[Helpdesk] First OS X "virus"?

Brett, Computer Medics SFMUG at TheComputerMedics.info
Sat Feb 18 10:18:05 MST 2006


For this "Mac Virus" to work, a user must download and attempt to open a
software package (latestpics.tgz) which poses as screenshots of the
rumored Jaguar version of OS X. During the install process, the user will
be prompted for their administrator user name and password. If they enter
it, the application will run on their machine where it attempts to
propagate itself via iChat (assuming you are running iChat).

There's the key. This file is harmless unless one tries to open it, and
when prompted logs in as an administrator. No operating system is
immune to users manually installing malicious software. Not Linux, not
Windows, and certainly not Mac OS X.  I would hope most Mac users would
express some immediate concern if they were trying to view what they
thought was a JPEG file and it asked them for their system password.


Brett Goldberg
Head of Emergency Computer Medicine

• Apple Authorized Service Provider
• Apple Certified Desktop Technician (ACDT)
• Apple Certified Portable Technician (ACPT)
• Apple Product Professional 2002 & 2003 & 2004 & 2005
• Member, Apple Consultants Network

Computer Medics LLC
Medic at TheComputerMedics.info
Triage: 505/577-2265 (office)   "911": 505/577-2557 (cellular)
http://www.TheComputerMedics.info   fax : 505/983-0021

Staff of Apple Authorized and PC "A+" Certified Technicians.
On site... On time... Just in time

On Feb 17, 2006, at 1:51 PM, Andrew Main wrote:

> There's been a lot of buzz the last ca. 36 hours about what appears to 
> be the first real "malware" to appear in the OS X environment. It's 
> been dubbed "Oompa-Loompa" (aka "OSX/Oomp-A"), and first appeared 
> posted anonymously on a forum at MacRumors.com. For a succinct 
> explanation of this situation, see the page by Mark Allan, developer 
> of the open-source (free) ClamXAV anti-virus utility for Mac OS X:
>
> <http://www.markallan.co.uk/clamXav/index.php?page=leap>
>
> ----------------------------------------
> The file in question promises pictures of the next version of Mac OS X 
> 10.5, codenamed Leopard, and is named "latestpics.tgz".
>
> Note: You cannot be infected by this unless you do all of the 
> following:
>
> 1) You are somehow sent (via email, iChat, etc.) or download the 
> "latestpics.tgz" file
> 2) You double-click on the file to decompress it
> 3) You double-click on the resulting file to "open" it
>
> ...and even then, most users must also enter their Admin password.
>
> You cannot simply "catch" the virus. Even if someone does send you the 
> "latestpics.tgz" file, you cannot be infected unless you decompress 
> the file, and then open it. ...
>
> On first inspection, it would appear that it doesn't actually do 
> anything other than try to send itself to everyone, but it's the first 
> true Mac OS X trojan and I'm fairly sure that others will follow suit 
> in a similar pattern with the intention of doing something more 
> harmful.
>
> The best thing you can do is make sure to keep your virus definitions 
> up-to-date, use ClamXav Sentry to watch your downloads folder, and 
> never open any attachments unless you're actually expecting to receive 
> something.
>
> ----------------------------------------
> If you feel a need for malware protection in OS X, ClamXAV seems like 
> a good bet (though I haven't used it myself, nor so far any anti-virus 
> utility):
> <http://www.clamxav.com/>
>
> Follow the links on Mark's page to learn more of the history of this 
> trojan, its discovery, and what's been done in the Mac user community to 
> respond to it.
>
> If you are using a Mac I have set up, see the Information/More 
> Information/Security folder for more discussion of Mac OS X and 
> viruses (and other malware).
>
> Andrew Main
> _______________________________________________
> Helpdesk mailing list
> Helpdesk at santafemug.org
> http://lists.santafemug.org/mailman/listinfo/helpdesk
>