0 -i4TCP:0-1023' com.apple.dashboard\ layer-gadgets '-d /L*/Mana*/$USER&&echo On' '-app Safari WebKitDNSPrefetchingEnabled' "+c0 -l|awk '{print(\$1,\$3)}'|sort|uniq -c|sort -n|tail -1|awk '{print(\$2,\$3,\$1)}'" '/S*/*/Ca*/*xpc* >&- ||echo No' );N1=${#c2[@]};for j in {0..9};do c2[N1+j]=SP${p[j]}DataType;done;N2=${#c2[@]};for j in 0 1;do c2[N2+j]="-n ' syscall::'${p[33+j]}':return { @out[execname,uid]=sum(arg0) } tick-10sec { trunc(@out,1);exit(0);} '";done;l=(Restricted\ files Hidden\ apps 'Elapsed time (s)' POST Battery Safari\ extensions Bad\ plists 'High file counts' User Heat System\ load boot\ args FileVault Diagnostic\ reports Log 'Free space (MiB)' 'Swap (MiB)' Activity 'CPU per process' Login\ hook 'I/O per process' Mach\ ports kexts Daemons Agents launchd Startup\ items Admin\ access Root\ access Bundles dylibs Apps Font\ issues Inserted\ dylibs Firewall Proxies DNS TCP/IP Wi-Fi Profiles Root\ crontab User\ crontab 'Global login items' 'User login items' Spotlight Memory Listeners Widgets Parental\ Controls Prefetching SATA Descriptors XPC\ cache );N3=${#l[@]};for i in 0 1 2;do l[N3+i]=${p[5+i]};done;N4=${#l[@]};for j in 0 1;do l[N4+j]="Current ${p[29+j]}stream data";done;A0() { id -G|grep -qw 80;v[1]=$?;((v[1]==0))&&sudo true;v[2]=$?;v[3]=`date +%s`;clear >&-;date '+Start time: %T %D%n';};for i in 0 1;do eval ' A'$((1+i))'() { v=` eval "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};A'$((3+i))'() { v=` while read i;do [[ "$i" ]]&&eval "${c1[$1]} ${c2[$2]}" \"$i\"|'${c1[30+i]}' "${s[$3]}";done<<<"${v[$4]}" `;[[ "$v" ]];};A'$((5+i))'() { v=` while read i;do '${c1[30+i]}' "${s[$1]}" "$i";done<<<"${v[$2]}" `;[[ "$v" ]];};';done;A7(){ v=$((`date +%s`-v[3]));};B2(){ v[$1]="$v";};for i in 0 1;do eval ' B'$i'() { v=;((v['$((i+1))']==0))||{ v=No;false;};};B'$((3+i))'() { v[$2]=`'${c1[30+i]}' "${s[$3]}"<<<"${v[$1]}"`;} ';done;B5(){ v[$1]="${v[$1]}"$'\n'"${v[$2]}";};B6() { v=` paste -d: <(printf "${v[$1]}") <(printf "${v[$2]}")|awk -F: ' {printf("'"${f[$3]}"'",$1,$2)} ' `;};B7(){ v=`grep -Fv "${v[$1]}"<<<"$v"`;};C0(){ [[ "$v" ]]&&echo "$v";};C1() { [[ "$v" ]]&&printf "${f[$1]}" "${l[$2]}" "$v";};C2() { v=`echo $v`;[[ "$v" != 0 ]]&&C1 0 $1;};C3() { v=`sed -E "$s"<<<"$v"`&&C1 1 $1;};for i in 1 2;do for j in 0 2 3;do eval D$i$j'(){ A'$i' $1 $2 $3; C'$j' $4;};';done;done;{ A0;D20 0 $((N1+1)) 2;D10 0 $N1 1;B0;C2 27;B0&&! B1&&C2 28;D12 15 37 25 8;A1 0 $((N1+2)) 3;C0;D13 0 $((N1+3)) 4 3;D23 0 $((N1+4)) 5 4;D13 0 $((N1+9)) 59 50;for i in 0 1 2;do D13 0 $((N1+5+i)) 6 $((N3+i));done;D13 1 10 7 9;D13 1 11 8 10;D22 2 12 9 11;D12 3 13 10 12;D23 4 19 44 13;D23 5 14 12 14;D22 6 36 13 15;D22 7 37 14 16;D23 8 15 38 17;D22 9 16 16 18;B1&&{ D22 35 49 61 51;D22 11 17 17 20;for i in 0 1;do D22 28 $((N2+i)) 45 $((N4+i));done;};D22 12 44 54 45;D22 12 39 15 21;A1 13 40 18;B2 4;B3 4 0 19;A3 14 6 32 0;B4 0 5 11;A1 17 41 20;B7 5;C3 22;B4 4 6 21;A3 14 7 32 6;B4 0 7 11;B3 4 0 22;A3 14 6 32 0;B4 0 8 11;B5 7 8;B1&&{ A2 19 26 23;B7 7;C3 23;};A2 18 26 23;B7 7;C3 24;A2 4 20 21;B7 6;B2 9;A4 14 7 52 9;B2 10;B6 9 10 4;C3 25;D13 4 21 24 26;B4 4 12 26;B3 4 13 27;A1 4 22 29;B7 12;B2 14;A4 14 6 52 14;B2 15;B6 14 15 4;B3 0 0 30;C3 29;A1 4 23 27;B7 13;C3 30;D13 24 24 32 31;D13 25 37 32 33;A2 23 18 28;B2 16;A2 16 25 33;B7 16;B3 0 0 34;B2 21;A6 47 21&&C0;B1&&{ D13 21 0 32 19;D13 10 42 32 40;D22 29 35 46 39;};D23 14 1 62 42;D12 34 43 53 44;D12 22 50 32 52;D22 0 $((N1+8)) 51 32;D13 4 8 41 6;D12 26 28 35 34;D13 27 29 36 35;A2 27 32 39&&{ B2 19;A2 33 33 40;B2 20;B6 19 20 3;};C2 36;D23 33 34 42 37;B1&&D23 35 45 55 46;D23 32 31 43 38;D12 36 47 32 48;D13 20 42 32 41;D13 37 2 48 43;D13 4 5 32 1;D13 4 3 60 5;D12 26 48 49 49;B3 4 22 57;A1 26 46 56;B7 22;B3 0 0 58;C3 47;D22 4 4 50 0;D23 22 9 37 7;A7;C2 2;} 2>/dev/null|pbcopy;exit 2>&-

