Introduction
As reported today (16th February) on the rumour website, MacRumors.com, the first real trojan for Mac OS X has reared its ugly head. Most of the information on this page has been taken from the MacRumors discussion thread on the topic, and for that I apologise unreservedly, but it's the quickest way to get the information to you.
I obtained a copy of the trojan and have uploaded it for inclusion in the ClamAV definition database. The ClamAV website is reporting its current status (as of 16/2/06, 8:19pm GMT) as "Under construction". This means that ClamXav should soon be able to protect Mac OS X users from this trojan.
-- NEWSFLASH -- The trojan has now been included in ClamAV's database; update your definitions to enable ClamXav to detect it.
The file in question promises pictures of the next version of Mac OS X 10.5, codenamed Leopard, and is named "latestpics.tgz".
Note: You cannot be infected by this unless you do all of the following:
- Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
- Double-click on the file to decompress it
- Double-click on the resulting file to "open" it
...and even then, most users must also enter their Admin password.
You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you decompress the file, and then open it.
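An archive that promises pictures but contains something you have to "open" (run) is the whole trick here, and it can be checked before the double-click. The script below is an added example for this page, not code from the ClamXav project or the original article: it lists a .tgz archive without extracting it and flags any regular-file member that carries an execute bit, since image files never need one. The two sample archives it builds are constructed stand-ins for demonstration, not the real "latestpics.tgz"; the name "latestpics" is reused only to mirror the page.

```shell
#!/bin/sh
# Added example (not from the ClamXav page): pre-open check for a downloaded
# .tgz archive. Pictures never need execute permission, so any regular-file
# member with an x bit set is a red flag and the archive should be scanned or
# discarded rather than opened.

# Print the names of regular-file members that carry an execute bit.
# Only the verbose listing (tar -tvzf) is read; nothing is extracted.
# The mode string is the first field and the name the last (member names
# containing spaces would need a more careful parser).
list_executable_members() {
    archive="$1"
    tar -tvzf "$archive" | awk '$1 ~ /^-.*x/ { print $NF }'
}

# Return 0 when the archive has no executable members, 1 when it does,
# 2 when the file cannot be found.
check_archive() {
    archive="$1"
    if [ ! -f "$archive" ]; then
        echo "no such file: $archive" >&2
        return 2
    fi
    found=$(list_executable_members "$archive")
    if [ -n "$found" ]; then
        echo "WARNING: $archive contains executable member(s):" >&2
        echo "$found" >&2
        return 1
    fi
    echo "$archive: no executable members" >&2
    return 0
}

# Build two constructed sample archives in a temporary directory and print
# its path. These are demonstration stand-ins, not the real trojan.
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/pics" "$dir/bad"
    # honest archive: only non-executable "picture" files
    printf 'not really a jpeg\n' > "$dir/pics/leopard1.jpg"
    printf 'not really a jpeg\n' > "$dir/pics/leopard2.jpg"
    tar -czf "$dir/pics.tgz" -C "$dir/pics" .
    # suspicious archive: a member named "latestpics" that is marked executable
    printf '#!/bin/sh\necho pretend payload\n' > "$dir/bad/latestpics"
    chmod 755 "$dir/bad/latestpics"
    tar -czf "$dir/latestpics.tgz" -C "$dir/bad" .
    echo "$dir"
}

# Usage: sh check_archive.sh ~/Downloads/latestpics.tgz
if [ "$#" -gt 0 ]; then
    check_archive "$1"
fi
```

This is a cheap first filter, not a substitute for scanning the archive with ClamXav: an executable member is enough to refuse the archive, but a clean listing only means the archive does not try this particular trick.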
A Few Important Points
- This is classed as a Trojan, not a virus, because it doesn't propagate entirely by itself
- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system
- It requires the admin password if you're not running as an admin user
- It doesn't actually do anything other than attempt to propagate itself via iChat
- It has a bug in the code which prevents it from working as intended, and has the side-effect of preventing infected applications from launching
- It's not particularly sophisticated
What Does It Do?
When a user double-clicks on the decompressed file, or otherwise executes it:
- It creates a pristine copy of itself under /tmp for later transmission
- It injects its code into any subsequently launched application
- Each time an application is launched afterwards, it tries to send itself to everyone in your iChat buddy list
- It then uses Spotlight to find the 4 most recently used applications, and it infects those too
Read the more in-depth description of what it does on the MacRumors discussion thread.
On first inspection, it would appear that it doesn't actually do anything other than try to send itself to everyone, but it's the first true Mac OS X trojan and I'm fairly sure that others will follow suit in a similar pattern with the intention of doing something more harmful.
The best thing you can do is make sure to keep your virus definitions up-to-date, use ClamXav Sentry to watch your downloads folder, and never open any attachments unless you're actually expecting to receive something.