Summary

| How it spreads | |
|---|---|
| Affected operating systems | Macintosh |
| Included in our products from | August 2006 (4.08) |
| Protection available since | 16 February 2006 12:25:38 (GMT) |
| Last updated | 30 June 2006 09:41:04 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
OSX/Leap-A is an instant-messaging worm for the Mac OS X platform.
The worm attempts to spread via the iChat instant messaging system, sending itself to available contacts on the infected user's buddy list in a file called latestpics.tgz. This file is an archive consisting of:
latestpics: the worm executable
._latestpics: a hidden resource file designed to disguise the executable as a JPEG image
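A defender-side check for the packaging described above, as an added example that is not Sophos code or part of the original page: it flags tar members that begin with a Mach-O magic number and travel with a `._` sidecar. It assumes the sidecar is in AppleDouble format; the function names and the sample archives are constructed for illustration.

```python
import io
import tarfile

APPLEDOUBLE_MAGIC = bytes.fromhex("00051607")  # header of a "._name" sidecar
# Mach-O magic numbers (32/64-bit, both byte orders, plus fat binaries).
# cafebabe is shared with Java class files, so treat a hit as a lead to triage.
MACHO_MAGICS = {bytes.fromhex(h) for h in
                ("feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe")}


def disguised_executables(archive: bytes) -> list:
    """Names of Mach-O members that are paired with an AppleDouble sidecar."""
    heads = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                heads[member.name] = tar.extractfile(member).read(4)
    hits = []
    for name, head in heads.items():
        directory, sep, base = name.rpartition("/")
        sidecar = f"{directory}{sep}._{base}"
        if head in MACHO_MAGICS and heads.get(sidecar) == APPLEDOUBLE_MAGIC:
            hits.append(name)
    return sorted(hits)


def sample_tgz(members: dict) -> bytes:
    """Build an in-memory .tgz from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: four header bytes plus padding, no real worm content.
SUSPICIOUS = sample_tgz({"latestpics": bytes.fromhex("feedface") + bytes(28),
                         "._latestpics": APPLEDOUBLE_MAGIC + bytes(28)})
BENIGN = sample_tgz({"holiday.jpg": b"\xff\xd8\xff\xe0" + bytes(28),
                     "._holiday.jpg": APPLEDOUBLE_MAGIC + bytes(28)})

if __name__ == "__main__":
    print(disguised_executables(SUSPICIOUS))  # ['latestpics']
    print(disguised_executables(BENIGN))      # []
```

A genuine image with a sidecar is not flagged, because the check keys on the content's magic number, not on the file name or icon.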
OSX/Leap-A installs itself as an application hook by deleting the "apphook" subdirectory of either the /Library/InputManagers/ directory (if run with root permissions) or the ~/Library/InputManagers/ directory (if run as a non-root user) and replacing it with the following three files:
apphook/Info
apphook/apphook.bundle/Contents/Info.plist
apphook/apphook.bundle/Contents/MacOS/apphook
OSX/Leap-A attempts to infect recently used applications by overwriting the original application with a copy of the worm, storing the original application in the file's resource fork. Infected application files have the following extended attribute:
name: oompa
value: loompa
OSX/Leap-A also creates the following temporary files:
/tmp/pic.gz
/tmp/pic
/tmp/latestpics
/tmp/lastespics.tar
/tmp/lastespics.tar.gz
/tmp/lastespics.tgz
and several files under
/tmp/apphook