Copy the selected text to the Clipboard by pressing the key combination command-C.

8. Launch the built-in Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.

Click anywhere in the Terminal window and paste by pressing command-V. The text you pasted should vanish immediately. If it doesn't, press the return key.

9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter

exec bash

and press return. Then paste the script again.

10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know the password, or if you prefer not to enter it, press the key combination control-C or just press return three times at the password prompt. Again, the script will still run.

If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line

[Process completed]

to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report what happened. No harm will be done.

12. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.

If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "You are not authorized to post." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.

14. This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.

______________________________________________________________

Copyright © 2014 by Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

Reply

Answer 3

MadMacs0

Level 5

5,227 points

Oct 3, 2014 6:11 PM in response to MacAwesome88

A few of other places to look:

/Library/LaunchDaemons/com.JavaW

/private/var/root/.JavaW [This is an invisible file]

/Users/<YourUserName>/.JavaW [This is an invisible file]

Are you running any type of VMWare?

Are you running OS X 10.9.5 yet and did you have OS X bash Update 1.0 – OS X Mavericks installed when it came out?

Reply

Answer 4

thomas_r.

Level 7

32,001 points

Oct 3, 2014 6:28 PM in response to MacAwesome88

I would also be interested in knowing ANYTHING you may be able to tell us about where this came from. Did you download and install something close to the time of the infection? (If you're not sure when the infection occurred, look back in time in a Time Machine backup, if you have one, and see when the JavaW item showed up. Or, if you haven't actually deleted the file yet, check the modification date, though that may not be 100% reliable.)

Please note, though: if you have a specific URL for what you downloaded that may have included this malware, please don't post it here! That could expose others to the malware. You can e-mail it to me, and I can forward it on to those other folks who are interested. (Linc, I don't know if I still have a valid e-mail address for you... if you want to see whatever URL I might be given, let me know privately.)

