Russian anti-virus company Doctor Web is warning users about a new Trojan horse for Mac OS X. This application can perform backdoor tasks and execute commands issued by a remote, hacker-controlled server.
Back in late June, Doctor Web’s anti-virus laboratory received a sample e-mail message with a malicious program attached targeting Mac OS X. This e-mail message, written in the Uighur language, had the file zmatiriyal.zip attached to it. The zip archive contained two files: an image and the matiriyal.app malware disguised with a PDF document icon. This application runs on both Power PC and x86 machines. It was added to the Dr.Web virus database as BackDoor.Macontrol.2.
If the option to hide extensions for known file types is enabled in the system, a user may try to open the attached “document”, thus launching the Trojan. BackDoor.Macontrol.2 is especially dangerous for machines running Mac OS X Snow Leopard, since it allows programs to write into the Library folder under a user account (this is not possible under Mac OS X Lion).
When launched in a compromised system, BackDoor.Macontrol.2 copies itself into the file /Library/launched and creates its configuration file ~/Library/LaunchAgents/com.apple.FolderActionsxl.plist for launch upon system start-up. The Trojan then sends to a remote control server data on the infected computer, including the operating system version, computer name, user account information, and the amount of RAM. Then the Trojan stands by and waits for instructions. Directives that can be carried out by the backdoor include system shut down, sending files to a remote server, and running the /bin/sh shell.
This malware is not a danger to systems protected by Dr.Web for Mac OS X, which detects and removes the program. Doctor Web advises users to exercise caution when opening attachments to messages from unknown senders.
Leave a reply