OSX/Inqtana.a
- Type: Virus
- SubType: Worm
- Discovery Date: 02/18/2006
- Length: 4,228 bytes
- Minimum DAT: 4701 (02/20/2006)
- Updated DAT: 4713 (03/08/2006)
- Minimum Engine: 5.1.00
- Description Added: 02/18/2006
- Description Modified: 02/20/2006 12:33 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Inqtana.A (F-Secure)
- OSX_INQTANA.A (TrendMicro)
Characteristics
-- Update February 20, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Bluetooth+worm+targets+Mac+OS+OSXinqtana.html
For an Extra.Dat file for this threat please visit our Extra Dat request page at:
https://www.webimmune.net/extra/getextra.aspx
This detection covers a proof-of-concept worm that exploits an Apple Mac OS X directory traversal vulnerability described in CVE-2005-1333.
When executed, this worm will attempt to discover Bluetooth devices that will accept a file via the OBEX Push service (typically requiring user intervention). On Mac OS X machines vulnerable to CVE-2005-1333, the trojan is installed and may start at boot.
More information about the vendor's updates and the vulnerability can be found at:
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1333
- http://www.apple.com/support/downloads/
Symptoms
- Unexpected request for file transfer via the Bluetooth OBEX Push service.
- Presence of one or more of the following files:
  - /Users/w0rm-support.tgz
  - /Users/com.pwned.plist
  - /Users/com.openbundle.plist
Method of Infection
This worm spreads over the Bluetooth OBEX Push service, which typically requests that the user accept a file transfer over Bluetooth. Users are advised not to accept requests from unknown devices. It also exploits a directory traversal vulnerability in Mac OS X to install and auto-start the worm on the infected machine.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A