(Fair disclosure: I may receive compensation from links to my site and software, in the form of buttons allowing for donations. Donations are not required to use my site or software.)

Reply

Answer 5

MacAwesome88 Author

Level 1

50 points

Oct 4, 2014 1:41 AM in response to MadMacs0

Wow you guys are great with the support here... I'm a Mac tech too but not on the same level as you guys but am always learning...

1> Yes I did check the /Library/LaunchDaemons/com.JavaW Nothing there...

2> No VMWare

3> Yes I most likely got it from a torrent... will have to do much scouring for source.... but I'll stay away from torrents now...

4> I will use Onyx to show invisible files and check the places you mentioned above and get back to you soon.

5> I'll do what Linc David mentioned but when I'm more awake for that task...

6> I did notice from searching as Dr. Web commentors mentioned all these MD5 related files... the main exec file in a folder called "sbin"

MD5 • md5_load.py • md5_load.py • md5_load.pyc • md5_load.pyc • md5_otp.n • md5_speed.py • md5_speed.py

md5.1 • MD5.bs • md5.bundle • md5.bundle • MD5.bundle • MD5.bundle... what's all that?

7> I use Time Machine regularly on a 2TB Passport so I''ll dig into that to try and find whatever I can.

Thank you guys! ; )

Robert

Reply

Answer 6

MadMacs0

Level 5

5,227 points

Oct 4, 2014 2:06 AM in response to MacAwesome88

MacAwesome88 wrote:

1> Yes I did check the /Library/LaunchDaemons/com.JavaW Nothing there...

There's an outside chance it could also be ~/Library/LaunchDaemons/com.JavaW where "~" is your user directory. Since Apple has hidden your user library you will need to hold down the <Option> key while selecting "Library" from the Finder's Go menu. You probably already know that, but there may be others reading this who don't.

MacAwesome88 wrote:

6> I did notice from searching as Dr. Web commentors mentioned all these MD5 related files... the main exec file in a folder called "sbin"

MD5 • md5_load.py • md5_load.py • md5_load.pyc • md5_load.pyc • md5_otp.n • md5_speed.py • md5_speed.py

md5.1 • MD5.bs • md5.bundle • md5.bundle • MD5.bundle • MD5.bundle... what's all that?

I didn't read anything about this thing installing any MD5 files in Dr. Web, only that the process uses MD5 extensively to identify directories to see what you have. I'm not certain whether it's to avoid dealing with certain software or if it is looking to store something there. At any rate, I don't see any of the files you mentioned listed by Dr. Web as being installed anywhere and the MD5 executable should be in the Darwin (Unix) portion of the OS called "sbin".

I have not checked all the other files, but most so far are installed in various /System/Library/ directories on my 10.9.5, but not in sbin, so can you double check those locations for us.

Obviously the big piece of information we are looking for is the threat vector (how it got to your Mac) so the biggest contribution you could make at this time is to identify the original source, be it torrent or otherwise.

Reply

Answer 7

MadMacs0

Level 5

5,227 points

Oct 4, 2014 4:04 PM in response to MacAwesome88

Apple is in the process of updating XProtect for OSX.iWorm.A, OSX.iWorm.B, & OSX.iWorm.C.

Mountain Lion and above are version 2050, Lion version 1060 and Snow Leopard version 75.

You should be receiving the update within the next 24-hours.

Reply

Answer 8

Oct 6, 2014 11:57 PM in response to Linc Davis

Start time: 01:44:29 10/07/14

Model Identifier: MacBookPro11,3

System Version: OS X 10.9.5 (13F34)

Kernel Version: Darwin 13.4.0

Time since boot: 1:33

FileVault: FileVault master keychain appears to be installed

Diagnostic reports

2014-10-06 com.apple.WebKit.WebContent crash x2

Log

Oct 6 10:46:50 wl0: Roamed or switched channel, reason #2, bssid 00

Oct 6 10:47:07 wl0: Roamed or switched channel, reason #4, bssid 00

Oct 6 10:47:17 wl0: Roamed or switched channel, reason #2, bssid 00

Oct 6 10:47:27 wl0: Roamed or switched channel, reason #2, bssid 00

Oct 6 10:47:37 wl0: Roamed or switched channel, reason #2, bssid 00

Oct 6 10:47:47 wl0: Roamed or switched channel, reason #2, bssid 00

Oct 6 10:47:57 wl0: Roamed or switched channel, reason #2, bssid 00

Oct 6 10:48:07 wl0: Roamed or switched channel, reason #2, bssid 00

Oct 6 10:48:17 wl0: Roamed or switched channel, reason #2, bssid 00

Oct 6 10:48:26 wl0: Roamed or switched channel, reason #2, bssid 00

Oct 6 10:48:34 AirPort: Link Down on en0. Reason 15 (4-Way Handshake timeout).

