Mac trojan virus reappears (OSX/Crisis)

Source: Internet
Author: User

Just as we were excitedly watching the release of the new Mac OS X, unfortunate news arrived from the network security field: a new Mac virus has been detected.


This virus, first detected, analyzed and disclosed by Intego, is very different from previous ones such as the last one, the world-famous Flashback: it does not require user intervention. In fact, it silently infects the computer system without the user's awareness, opens a backdoor, and contacts its host server every five minutes, waiting for further commands.


Researchers have not yet finished analyzing it, because its executable code has been specially arranged and is difficult to decompile. Currently, with normal user permissions it can infect 14 files; if it obtains system administrator permissions, 17 files are generated and hidden. The IP address of its host server is 176.58.100.37. Currently, it only runs on 10.5, 10.6, and 10.7 systems, and is not yet compatible with 10.8.


This virus has not spread widely yet; so far it has only been found on VirusTotal's website, so there is no need to panic. However, its infection method and the way its code is written for Mac systems (it uses many low-level function calls, which makes it more concealed and harder to find) are currently very unusual.


Users can check for infection themselves by running the following two commands, which look for the virus's characteristic directories. As long as both return "No such file or directory", the system is not infected:

ls -la ~/Library/ScriptingAdditions/appleHID/
ls -la /System/Library/Frameworks/Foundation.framework/XPCServices/
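The same check as a script, added here as an example and not taken from Intego or the original article. It goes beyond the two commands above by checking every home directory under /Users rather than only the current user's, and it accepts an optional volume root so a mounted disk image can be checked. The function names, the ROOT argument and the /Users layout are assumptions.

```shell
#!/bin/sh
# Directories named in the article, relative to a home directory / a volume root.
USER_REL="Library/ScriptingAdditions/appleHID"
SYS_REL="System/Library/Frameworks/Foundation.framework/XPCServices"

# report PATH (hypothetical helper): print the status of one path.
# Returns 1 if the path exists (including a dangling symlink), 0 if absent.
report() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        echo "FOUND   $1"
        ls -la "$1" 2>/dev/null   # listing is useful evidence for triage
        return 1
    fi
    echo "absent  $1"
    return 0
}

# crisis_scan [ROOT] (hypothetical name): ROOT defaults to / (the live system).
# Returns 0 when neither directory is present anywhere, 1 otherwise.
crisis_scan() {
    root="${1:-/}"
    root="${root%/}"              # "/" becomes "", so paths stay absolute
    hits=0
    report "$root/$SYS_REL" || hits=$((hits + 1))
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue   # skips the literal pattern when no homes exist
        report "$home/$USER_REL" || hits=$((hits + 1))
    done
    echo "$hits indicator path(s) present under ${root:-/}"
    [ "$hits" -eq 0 ]
}

# Usage: crisis_scan                  (live system; run as root to read all homes)
#        crisis_scan /Volumes/Image   (mounted copy of a disk)
```

Home directories that the invoking user cannot read are reported as absent, so the result for other accounts is only reliable when the script runs with administrator rights.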


If the system is infected, only the paid version of VirusBarrier X6.
