
OSX/Inqtana.a

Type: Virus
SubType: Worm
Discovery Date: 02/18/2006
Length: 4,228 bytes
Minimum DAT: 4701 (02/20/2006)
Updated DAT: 4713 (03/08/2006)
Minimum Engine: 5.1.00
Description Added: 02/18/2006
Description Modified: 02/20/2006 12:33 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update February 20, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Bluetooth+worm+targets+Mac+OS+OSXinqtana.html

For an Extra.Dat file for this threat please visit our Extra Dat request page at:
https://www.webimmune.net/extra/getextra.aspx

This detection covers a proof-of-concept worm that exploits an Apple Mac OS X directory traversal vulnerability described in CVE-2005-1333.

When executed, this worm attempts to discover Bluetooth devices that will accept a file via the OBEX Push service (typically requiring user intervention). On Mac OS X machines vulnerable to CVE-2005-1333, the trojan is installed and may start at boot up.

More information about vendor's updates and the vulnerability can be found at:

Symptoms

  • Unexpected request for file transfer via the Bluetooth OBEX Push service.
  • Presence of one or more of the following files:
    • /Users/w0rm-support.tgz
    • /Users/com.pwned.plist
    • /Users/com.openbundle.plist

Method of Infection

This worm spreads over the Bluetooth OBEX Push service, which typically asks the user to accept a file transfer over Bluetooth. Users are advised not to accept requests from unknown devices. It also exploits a directory traversal vulnerability in Mac OS X to install and auto-start the worm on the infected machine.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Inqtana.A (F-Secure)
  • OSX_INQTANA.A (TrendMicro)
