macnews.net.tc
2006-02-16
The "latestpics" Trojan
Apparently, someone posted a Mac OS X trojan to the macrumors.com forum (link goes to explanation and discussion on ambrosiasw.com forums). The file in question is called "latestpics.tgz", which you should not download and unpack, although that alone is not yet dangerous. The dangerous thing is that the UN*X executable it unpacks looks like a JPEG file, although it doesn't have the file extension. (It just has a JPEG icon pasted onto it.) If you do double-click it, it installs itself as an input manager and tries to infect applications with itself and to propagate through iChat (it'll send itself to your iChat buddies).
This is not a virus, though. And if you don't double-click files you don't know the source of, you're still safe. Also: never double-click images without file extensions, anyway. (Set the Finder to _show_ you file extensions, of course.)
So: Don't panic. But be safe. :)

Update: Sites like TheRegister (in their "article" about Leap.A) are now keen to call this a virus, although by definition it is not. They also fail to mention that the script does no harm other than to propagate via iChat. Again: Of course we shouldn't go into denial whenever something like this pops up. But in order to do even a little harm, the user still has to actually execute this script himself. And tricks like that have always been known on Mac OS X. It tries to take advantage of a vulnerability of the user, not the operating system. Unless you open/execute the UN*X script yourself, you're safe!
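The check the post recommends doing by eye (is this "picture" really a picture?) can be done on the file's leading bytes instead of its icon or name. The sketch below is an added example, not code from the post: the function names, the list of image extensions and the sample files are assumptions constructed for illustration.

```python
import os
import stat

# Leading bytes of Mach-O binaries (thin 32/64-bit, both byte orders) and of
# fat/universal binaries. Java class files share the last value.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp"}  # assumed list

def content_kind(path):
    """Classify a file by its first bytes, ignoring its name and icon."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head[:2] == b"#!":
        return "script"
    if head in MACHO_MAGICS:
        return "mach-o"
    if head[:3] == b"\xff\xd8\xff":
        return "jpeg"
    return "other"

def find_disguised_executables(root):
    """Return sorted (path, kind) for runnable content with no extension or an image one."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    continue  # skip symlinks, sockets, devices
                kind = content_kind(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            ext = os.path.splitext(name)[1].lower()
            if kind in ("script", "mach-o") and (ext == "" or ext in IMAGE_EXTS):
                hits.append((path, kind))
    return sorted(hits)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample files
        samples = {"photo": b"\xfe\xed\xfa\xce" + b"\0" * 28,       # Mach-O header bytes
                   "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 28}  # real JPEG header
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        print(find_disguised_executables(d))
```

Run against a downloads folder, it reports only files whose content is executable while the name suggests an image or nothing at all; ordinary scripts with their own extension are left alone.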
Comments:
Another thing you didn't mention: even if they click on what looks like a JPEG, it will require the clicker to log in. This should be a big warning sign that something is not quite right.


Glor
 
That's not true in fact. If you're an admin user, no password is needed to install into "/Library/Input Managers" unless you change the permissions by hand. And if you're not an admin user, you're asked for an admin pw, but if you don't give it, it installs itself into "~/Library/Input Managers" from what I've heard.
 