Intego says Mac OS X Trojan AppleScript applet in the wild

“AS.MW2004.Trojan – that affects Mac OS X. This Trojan horse, when double-clicked, permanently deletes all the files in the current user’s home folder. Intego has notified Apple, Microsoft and the CERT, and has been working in close collaboration with these companies and organizations,” Macworld UK reports.

“The AS.MW2004.Trojan is a compiled AppleScript applet, a 108 KB self-contained application, with an icon resembling an installer for Microsoft Office 2004 for Mac OS X. This AppleScript runs a Unix command that removes files, using AppleScript’s ability to run such commands. The AppleScript displays no messages, dialogs or alerts. Once the user double-clicks this file, their home folder and all its contents are deleted permanently,” Macworld UK reports.

“Intego advises all Macintosh users to only download and run applications from trusted sources. However Intego has updated its VirusBarrier X software to address this vulnerability. Intego VirusBarrier X eradicates this Trojan horse, using its virus definitions dated May 11, 2004, and Intego remains diligent to ensure that VirusBarrier X will also eradicate any future viruses that may try to exploit this same technique. All Intego VirusBarrier X users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences,” Macworld UK reports.

“[According to Intego] Nothing prevents users from creating other, similar AppleScripts, with different names and custom icons that can run the same damaging command. The current version that is in the wild only deletes a user’s files and folders. Other such commands could attempt to delete all the files on a Macintosh computer running Mac OS X, but they would need to request an administrator password. However, users may not hesitate to type their administrator’s password for what they think is an installer; after all, Apple’s Installer requires this password to install any applications and updates to Mac OS X,” Macworld UK reports.

“[According to Intego] This Trojan horse highlights a serious weakness with Mac OS X. Since it is built on a Unix foundation, it can run powerful commands very easily. These commands can delete or damage a user’s files with no warning, and AppleScript offers no protection against malicious commands,” Macworld UK reports.

Full article here.

MacDailyNews Take: Intego is the company that, just over a month ago, trumpeted a so-called Mac OS X Trojan horse which turned out to be exaggerated FUD designed to sell security software – basically a non-issue. And this “trojan” supposedly comes with a Microsoft Office icon, of all things! So forgive us for being just a tad skeptical. We swear we just heard someone cry “wolf?” Maybe we’re hearing things.

This makes us wonder who would’ve released this in the wild via P2P file sharing networks, if it’s true? What would the creator(s) have to gain? What companies would have the most to gain? Interesting questions to ponder. But, hey, at least they used AppleScript!

In case you’re guessing, color us unconcerned, bored, or blue with pink spots for all we care about this. Just in case, and because we can, we post this story for your use. Enjoy.

Reminders:
1. don’t click it if you don’t know where it came from or what it is.
2. Microsoft wants you to buy Office for Mac, not download it for free. (Please note that MS Word is not, nor has it ever been, 108 KB)
3. Intego wants to sell you “VirusBarrier X.”

Throw all three in a blender, mix, and see what you come up with – we think it’s called “Intego-Schmintego.”

Related MacDailyNews articles:
Mac OS X so-called Trojan horse ‘exaggerated FUD to sell security software, a non-issue’ – April 10, 2004

96 Comments

  1. Stingerman, per Intego definition you are a virus in the wild and they will have their virus database include stingerman definition. Mac users are advised to buy it so that you will be deleted if you walk within 100 feet from their Macs.

  2. Sounds fishy! Sounds like something Microsoft would create, just to discourage illegal downloads. Maybe it never happened (an anonymous reader reported).

    “and has been working in close collaboration with these companies and organizations,”

    Maybe Intego is working closer with Microsoft than we think. This kind of story would benefit both Microsoft and Intego.

  3. Anyone else suspicious that Intego actually released the script in the wild? I love the “…This Trojan horse highlights a serious weakness with Mac OS X. Since it is built on a Unix foundation, it can run powerful commands very easily.” Pardon me, but this action was pretty darn easy to do on Mac OS 9x as well, not to mention it’s not that complicated to do on a Windows system. Sure, Unix is more powerful, but people created AppleScripts to trash files and folders before OS X.

    Here’s my question, when is MacWorld UK going to stop publishing their press releases, without verifying the details with a third party like Symantec, Sophos, F-Secure, or CERT.

  4. I wonder if the person who made it was on the Intego bankroll. I also wonder if all the other virus creators (like the teen who created Sasser) are on the other companies’ bankrolls.

  5. Now on LimeWire, an installer for Intego’s new anti-virus software for the Mac! Hurry and download it – it’s only 108k!!! Guaranteed to “remove” all viruses from your Mac!!!

  6. Can’t Apple sue for this kind of FUD? I mean, it is business bashing!! I was watching TechTV the other day and the guy on Call for Help was like, “Mac OS X is not the most secure OS, they just got a virus last week!!” I was, OMG, what a fucking moron. It was clear he was just another OS X Wintel basher.

  7. Anyone can write this script with AppleScript. It is a very easy script. Hell, I made a script like this 5 years ago. Nothing new, and if changing the icon on an AppleScript is a Trojan horse, then my computer is full of them.

  8. This clearly demonstrates what we have all suspected all along. The biggest and baddest sources of viruses, worms and Trojans are the very companies that sell the antivirus software. This company is clearly creating these in captivity and selling the cure. If this one is in the wild we all know where it came from. I smell a lawsuit.

  9. Oh nooo, I must sell my Mac and go back to Windows for security reasons.
    You know, I searched Symantec and they don’t have any information about this virus, nor does anyone else, and only one person has been affected by this. I have a hard time trusting this one.

  10. Alert! “Microsoft Office 2004.exe” found on Limewire! It’s a TROJAN!

    Not kidding. It’s true. I just went on Limewire looking for this Mac Word 2004 trojan, and all I found was the file listed above. It’s a Windows executable file all right, but it is hardly MS Office. It’s only 207K in size, for one thing. I browsed thru this file with a hex editor and found the phrase “Look at the tits on that girl” and the URL “some_web_site.com/hugerack” (I refuse to repeat the real URL – no advertising from me!). I’ll leave it for someone else to actually run this thing and see what it does, but I’ll bet ya next week’s salary that it’s NOT MS Office! OK, so where are the alarm bells going off for this thing? Surely Intego will want to rant and rave about yet another Trojan, right? Oh wait… it’s just another Windows trojan, so no news here.

    Isn’t it funny how an application that is supposed to be one thing but is something else can get so much attention when it’s a Mac app, but when it’s Windows no one hardly notices? This sort of thing is not an issue with Macs as it is computers in general. It can be done on any system and does not reflect a shortcoming of the system it is made for. If anything it reflects a lapse in security with the user. Any user can be tricked into doing something he/she shouldn’t do. What Intego and others like them will have a hard time in demonstrating is when a Mac can be infested with no user intervention. THEN I’ll take notice. Meanwhile, Intego can keep their FUD to themselves.

  11. OS X now has bash as default. In the Terminal the command ‘ls’ lists your files. If you issue ‘cd’ it brings you to your $HOME, which is
    /Users/<youraccount>

    A file starting with a dot is *invisible* in Unix. To show it you have to issue
    'ls -a'

    From ‘man bash’:

    When bash is invoked as an interactive login shell, or as a non-interactive shell with the --login option, it first reads and executes commands from the file /etc/profile, if that file exists. After reading that file, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one that exists and is readable.
    When an interactive shell that is not a login shell is started, bash reads and executes commands from ~/.bashrc

    If the file (say .bash_profile or .bashrc) is not there, create it with your preferred editor (do not forget the . in the name) and insert the line:
    alias rm='rm -i'

    Now, to see the difference, do:
    touch killme
    ls killme
    rm killme

    The above will create an empty killme file, show it, and delete it.

    Now source the file with the new alias (type ‘source .bashrc’ if you put it there), then try again:

    touch killme
    ls killme
    rm killme

    If you made no mistake, this time you should see:
    remove killme?

    to which you have to reply with a yes or a no.

  12. BTW,

    many Unix commands have the -i option for interactive confirmation. Get a basic book on Unix for OS X (search O’Reilly) and at least try to learn the basic things. It is not particle physics really.

  13. “No, this Trojan horse cannot spread or replicate. It is only dangerous when users download it from Web sites or peer-to-peer services.”

    It doesn’t self-replicate in any way, shape, or form, so to call this a Virus or a Trojan is ludicrous. The only thing that remotely resembles a Virus in this incident are the four (total thus far) people that actually downloaded the file and were dumb enough to execute it. PPPPPPlease!

    In the wild? Idiots!

  14. Don’t worry everyone – I have created a new iApp in the form of a brushed steel paperclip which will pop up every time you try to delete anything from your hard drive. When you try to do this it will say: “It seems as though you want to try to delete something – would you like me to help you?”. All Apple users can download this file from Limewire. It is 108k in size and carries a Britney Spears icon…..

    What next – 200k download of Star Wars Episode 3 from kazaa reformats C drive is mere nip.

  15. “Stealing is bad karma”- Steve Jobs
    Anyone stupid enough to download Microsoft Software from anyone other than Microsoft deserves to have their Home folder deleted. Go down and buy the retail version and support the development of Macintosh software, otherwise download OpenOffice and make a donation.

  16. Now that I think of it, does MacWorld have the address of the user reporting getting the MS Word 2004 beta from LimeWire thinking it was legit?

    You see, I do have this property left by my ancestors in Rome. It is centrally located and famous indeed. You could make a fortune selling tickets to visit it. You may have heard of it: it’s called the Coliseum. Price is reasonable.
    Send a check for $100,000 to be considered a serious bidder.

  17. Regarding the alias for rm. This won’t help. If it runs rm on the command line it WILL use the -f flag. This overrides the -i flag in your profile (I just checked). What I think would be the best option would be for Apple to hard code something into AppleScript that will ALWAYS post a notification when a script attempts to run rm on the command line. Perhaps make an obscure way of specifying specific scripts on your computer that don’t do this, but make it so it HAS to be manually set.

  18. I’ve always felt that the prior lack of access to KaZaA and other P2P networks reserved for Windows has been a blessing in disguise. The fact that this file came from Limewire indicates the writer knew he’d have a better chance of reaching a Mac victim.

    Stay away from P2Ps like the plague which they are. Windows users have been victimized by Trojans and viruses and spyware for ages now using P2Ps. Mac users need to learn the lesson from the experience of others instead of learning it the hard way.

    The person who reported this to MacWorld UK (before Intego ever got wind of it) got what he asked for: something too good to be true, which it was.

    He should have suspected something immediately. Since when does Microsoft distribute anything via P2P? Since when does M$ write anything with AppleScript? Secondly, MS Office is so bloated, I couldn’t even successfully download their “Test Drive” from their website on my dial-up. So MDN is right; seeing *anything* from M$ with a file size of even 1MB should be a dead giveaway.

    When the proof of concept came out last month, I thought nothing of it. But now, I think it’s time for us Mac OS X users to get serious about security. Even if 1 virus gets loose in the wild making that 70K Windows viruses to 1 Mac OS X virus, that still gives us bragging rights, but at the same time should give us pause to stop thinking we’re invincible.

    It’s only a matter of time, guys. Stop minimizing the potential dangers out there by constantly crying FUD foul.

    Practice responsible computing for the benefit of everyone, which now includes ourselves.

  19. It IS a Trojan. It’s not at all stupid to call it that. A Trojan doesn’t need to replicate. It disguises itself as something harmless, but has a nasty payload.

    It’s not very likely to affect many people, so the chances of that payload getting delivered is mighty slim. It doesn’t mean it’s not real though.

  20. THIS IS REAL…

    I said when the last worm came out “double click on it (the file) and your home directory is gone for good (Secure Empty Trash)”…

    Folks we have a real problem here, try moving your application folder to the trash, or your home directory; you can delete these.

    Cupertino we have a problem.

  21. Joel, you are right, my bad: Darwin has POSIX_STRICT set by default: -f and -i will be operationally exclusive – only the last instance of -i or -f will take effect; instances appearing earlier on the command line will be ignored. i.e. rm -i -f * = force, rm -f -i * = interactive. If POSIX_STRICT is not set, -i will require confirmations regardless of whether or not -f is specified.

    Then atm the solution is not an alias but an rm script that, instead of running the built-in rm, would run a /usr/local/bin/rm which moves files to the .Trash rather than deleting them.

    Something like that might be around on the net, but normally Unix users actually like rm as is and rely on habits in order not to be hurt by it.
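The "move to Trash instead of deleting" rm wrapper that comment 21 sketches (and that the alias in comment 11 and the -f/-i precedence point in comment 17 lead up to), written out as an added example; this is not code from the page or from any commenter. It assumes a TRASH_DIR variable (defaulting to ~/.Trash) and that the wrapper is installed ahead of /bin/rm on PATH, e.g. as /usr/local/bin/rm, or defined as a shell function.

```shell
#!/bin/sh
# Added example: a "trash instead of unlink" rm replacement in plain POSIX sh.
# Assumption: TRASH_DIR is the destination folder; ~/.Trash is what Finder uses.
TRASH_DIR="${TRASH_DIR:-$HOME/.Trash}"

# safe_rm: accept rm-style options but never unlink anything.
# Leading options (-f, -i, -r, -R, -v, combined forms like -rf) are parsed and
# discarded, so the -f-beats-i precedence discussed above no longer matters:
# a caller that runs "rm -rf target" still ends up with target in the trash.
# Returns non-zero if any target is missing or cannot be moved.
safe_rm() {
    status=0
    mkdir -p "$TRASH_DIR" || return 1
    while [ $# -gt 0 ]; do
        case "$1" in
            --) shift; break ;;          # end of options
            -*) shift ;;                 # drop every option, including -f
            *)  break ;;                 # first operand reached
        esac
    done
    for target in "$@"; do
        if [ ! -e "$target" ] && [ ! -L "$target" ]; then
            echo "safe_rm: $target: No such file or directory" >&2
            status=1
            continue
        fi
        base=$(basename "$target")
        dest="$TRASH_DIR/$base"
        # Do not clobber an earlier trashed item of the same name; suffix it.
        if [ -e "$dest" ] || [ -L "$dest" ]; then
            dest="$TRASH_DIR/$base.$(date +%Y%m%d%H%M%S).$$"
        fi
        mv "$target" "$dest" || status=1
    done
    return $status
}
```

A caveat the thread only hints at: a PATH wrapper (or an alias) only intercepts callers that look up `rm` through PATH; anything that invokes `/bin/rm` by absolute path, or runs with a minimal PATH that omits /usr/local/bin (as AppleScript's non-interactive `do shell script` environment typically does), reaches the real binary untouched.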

  22. I was thinking along the same lines. Would it be possible to have OS X to automatically alert a user any time an installer tries to delete anything or alter files in any way? Installers should be only allowed to do just that… install. This would raise security for OS X to a level that windows users will never see.

    That said, the current solution for the present situation seems simple. Don’t download apps from P2P networks. Mac Users should avoid pirating software anyway as it is a demotivating force for developers to port their apps to the OS X platform.

    Also as MDN implies, the fact that this malicious app seems to be a blatant attempt to deter people from pirating Microsoft office is pretty suspicious.

    And as for Intego……Intego are slime buckets extraordinaire.
