Aliases
Characteristics
- Allows others to access the computer
- Deletes files off the computer
- Steals information
- Downloads code from the internet
- Reduces system security
- Modifies passwords
Affected Operating Systems
Recovery Instructions:
Please follow the instructions for removing worms.
The SH/Renepo-A virus can spread using any filename, but always tries to copy itself to /System/Library/StartupItems. Be sure to review this location for unwanted or malicious scripts.
The SH/Renepo-A virus creates a directory named "/.info" in which to collect data such as password hashes and application configuration. The presence of this directory should be considered suspicious.
The SH/Renepo-A virus attempts to create an admin-level user named "LDAP-daemon" with a password hash of "rQ3p5/hpOpvGE" and a user ID of 401. The presence of such an account should be considered suspicious.
Since SH/Renepo-A makes a wide range of changes to system security, a complete security review should be carried out on compromised computers. Be sure to re-enable any services disabled by the virus, including accounting, logging, the firewall and auto-updates. Also look for files and directories with "777" (world-writable) permissions, especially /etc/hostconfig, /etc/xinetd.d/ssh and the various data files used by cron.
Assume that all passwords on your network have been compromised. SH/Renepo-A attempts to harvest user, configuration and password data for a wide range of applications, including FTP servers, web servers, browsers, VNC and the operating system itself.
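The following POSIX shell script is an added example, not part of the original advisory: it reports the indicators described above (entries under /System/Library/StartupItems, the "/.info" directory, the LDAP-daemon account with UID 401 and hash rQ3p5/hpOpvGE, and world-writable /etc/hostconfig or /etc/xinetd.d/ssh) without modifying anything. The ROOT variable, the output format and the offline passwd-file mode are assumptions of this example; run it as root with ROOT unset on a live system, and compare the startup items it lists against your own baseline.

```shell
#!/bin/sh
# Added audit script, not part of the original advisory: report the SH/Renepo-A
# indicators listed above without changing anything. ROOT="" (default) inspects
# the live system; set ROOT to a mounted image or fixture to inspect that tree.
ROOT="${ROOT:-}"

# 1. Startup items: the worm always tries to copy itself here, under any name,
#    so every entry is reported for comparison with the machine's baseline.
list_startup_items() {
  for item in "$ROOT"/System/Library/StartupItems/*; do
    [ -e "$item" ] && echo "STARTUP $item"
  done
  return 0
}

# 2. The "/.info" data-collection directory named in the advisory.
check_info_dir() {
  [ -d "$ROOT/.info" ] && echo "INFODIR $ROOT/.info"
  return 0
}

# 3. Backdoor account (name, UID and hash as given in the advisory). A live
#    system is queried with id(1); an offline tree via its passwd-format file.
check_backdoor_account() {
  if [ -z "$ROOT" ]; then
    uid=$(id -u LDAP-daemon 2>/dev/null) && echo "ACCOUNT LDAP-daemon uid=$uid"
  elif [ -r "$ROOT/etc/passwd" ]; then
    awk -F: '$1 == "LDAP-daemon" || $3 == 401 || $2 == "rQ3p5/hpOpvGE" \
      { print "ACCOUNT " $1 " uid=" $3 }' "$ROOT/etc/passwd"
  fi
  return 0
}

# 4. World-writable files named in the advisory. -perm -002 tests the "other"
#    write bit, which 777 sets. Cron data files are site-specific; add them here.
check_world_writable() {
  for f in "$ROOT/etc/hostconfig" "$ROOT/etc/xinetd.d/ssh"; do
    [ -e "$f" ] && find "$f" -maxdepth 0 -perm -002 | sed 's/^/WORLDWRITABLE /'
  done
  return 0
}

# Print every finding (one per line), then the number of findings as the last line.
renepo_audit() {
  findings=$(list_startup_items; check_info_dir; check_backdoor_account; check_world_writable)
  printf '%s\n' "$findings" | grep . || true
  printf '%s\n' "$findings" | grep -c . || true
}

renepo_audit
```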