OSX/Leap

Type: Virus
SubType: Internet Worm
Discovery Date: 02/16/2006
Length: 39,596 bytes (executable); 40,893 bytes (tgzip)
Minimum DAT: 4698 (02/16/2006)
Updated DAT: 4698 (02/16/2006)
Minimum Engine: 5.1.00
Description Added: 02/16/2006
Description Modified: 02/16/2006 6:24 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update: February 16, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2006/02/16/mac_os-x_virus/

___

OSX/Leap is an instant messaging worm propagating via iChat on PowerPC-based machines running Mac OS X.

It sends itself to people on the user's buddy list in the form of a .tgz archive (which is stored locally in the /tmp folder). It will likely be received as:

  • latestpics.tgz

Within the .tgz archive, the worm masquerades as a JPEG image.

Because iChat is not a Windows application, this cannot propagate to Windows machines.

Symptoms

Applications may fail to run correctly, as the hook installed by the worm fails to correctly return control to the hooked process due to incorrectly written code.

Method of Infection

The worm installs an apphook Input Manager into the local system Library, which is then injected into the address space of each process as it loads. The injected hook then passes control to the virus code, which attempts to send out copies of the worm.

The file being distributed is called "latestpics.tgz" and has a file size of 40,893 bytes (decimal). Two other files are embedded inside it:

  • "._latestpics", file size 43,694 bytes (decimal)
  • "latestpics", file size 39,596 bytes (decimal)

The first file, ._latestpics, is used to create a fake JPEG icon. The file latestpics is the malicious file.

It attempts to masquerade as a JPEG image file to trick the user into executing it.

Leap requires user interaction in order to infect a machine: the user receiving an instant message containing the worm has to extract the executable from the archive and then run it as admin. When run, it is immediately apparent that it is not a harmless JPEG file but a malicious binary. It runs as a command-line program, opening a Terminal session in which to execute, and the default message "Welcome to Darwin!" can be seen.

It tries to copy itself to the /tmp directory and creates the "apphook.bundle" Input Manager.

Once done, the following lines appear at the bottom of the Terminal window:

  • ;exit
  • logout
  • [Process completed]
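As an added defender-side example (not part of this AVERT description), the following Python script applies the indicators above to triage an extracted latestpics archive: it classifies members by their header bytes rather than by icon, flags a Mach-O file that sits next to a "._" AppleDouble sidecar (the file that carries the fake icon), and lists any Input Manager bundle named apphook.bundle. The Input Manager directory paths and the sample bytes are assumptions constructed for the demonstration.

```python
import os

JPEG_MAGIC = b"\xff\xd8\xff"
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # header of a "._" resource-fork sidecar
# Mach-O magic as stored on disk: big-endian PowerPC, little-endian x86,
# and the universal (fat) header.
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
# Assumed standard Input Manager locations on a Mac OS X 10.4-era host.
INPUT_MANAGER_DIRS = ("/Library/InputManagers",
                      os.path.expanduser("~/Library/InputManagers"))

def classify_header(data):
    """Name the file type from its leading bytes, ignoring name and icon."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data[:4] in MACHO_MAGICS:
        return "mach-o"
    if data.startswith(APPLEDOUBLE_MAGIC):
        return "appledouble"
    return "unknown"

def triage_members(members):
    """Flag archive members that look like the Leap lure.
    members maps member name -> leading bytes of that member."""
    findings = []
    for name, data in members.items():
        if name.startswith("._"):          # sidecars are judged via their owner
            continue
        kind = classify_header(data)
        sidecar = "._" + name
        has_icon_sidecar = classify_header(members.get(sidecar, b"")) == "appledouble"
        if kind == "mach-o" and has_icon_sidecar:
            findings.append(f"{name}: Mach-O executable with a custom-icon sidecar {sidecar}")
        elif kind == "mach-o" and name.lower().endswith((".jpg", ".jpeg")):
            findings.append(f"{name}: Mach-O executable with an image extension")
    return findings

def suspicious_input_managers(listing):
    """listing maps an InputManagers directory -> its entry names."""
    return [os.path.join(d, e) for d, entries in listing.items()
            for e in entries if e.lower() == "apphook.bundle"]

def scan_input_managers_on_disk():
    """Read the real Input Manager directories (empty result if absent)."""
    listing = {d: os.listdir(d) for d in INPUT_MANAGER_DIRS if os.path.isdir(d)}
    return suspicious_input_managers(listing)

# Constructed sample: a PowerPC Mach-O header beside an AppleDouble sidecar,
# mirroring the latestpics / ._latestpics pair described above.
SAMPLE_MEMBERS = {
    "._latestpics": APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\x00" * 24,
    "latestpics": b"\xfe\xed\xfa\xce" + b"\x00\x00\x00\x12" + b"\x00" * 24,
}

if __name__ == "__main__":
    for finding in triage_members(SAMPLE_MEMBERS) + scan_input_managers_on_disk():
        print(finding)
```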

Removal

Use specified engine and DAT files for detection and removal. Delete any file which contains this detection.

Overwritten or deleted files must be restored from backup or reinstalled. Alternatively, system restore can be used to restore deleted files.

AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • CME-4
  • OSX/Leap-A (Sophos)
  • OSX/Oomp
