OSX/IWService.b

Type: Trojan
SubType: Macintosh
Discovery Date: 01/27/2009
Length: 413,604 bytes
Minimum DAT: 5509 (01/28/2009)
Updated DAT: 5523 (02/11/2009)
Minimum Engine: 5.2.00
Description Added: 01/27/2009
Description Modified: 01/27/2009 9:12 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled


Overview

-- January 27, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/01/26/more_mac_malware/
--

This Trojan is dropped as part of an illegitimate Adobe Photoshop CS4 for Mac installation obtained from file sharing sites.

Aliases

  • OSX/iWorkS-B (Sophos)

Characteristics

Upon installation, the following malicious files are created:

  • /usr/bin/DivX (OSX/DivX)

It will also hook system startup by creating or modifying the following file(s) and folder(s):

  • /System/Library/StartupItems/DivX/DivX
  • /System/Library/StartupItems/DivX/StartupParameters.plist

The StartupParameters.plist listed above declares a dependency on 'Network', so SystemStarter runs the DivX item during boot only after networking has been brought up, that is, once the host is able to reach the remote hosts listed below.

The installation folder is then set to mode 755 with chmod: read, write and execute for the owning "root" user, and read and execute for group and others. SystemStarter refuses to run a startup item that is not owned by root or that is writable by anyone else, so this step is what allows the item to run at boot; it also leaves the folder with the same permissions as a legitimate StartupItem.

Connection attempts are also made to the following hosts (address and domain partially redacted here) on non-standard TCP ports:

  • 69.92.{blocked} (TCP Port 59201)
  • {blocked}.freehostia.com (TCP Port 1024)

Over these connections the Trojan receives and executes the following remote commands (the names indicate shell and script execution, HTTP retrieval, SOCKS proxying, log upload and peer-to-peer node management):

  • socks
  • system
  • httpget
  • httpgeted
  • rand
  • sleep
  • banadd
  • banclear
  • p2plock
  • p2punlock
  • nodes
  • leafs
  • unknowns
  • p2pport
  • p2pmode
  • p2ppeer
  • p2ppeerport
  • p2peertype
  • set
  • get
  • clear
  • p2pihistsize
  • p2pihist
  • platform
  • script
  • sendlogs
  • uptime
  • uid
  • shell
  • rshell

Symptoms

  • Presence of the files and folders listed above under Characteristics, in particular /usr/bin/DivX and a DivX item under /System/Library/StartupItems.
  • Unexpected network connections to the hosts and ports listed above.
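
As an added example, not McAfee's tooling and not the Trojan's own code, the following POSIX shell script checks a host (or a mounted disk image under a ROOT prefix) for the indicators described under Characteristics and Symptoms: the three listed paths, a StartupParameters.plist that declares the 'Network' dependency, the 755 mode on the StartupItems folder, and saved netstat output showing connections to the two listed ports. The function names, the ROOT parameter, the sample plist and the netstat lines are all constructed for this example; the remote addresses in the sample are documentation ranges, not the redacted addresses on this page.

```shell
#!/bin/sh
# Added example, not McAfee's or the Trojan's code: check a host (or a mounted
# image under a ROOT prefix) for the OSX/IWService.b indicators on this page.
# Function names, the ROOT parameter and all sample data are constructed.

# Paths the page lists as created by the Trojan (relative to ROOT).
IWS_PATHS="usr/bin/DivX
System/Library/StartupItems/DivX/DivX
System/Library/StartupItems/DivX/StartupParameters.plist"

# TCP ports named on the page. The IP and domain are partially redacted there,
# so the ports are the only usable network indicator; on their own they are
# weak, and any hit needs confirming against the remote address.
IWS_PORTS="59201 1024"

# Print each listed path that exists under $1 (default "/").
# Returns 0 if at least one was found, 1 otherwise.
iws_check_files() {
    root="${1:-/}"
    found=1
    for rel in $IWS_PATHS; do
        p="${root%/}/$rel"
        if [ -e "$p" ]; then
            echo "FILE $p"
            found=0
        fi
    done
    return $found
}

# Symbolic mode of a path (ls is portable where stat's flags are not).
# A StartupItems folder set up with chmod 755 reads drwxr-xr-x.
iws_mode() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if a StartupParameters.plist declares a dependency on "Network"
# through the Requires or Uses key, which SystemStarter uses to order items and
# which makes this one run once networking is up. The file is collapsed to one
# line first so both the ASCII and the XML plist layouts are matched.
iws_check_plist() {
    plist="$1"
    [ -r "$plist" ] || return 1
    if tr '\n' ' ' < "$plist" | grep -Eq '(Requires|Uses).{0,120}Network'; then
        echo "STARTUP $plist runs after Network"
        return 0
    fi
    return 1
}

# Print lines of saved "netstat -an" output (file $1) whose foreign address
# (column 5) uses one of the listed ports. Handles the macOS host.port and
# Linux host:port forms. Returns 0 if any line matched.
iws_check_connections() {
    file="$1"
    hits=1
    while read -r line; do
        set -- $line
        case "$1" in tcp*) ;; *) continue ;; esac
        foreign="$5"
        for port in $IWS_PORTS; do
            case "$foreign" in
                *".$port"|*":$port") echo "NET $line"; hits=0; break ;;
            esac
        done
    done < "$file"
    return $hits
}

# Demo on a constructed tree and constructed netstat output (not captured from
# an infected host; remote addresses are documentation ranges). Prints one
# line per finding: 3 FILE, 1 STARTUP, 1 MODE, 2 NET.
iws_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/System/Library/StartupItems/DivX"
    : > "$root/usr/bin/DivX"
    : > "$root/System/Library/StartupItems/DivX/DivX"
    cat > "$root/System/Library/StartupItems/DivX/StartupParameters.plist" <<'EOF'
{
  Description = "DivX";
  Provides    = ("DivX");
  Requires    = ("Network");
}
EOF
    chmod 755 "$root/System/Library/StartupItems/DivX"
    cat > "$root/netstat.txt" <<'EOF'
tcp4       0      0  192.168.1.20.49321     203.0.113.5.59201      ESTABLISHED
tcp4       0      0  192.168.1.20.49322     198.51.100.9.443       ESTABLISHED
tcp4       0      0  192.168.1.20.49323     198.51.100.7.1024      SYN_SENT
EOF
    iws_check_files "$root"
    iws_check_plist "$root/System/Library/StartupItems/DivX/StartupParameters.plist"
    echo "MODE $(iws_mode "$root/System/Library/StartupItems/DivX")"
    iws_check_connections "$root/netstat.txt"
    rm -rf "$root"
}

iws_demo
```

On a live system run the file checks as root with no ROOT argument, or point ROOT at a mounted image of the suspect disk; for the network check, save `netstat -an` output to a file and pass it to `iws_check_connections`. A hit on port 1024 or 59201 alone is not proof of infection, since the real remote addresses are redacted on this page; treat it as a prompt to look at the remote host and at the StartupItems folder.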

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. In this case the Trojan was bundled with a pirated Adobe Photoshop CS4 for Mac installer obtained from file-sharing sites (see Overview).

Removal

All Users:
Use specified engine and DAT files for detection and removal.


Variants

    N/A