OSX/Leap-A

Category: Viruses and Spyware
Protection available since: 27 Feb 2006 00:00:00 (GMT)
Type: Macintosh worm
Last Updated: 03 Jun 2011 17:01:32 (GMT)
Prevalence: Small Number of Reports


OSX/Leap-A is an instant-messaging worm for the Mac OS X platform.

The worm attempts to spread via the iChat instant messaging system, sending itself to available contacts on the infected user's buddy list in a file called latestpics.tgz.

OSX/Leap-A attempts to infect recently used applications.

The latestpics.tgz file is an archive consisting of:

latestpics: the worm executable
._latestpics: a hidden resource file designed to disguise the executable as a JPEG image

OSX/Leap-A installs itself as an application hook by deleting the "apphook" subdirectory of either the /Library/InputManagers/ directory (if run with root permissions) or the ~/Library/InputManagers/ directory (if run as a non-root user) and replacing it with the following three files:

apphook/Info
apphook/apphook.bundle/Contents/Info.plist
apphook/apphook.bundle/Contents/MacOS/apphook

OSX/Leap-A attempts to infect recently used applications by overwriting the original application with a copy of the worm, storing the original application in the file's resource fork. Infected application files have the following extended attribute:

name: oompa
value: loompa

OSX/Leap-A also creates the following temporary files:

/tmp/pic.gz
/tmp/pic
/tmp/latestpics
/tmp/lastespics.tar
/tmp/lastespics.tar.gz
/tmp/lastespics.tgz

and several files under

/tmp/apphook
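
A check for the artefacts listed above, as an added example (not Sophos code). The function names and the ROOT prefix parameter are assumptions introduced here so that a mounted disk image or a test tree can be scanned instead of the live system; the marker check relies on the macOS xattr tool.

```shell
#!/bin/sh
# Added example: look for the OSX/Leap-A artefacts named on this page.
# ROOT is a hypothetical prefix ("" for the live system, or the mount point
# of a disk image); HOME_DIR is the user's home as seen inside ROOT.

# Print every listed InputManagers or /tmp path that exists under ROOT.
leap_a_path_hits() {
    root=$1
    home_dir=$2
    for base in "/Library/InputManagers" "$home_dir/Library/InputManagers"; do
        for rel in apphook/Info \
                   apphook/apphook.bundle/Contents/Info.plist \
                   apphook/apphook.bundle/Contents/MacOS/apphook; do
            if [ -e "$root$base/$rel" ]; then
                echo "$base/$rel"
            fi
        done
    done
    for p in /tmp/pic.gz /tmp/pic /tmp/latestpics /tmp/lastespics.tar \
             /tmp/lastespics.tar.gz /tmp/lastespics.tgz /tmp/apphook; do
        if [ -e "$root$p" ]; then
            echo "$p"
        fi
    done
    return 0
}

# Return 0 if FILE carries the extended attribute oompa=loompa, the marker
# the worm sets on infected applications. Returns 1 when the attribute is
# absent or when xattr(1) is not available on this host.
leap_a_is_marked() {
    command -v xattr >/dev/null 2>&1 || return 1
    value=$(xattr -p oompa "$1" 2>/dev/null) || return 1
    [ "$value" = "loompa" ]
}

# Stand-alone use: sh leap_a_check.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    leap_a_path_hits "${2:-}" "$HOME"
fi
```

A hit on the InputManagers paths alone is not conclusive, since the directory name apphook is all that is matched; the oompa/loompa attribute on an application binary is the stronger signal.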
