How To Remove “MacAccess” Trojan

Because of the number of infection reports and the prevalence of this threat, here are removal instructions for the “MacAccess” trojan.

The presence of the following files indicates that the infection or installation of this tricky trojan succeeded.

[Screenshot: installed files]

/cron.inst
/i386
/Library/Internet Plug-Ins/AdobeFlash
/Library/Internet Plug-Ins/Mozillaplug.plugin

Please note that /cron.inst and /i386 may no longer exist, since the trojan usually deletes them after its code has executed successfully.

To fix the infection, simply delete whichever of these files are present.

This trojan also creates a cron (scheduling) job, via /cron.inst, that executes a malicious Perl script named “AdobeFlash” found in “/Library/Internet Plug-Ins/”, so it is important that you check this part in Terminal. Execute “sudo crontab -l” to list the scheduled jobs, as shown below:

***Thanks for all the feedback! To all readers: use sudo so that a normal user can run the crontab commands as root.***

The cron job runs every five minutes and triggers the backdoor to contact a remote IP address. It has been observed contacting these remote IP addresses:

94.247.2.109
78.157.142.187

To remove it, execute “sudo crontab -r” and double-check by executing “sudo crontab -l”, as shown below:

[Screenshot: output of sudo crontab -r followed by sudo crontab -l]

Take note: you have to open Terminal to run “crontab”. Terminal is located at ~/Applications/Utilities, or you can simply search for it using Spotlight, as shown below:

[Screenshot: finding Terminal with Spotlight]

OSX/Jahlav, aka “MacAccess”, will attempt to connect to the IP addresses mentioned above (these vary depending on the variant), which may install another trojan, often DNSChanger. So it is best to check your DNS settings for dodgy entries, such as servers with IP addresses starting with 85.xx.xx.xx. To fix this, simply remove them and restore your legitimate DNS settings. Please check this instruction to help you fix malicious DNS entries.
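The three manual checks above (dropped files, root crontab, DNS servers) as one read-only shell script. This is an added example and not part of the original post; it only reports what it finds and deletes nothing, and the `scutil --dns` pipeline for listing DNS servers is an assumed way to feed the last check.

```shell
#!/bin/sh
# Added example, not part of the original post: read-only checks for the
# OSX/Jahlav ("MacAccess") indicators described above. Nothing is deleted;
# cleanup stays the manual steps in the post (rm the files, sudo crontab -r).

# Report which of the dropped files named in the post exist under $1
# (default: the real filesystem root). Returns 0 if any were found, 1 if none.
find_jahlav_files() {
    root="${1:-}"
    hits=0
    while IFS= read -r f; do
        if [ -e "$root$f" ]; then
            echo "FOUND: $root$f"
            hits=$((hits + 1))
        fi
    done <<'EOF'
/cron.inst
/i386
/Library/Internet Plug-Ins/AdobeFlash
/Library/Internet Plug-Ins/Mozillaplug.plugin
EOF
    [ "$hits" -gt 0 ]
}

# Read crontab text on stdin (e.g. piped from "sudo crontab -l") and print
# any job that references the AdobeFlash script or the Mozillaplug plug-in.
# Returns 0 if such a job is present, 1 if the crontab is clean.
crontab_has_jahlav() {
    grep -i -e 'AdobeFlash' -e 'Mozillaplug'
}

# Read DNS server addresses, one per line, and print those in the 85.x.x.x
# range the post associates with DNSChanger. Returns 0 if any match, 1 if none.
dns_suspect_entries() {
    grep -E '^[[:space:]]*85\.[0-9]+\.[0-9]+\.[0-9]+'
}

# Run all three checks against the live system (invoke the script with --run).
# Assumption: "scutil --dns" prints lines like "nameserver[0] : 1.2.3.4".
run_checks() {
    find_jahlav_files || echo "no Jahlav files found"
    sudo crontab -l 2>/dev/null | crontab_has_jahlav || echo "root crontab clean"
    scutil --dns | awk '/nameserver/ { print $3 }' | dns_suspect_entries \
        || echo "no 85.x.x.x DNS servers configured"
}
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Each function exits non-zero when it finds nothing, so the script can also be used from another script or cron-free monitoring job to flag a re-infection.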

If this instruction works, then I’ll be excited to hear your story. I’m sure any info will also help other OS X users.

If not, please feel free to drop a message, hopefully with additional information such as:

  • How did you get infected? (website?)
  • Do you still have a copy of the application you installed? If yes, please send it to this email address: meths101 (at) optusnet (dot) com (dot) au; or just send me a link where I can download it.
  • Any unusual behavior you found on your computer.

Updated 5/22/2009:

– Added information about Terminal as per request.

Updated 6/10/2009:

– Added link to How To Check Your DNS Settings