Oct 6 12:16:48 SATA WARNING: IDENTIFY DEVICE checksum not implemented.

Oct 6 12:16:48 Previous Shutdown Cause: -128

Oct 6 12:54:50 process WindowServer[102] caught causing excessive wakeups. Observed wakeups rate (per sec): 251; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 60757

Oct 6 13:18:30 SATA WARNING: IDENTIFY DEVICE checksum not implemented.

Oct 6 13:20:13 process WindowServer[101] caught causing excessive wakeups. Observed wakeups rate (per sec): 448; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 45199

Oct 6 13:41:33 SATA WARNING: IDENTIFY DEVICE checksum not implemented.

Oct 6 13:41:39 ARPT: 7.843504: directed SSID scan fail

Oct 6 13:43:10 process WindowServer[100] caught causing excessive wakeups. Observed wakeups rate (per sec): 488; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 46583

Oct 6 14:07:09 process com.apple.WebKit[585] caught causing excessive wakeups. Observed wakeups rate (per sec): 157; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 45114

Oct 6 17:03:30 SATA WARNING: IDENTIFY DEVICE checksum not implemented.

Oct 7 00:11:58 SATA WARNING: IDENTIFY DEVICE checksum not implemented.

Oct 7 00:12:04 ARPT: 8.017051: directed SSID scan fail

Oct 7 00:35:57 en1: promiscuous mode disable failed

Oct 7 00:35:57 en2: promiscuous mode disable failed

kexts

com.avg.Antivirus.OnAccess.kext (14.0)

Daemons

com.microsoft.office.licensing.helper

com.google.keystone.daemon

com.avg.Antivirus

com.avg.Antivirus.infosd

com.adobe.fpsaud

Agents

com.fiplab.MemoryCleanHelper

com.google.keystone.system.agent

com.avg.Antivirus

launchd

/Library/LaunchAgents/com.avg.Antivirus.gui.plist

- com.avg.Antivirus

/Library/LaunchAgents/com.google.keystone.agent.plist

- com.google.keystone.system.agent

/Library/LaunchDaemons/com.adobe.fpsaud.plist

- com.adobe.fpsaud

/Library/LaunchDaemons/com.avg.Antivirus.infosd.plist

- com.avg.Antivirus.infosd

/Library/LaunchDaemons/com.avg.Antivirus.services.plist

- com.avg.Antivirus

/Library/LaunchDaemons/com.google.keystone.daemon.plist

- com.google.keystone.daemon

/Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

- com.microsoft.office.licensing.helper

Bundles

/Library/Internet Plug-Ins/Flash Player.plugin

- N/A

/Library/Internet Plug-Ins/googletalkbrowserplugin.plugin

- com.google.googletalkbrowserplugin

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

- com.apple.java.JavaAppletPlugin

/Library/Internet Plug-Ins/o1dbrowserplugin.plugin

- com.google.o1dbrowserplugin

/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

- com.microsoft.sharepoint.browserplugin

/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

- com.microsoft.sharepoint.webkitplugin

/Library/Internet Plug-Ins/Silverlight.plugin

- com.microsoft.SilverlightPlugin

/Library/PreferencePanes/Flash Player.prefPane

- com.adobe.flashplayerpreferences

Contents of /etc/sysctl.conf

kern.sysv.shmall=65536

kern.sysv.shmmax=268435456

kern.sysv.shmmni=64

kern.sysv.shmseg=32

Font issues: 21

DNS: 209.18.47.61 (static)

User login items

iTunesHelper

- /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app

Restricted files: 321

Elapsed time (s): 139

Reply

Answer 9

Oct 7, 2014 12:09 AM in response to MacAwesome88