Summary

| How it spreads | |
|---|---|
| Affected operating systems | Macintosh |
| Protection available since | 25 October 2004 03:51:52 (GMT) |
| Last updated | 25 October 2004 19:54:46 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
The SH/Renepo-A virus can spread using any filename, but always tries to copy itself to /System/Library/StartupItems. Be sure to review this location for unwanted or malicious scripts.
The SH/Renepo-A virus creates a directory named "/.info" in which to collect data such as password hashes and application configuration. The presence of this directory should be considered suspicious.
The SH/Renepo-A virus attempts to create an admin-level user named "LDAP-daemon" with a password hash of "rQ3p5/hpOpvGE" and a user ID of 401. The presence of such an account should be considered suspicious.
Since SH/Renepo-A makes a wide range of changes to system security, a complete security review should be carried out on compromised computers. Be sure to turn back on any services disabled by the virus, including accounting, logging, firewall and auto-updates. Also look for files and directories with "777" (world-writeable) permissions, especially /etc/hostconfig, /etc/xinetd.d/ssh and the various data files used by cron.
Assume that all passwords on your network have been compromised. SH/Renepo-A attempts to harvest user, configuration and password data for a wide range of applications, including FTP servers, web servers, browsers, VNC and the operating system itself.
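The following script is an added example (not Sophos' own tooling) that turns the review steps above into a repeatable check. It inspects a given root path for the indicators the advisory names: the /.info stash directory, the contents of /System/Library/StartupItems, and world-writeable permissions on /etc/hostconfig, /etc/xinetd.d/ssh and the StartupItems folder. The ROOT argument is an assumption that lets the same functions run against the live system ("/") or a mounted volume; the account check reads "name uid" lines on stdin, which is the output format of `dscl . -list /Users UniqueID`.

```shell
#!/bin/sh
# Indicator check for SH/Renepo-A. Added example, not Sophos code.
# ROOT is assumed: "/" for the live system, or a mount point for another volume.

# Paths the advisory says the worm makes world-writeable (relative to ROOT).
RENEPO_PERM_PATHS="etc/hostconfig etc/xinetd.d/ssh System/Library/StartupItems"

# Print each path from RENEPO_PERM_PATHS under ROOT whose "other" write bit is set.
# Octal -perm -002 is understood by both BSD (macOS) and GNU find.
renepo_world_writeable() {
    root="$1"
    for rel in $RENEPO_PERM_PATHS; do
        p="$root/$rel"
        [ -e "$p" ] && find "$p" -maxdepth 0 -perm -002 2>/dev/null
    done
    return 0
}

# List StartupItems for manual review: the worm copies itself here under any
# filename, so every entry that is not a known, expected item deserves a look.
renepo_startup_items() {
    d="$1/System/Library/StartupItems"
    [ -d "$d" ] && ls -1 "$d"
    return 0
}

# Read "name uid" lines on stdin (as printed by `dscl . -list /Users UniqueID`)
# and print those matching the account the worm creates: name LDAP-daemon or
# uid 401. Exit status 0 when a match is found, 1 otherwise.
renepo_suspect_users() {
    awk '$1 == "LDAP-daemon" || $2 == 401 { print; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Collect all filesystem findings for ROOT as "TAG path" lines on stdout.
renepo_check() {
    root="${1:-/}"
    [ -d "$root/.info" ] && echo "STASH_DIR $root/.info"
    renepo_world_writeable "$root" | sed 's/^/WORLD_WRITEABLE /'
    renepo_startup_items "$root" | sed "s|^|STARTUP_ITEM $root/System/Library/StartupItems/|"
    return 0
}

# Usage on a Mac OS X system (run as an administrator):
#   renepo_check /
#   dscl . -list /Users UniqueID | renepo_suspect_users
```

A clean system prints nothing from the STASH_DIR and WORLD_WRITEABLE checks; the STARTUP_ITEM lines always need a human to compare against the items that are expected on that machine, because the worm does not use a fixed filename.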
More Information
SH/Renepo-A is a shell script worm targeted at the Mac OS X platform. If run on your computer (either accidentally or by design), it copies itself to the local startup directory (/System/Library/StartupItems) and to any other mounted volumes, including other computers on your network. SH/Renepo-A also makes infected StartupItems folders world-writeable, thus opening a dangerous backdoor on any system it infects.
Note that any attacker trying to plant this worm in your network would need to get root access on one of your boxes first, meaning that you would already be "owned". Nevertheless, SH/Renepo-A collects into a single script a wide range of anti-security attacks. Once the worm has run on your computer, it will compromise system security in many ways, including:
- turning off system accounting and logging
- turning off the OS X firewall
- turning off software auto-updates
- turning off LittleSnitch (a security program for OS X)
- turning on filesharing
- turning on ssh
- making key system files world-writeable
- installing ohphoneX (a voice and video sharing program for OS X)
- installing John the Ripper (a password cracker)
- installing dsniff (a password sniffer)
- logging the IP numbers of infected computers to a remote server
- creating a directory in which to stash harvested data (/.info)
- harvesting application, user and system data
- collecting Windows password hashes from samba
- searching for VNC password information
- trawling for passwords in the swap file
- creating a new admin-level user (LDAP-daemon)

