
Renepo worm targets Mac OS X

SH/Renepo-A is a shell script worm targeted at the Macintosh OS X platform. If run on your computer (either accidentally or by design), it copies itself to the local startup directory (/System/Library/StartupItems) and to any other mounted volumes, including other computers on your network. SH/Renepo-A also makes infected StartupItems folders world-writeable, thus opening a dangerous backdoor on any system it infects.

Note that any attacker trying to plant this worm in your network would need to get root access on one of your boxes first, meaning that you would already be “owned”. Nevertheless, SH/Renepo-A collects into a single script a wide range of anti-security attacks. Once the worm has run on your computer, it will compromise system security in many ways, including:

– turning off system accounting and logging
– turning off the OS X firewall
– turning off software auto-updates
– turning off LittleSnitch (a security program for OS X)
– turning on filesharing
– turning on ssh
– making key system files world-writeable
– installing ohphoneX (a voice and video sharing program for OS X)
– installing John the Ripper (a password cracker)
– installing dsniff (a password sniffer)
– logging the IP numbers of infected computers to a remote server
– creating a directory in which to stash harvested data (/.info)
– harvesting application, user and system data
– collecting Windows password hashes from samba
– searching for VNC password information
– trawling for passwords in the swap file
– creating a new admin-level user (LDAP-daemon)

More info: http://www.sophos.com.au/virusinfo/analyses/shrenepoa.html
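As an added example (not from Sophos or MacDailyNews), the following shell function checks a volume for three on-disk changes named above: world-writable StartupItems folders, the /.info stash directory, and the LDAP-daemon account. The function names, the user-list file argument and the sample tree are assumptions made for illustration; the sample tree is constructed so the check can be run on any machine.

```shell
#!/bin/sh
# Usage: scan_renepo ROOT USERLIST
#   ROOT     - mount point of the volume to inspect ("/" for the boot volume)
#   USERLIST - file with one account name per line (for example the saved
#              output of `dscl . -list /Users`); hypothetical input format
# Prints one line per indicator found; returns 1 if any were found, else 0.
scan_renepo() {
    root=${1%/}; users=$2; hits=0
    si="$root/System/Library/StartupItems"

    # World-writable StartupItems folders (the directory itself or any below it).
    if [ -d "$si" ]; then
        ww=$(find "$si" -type d -perm -0002 -print)
        if [ -n "$ww" ]; then
            printf '%s\n' "$ww" | sed 's/^/world-writable startup folder: /'
            hits=1
        fi
    fi

    # Directory the worm creates to stash harvested data.
    if [ -d "$root/.info" ]; then
        echo "stash directory present: $root/.info"
        hits=1
    fi

    # Admin-level account the worm creates.
    if [ -r "$users" ] && grep -Fqx 'LDAP-daemon' "$users"; then
        echo "account present: LDAP-daemon"
        hits=1
    fi
    return $hits
}

# Constructed sample tree (not a real infected system) to exercise the check.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/System/Library/StartupItems/Sample" "$d/.info"
    chmod 755 "$d/System/Library/StartupItems"
    chmod 777 "$d/System/Library/StartupItems/Sample"
    printf 'root\nalice\nLDAP-daemon\n' > "$d/users.txt"
    echo "$d"
}

demo=$(make_sample)
scan_renepo "$demo" "$demo/users.txt" || echo "indicators found under $demo"
rm -rf "$demo"
```

The script covers only the listed items that have a fixed path or name; settings such as the firewall, logging and software updates need to be checked separately.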

MacDailyNews Take: More information about this worm, also known as “Opener,” can be found at MacInTouch here. Remember that root access is required for this worm. Do not run your Mac OS X machine as “root” unless you know what you’re doing. More about root or superuser Mac OS X user levels here.
