Let’s call the bad iWork as Krowi.

So, the story starts when OS X user will download an iWork 09 installation package with serial key through BitTorrent.

Take note that  Krowi is often found on a package “iWork09.zip” with filesize 450.4MB. Upon extracting, you’ll find  NO “iWorkServices” here instead a main installation package named iWork09Trial.mpkg and an enticing serial.txt.

Upon inspecting the content of “iWork09Trial.mpkg” you’ll find nasty Krowi “iWorkServices.pkg” piggybacking.

The file “preflight” contains a one line instruction, which is executing the mach-o binary file “iworkservices”.

When installed, this will create the following files:

/System/Library/StartupItems/iWorkServices/StartupParameters.plist

/System/Library/StartupItems/iWorkServices/iWorkServices

/usr/bin/iWorkServices

Since the system keep a copy of the installer, you’ll find this as well:

/Library/Receipts/iWorkServices.pkg

Once installed, you will find “iWorkServices” process is running in background and it will persistently attempts to report to its command and control channels.

69.92.177.146:59201

qwfojzlk.freehostia.com:1024