Update: “iWorkServices” Not Just A Trojan

Let’s call the bad iWork “Krowi”.

The story starts when an OS X user downloads an iWork 09 installation package with a serial key through BitTorrent.

Take note that Krowi is often found in a package “iWork09.zip” with a file size of 450.4MB. Upon extracting it, you’ll find NO “iWorkServices” here; instead there is a main installation package named iWork09Trial.mpkg and an enticing serial.txt.

Upon inspecting the contents of “iWork09Trial.mpkg”, you’ll find the nasty Krowi package “iWorkServices.pkg” piggybacking.

The file “preflight” contains a one-line instruction that executes the Mach-O binary file “iworkservices”.
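The check described above can be automated before an installer is ever run. The following is an added example, not part of the original post: a Python audit that walks an extracted installer directory, lists each install-time script with the commands it contains, and flags any bundled Mach-O file the script names. The script-name list, the substring match and the function names are assumptions of this example.

```python
import os
import sys

# Install-time script names used by legacy bundle-style OS X packages
# (assumed list for this example).
SCRIPT_NAMES = {"preflight", "postflight", "preinstall", "postinstall",
                "preupgrade", "postupgrade"}
# Mach-O magics (32/64-bit, both byte orders) and the fat/universal header.
MACHO_MAGIC = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGIC
    except OSError:
        return False


def audit_installer(root):
    """Report every install script under an extracted installer directory."""
    files = [os.path.join(d, f) for d, _sub, fs in os.walk(root) for f in fs]
    binaries = {os.path.basename(p) for p in files if is_macho(p)}
    findings = []
    for path in sorted(files):
        if os.path.basename(path) not in SCRIPT_NAMES:
            continue
        with open(path, "r", errors="replace") as fh:
            body = fh.read()
        findings.append({
            "script": os.path.relpath(path, root),
            # Commands the installer will run, minus comments and the shebang.
            "lines": [l.strip() for l in body.splitlines()
                      if l.strip() and not l.strip().startswith("#")],
            # Bundled Mach-O files that the script mentions by name.
            "runs_binaries": sorted(b for b in binaries if b in body),
        })
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_installer.py <extracted installer directory>")
    for f in audit_installer(sys.argv[1]):
        flag = "REVIEW" if f["runs_binaries"] else "ok"
        print(f"[{flag}] {f['script']}: {f['lines']} -> {f['runs_binaries']}")
```

A script that launches a binary shipped beside it, rather than one installed from the package payload, is the pattern worth a manual look.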

When installed, this will create the following files:




Since the system keeps a copy of the installer, you’ll find this as well:


Once installed, you will find the “iWorkServices” process running in the background, and it will persistently attempt to report to its command and control channels.