
Mac iChat Trojan Horse

harmless but foreboding just the same

News sources and Mac pundits were buzzing last week with the news of a new Mac Trojan that spreads itself to the buddies of an active iChat session.

User Group sleuth Del Missier forwards this tidbit:

[Quote]
      Intego offers protection from new Mac OS Trojan Horse
      Intego's VirusBarrier antivirus software is now offering protection against the newly discovered Oompa-Loompa Trojan horse, also called OSX/Oomp-A or Leap.A. This security threat affects Macintosh computers running Mac OS X on PowerPC processors. Replicating by sending itself to users' iChat buddies, the Oompa-Loompa Trojan horse does not delete any files, but infects applications on computers where it runs, enabling those applications to in turn spread the virus. "Two versions of this Trojan horse exist, and the Intego Virus Monitoring Center immediately developed updated virus definitions, which it released on February 14, 2006, as soon as it discovered this threat, ensuring that VirusBarrier X and VirusBarrier X4 eradicate the Oompa-Loompa Trojan horse. All Intego VirusBarrier X and VirusBarrier X4 users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences."
[End Quote]

Some are reporting that this is not a virus but a trojan horse, as it doesn't self-propagate. From Andrew Welch's dissection of the code, Welch writes:
[Quote]
      You cannot be infected by this unless you do all of the following:
1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it and then for non-Admin users, it fails to infect most applications.
      A file called "latestpics.tgz" was posted on a Mac rumors web site http://www.macrumors.com/ , claiming to be pictures of "MacOS X Leopard" (an upcoming version of MacOS X, aka "MacOS X 10.5"). It is actually a Trojan (or arguably, a very non-virulent virus). We'll call it "Oompa-Loompa" (aka "OSX/Oomp-A") ...
      A good rule of thumb is: if your user account allows you to install an application without entering your password, then this trojan/virus can modify (infect) that application without you entering a password. Regardless, it can install the "apphook" InputManager portion of its payload no matter what type of user account you have (admin or non-admin).
[End Quote]
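Welch's rule of thumb (any application you can install without a password is one the trojan can modify without a password) and his note about the "apphook" InputManager both lend themselves to a quick self-audit. The script below is an added example, not part of this article or of Welch's write-up; the `/Applications` and `Library/InputManagers` paths are assumptions about a typical Mac OS X layout, and every function prints its findings and returns 0 so it can run from a login script.

```sh
#!/bin/sh
# Added audit example (not from the UGN article or Andrew Welch's write-up).
# Checks the two conditions the quoted write-up describes:
#  (1) application bundles the current user can modify without a password,
#  (2) InputManager bundles, the mechanism the "apphook" payload loads through.
# Paths are assumptions about a typical Mac OS X layout.

# Print every *.app bundle directly inside $1 that the current user can write.
# A user-level trojan could modify such an application without a password.
list_writable_apps() {
    dir="${1:-/Applications}"
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue        # no match: the glob stays literal
        [ -w "$app" ] && printf '%s\n' "$app"
    done
    return 0
}

# Count of writable app bundles, handy for a quick pass/fail check.
count_writable_apps() {
    list_writable_apps "$1" | wc -l | tr -d ' '
}

# Print every entry in an InputManagers directory ($1). Anything here is loaded
# into Cocoa applications at launch, so an unexpected name deserves a look.
list_input_managers() {
    im="$1"
    [ -d "$im" ] || return 0             # directory absent: nothing installed
    for entry in "$im"/*; do
        [ -e "$entry" ] || continue
        printf '%s\n' "$entry"
    done
    return 0
}

# Full audit of the per-user and system locations.
audit() {
    echo "== Applications the current user can modify without a password =="
    list_writable_apps /Applications
    echo "== InputManager bundles (user, then system) =="
    list_input_managers "$HOME/Library/InputManagers"
    list_input_managers /Library/InputManagers
}
```

Source the file and call `audit` from a Terminal session; an empty second section means no InputManager bundle is installed for that user or system-wide.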

Of all the people in the Macintosh sphere, Andrew Welch is probably one of the most trustworthy. He's been on the scene since the beginning as a true champion of "the rest of us" -- his shareware is impeccable. Hats off to Andrew, at www.ambrosiasw.com. Be sure you read ALL of Andrew's article.

Andrew also says: "Don't ask me to send you a copy -- it isn't going to happen!"

Sophos calls it a worm

In Monday's InfoManager, Lynn noted that the Sophos Web site has called it a worm and offers a February 16 identity (IDE) file, leap-a.ide, that you can download.

More from MacFixIt

MacFixIt follows with its own research on Oompa-Loompa, noting that the ClamXav virus definitions have been updated to include a definition for the Oompa-Loompa Trojan (OSX/Oomp-A). Here's that article.

Two additional articles from MacFixIt are worth reading:
* Virus protection software makers respond to Oompa-Loompa trojan (OSX/Oomp-A); protective methods
* Mac OS X malware "OSX/Oomp-A" discovered -- effects seem innocuous

Reflections

For years Mac users have had the luxury of bragging about the Mac's relatively virus- and trojan-free OS. This verified instance of malicious code latching onto features of the new OS X (the InputManager hook Andrew describes) is cause for worry, however. With Intel-based Macs coming, the evils that have plagued the Intel platform can't be too far behind.

All Mac users should probably start familiarizing themselves with intrusion protection and be ready once the real onslaught of online crime begins.


CREDITS:
Reviewed by Fred Showker for the User Group Network News Service. (C) 2006, all rights reserved. Affiliate groups may freely republish this piece so long as they include the tag line: "From the User Group Network News Service at http://www.user-groups.net/ " ... Event dates are subject to change. Some products, programs, or promotions are not available outside the U.S. Prices are estimated retail prices and are listed in U.S. dollars. Product specifications are subject to change. Apple, the Apple logo, Mac, Mac OS, Macintosh, Power Mac, Velocity Engine, FireWire, AirPort, Safari, Sherlock, QuickTime, iLife, iTunes, iChat, iPhoto, iMovie, iDVD, iCal and Apple Store are either registered trademarks or trademarks of Apple. Other company and product names may be trademarks of their respective owners. Mention of third-party products is for informational purposes only and constitutes neither a recommendation nor an endorsement.
