Trojan Alert and Hunt-the-Infection Guide

Posted by Jude Cotter 
Trojan Alert and Hunt-the-Infection Guide
February 29, 2012 07:16PM
There is a possible trojan infection for Leopard, Snow leopard and Lion. It masquerades as a Flash install popup on certain websites. You can read more here, if you're techy :

[tidbits.com]

I tried to include a guide about how to search for it, but the Forum won't allow posts with certain characters, for some reason. Working on a way around it. Basically, read the article and use the Go > Go to Folder menu in the Finder to search for certain files.

Re: Trojan Alert and Hunt-the-Infection Guide
February 29, 2012 07:19PM
To check if you have one of the variants, here's a simple list of to-dos

1. In the Finder, there is a menu item called 'Go'. Go to this and in the submenu 'Go to Folder' paste this

/Applications/Safari.app/Contents/Resources

and look for something called 'UnHackMeBuild'

If you use Firefox, use the name Firefox.app instead of Safari.app.


Re: Trojan Alert and Hunt-the-Infection Guide
February 29, 2012 07:19PM
2. In the Go to Folder menu again, go to

/Users/Shared/

and search for any file that ends in .so.

Re: Trojan Alert and Hunt-the-Infection Guide
February 29, 2012 07:19PM
3. Go to the folder

/System/Library/LaunchDaemons/

and see if you have the file com.apple.xprotectupdater.plist. If you do, don't freak out. This is good.

Re: Trojan Alert and Hunt-the-Infection Guide
February 29, 2012 07:20PM
4. Finally, go to

/usr/libexec/

and find the file XProtectUpdater. Also good. Either of these files missing indicates they have been deleted, which the trojan can try to do.

This is not a definitive guide, just a quick and dirty sweep to see if there might be a problem.

Don't know why but breaking this post into smaller chunks worked. Whatever.

Re: Trojan Alert and Hunt-the-Infection Guide
February 29, 2012 07:24PM
Jude, you'd want to correct the first link:

/Application/Safari.app/Contents/Resources

It should be:

/Applications/Safari.app/Contents/Resources


www.derekmok.com
Re: Trojan Alert and Hunt-the-Infection Guide
February 29, 2012 07:43PM
Thank you all

Michael Horton
-------------------
Re: Trojan Alert and Hunt-the-Infection Guide
February 29, 2012 07:56PM
Thank Derek - I had to retype them all and it's really not my top skill. I'll adjust in the original so people don't get confused.

Re: Trojan Alert and Hunt-the-Infection Guide
February 29, 2012 10:24PM
Also, to clarify : In steps 1 and 2 you DON'T want to find the files you're searching for. In steps 3 and 4 you DO want to find the files.

Re: Trojan Alert and Hunt-the-Infection Guide
February 29, 2012 10:55PM
Hee hee. Precision. Gotta love that. Such an editor's thing. Thanks for the tips. I did the check successfully.


www.derekmok.com
Re: Trojan Alert and Hunt-the-Infection Guide
March 01, 2012 10:03PM
...thought this was a Porn Spam thread. My bad.

When life gives you dilemmas...make dilemmanade.

Re: Trojan Alert and Hunt-the-Infection Guide
March 03, 2012 02:07PM
Uh-oh...I'm missing these files

1.com.apple.xprotectupdater.plist
2.XProtectUpdater

Any suggestions on next course of action.
OS 10.5.8 2x2.66 Ghz Dual-Core Intel Xeon.

Thanks,
Ken Kessie
Re: Trojan Alert and Hunt-the-Infection Guide
March 03, 2012 08:59PM
Here's the original article, Ken. Ideas on what to do in there.

Flashback

Re: Trojan Alert and Hunt-the-Infection Guide
March 11, 2012 04:27PM
>Uh-oh...I'm missing these files

>1.com.apple.xprotectupdater.plist
>2.XProtectUpdater

I couldn't find them either, but then I discovered it is a feature of Snow Leopard onwards. You won't find them with Leopard.

John
Sorry, only registered users may post in this forum.

Click here to login

 


Google
  Web lafcpug.org

Web Hosting by HermosawaveHermosawave Internet


Recycle computers and electronics