OSX/Leap-A is an instant-messaging worm for the Mac OS X platform.
The worm attempts to spread via the iChat instant messaging system, sending itself to available contacts on the infected users' buddy list in a file called latestpics.tgz.
OSX/Leap-A attempts to infect recently used applications.
OSX/Leap-A is an instant-messaging worm for the Mac OS X platform.
The worm attempts to spread via the iChat instant messaging system, sending itself to available contacts on the infected users' buddy list in a file called latestpics.tgz. This file is an archive consisting of:
latestpics: the worm executable
._latestpics: a hidden resource file designed to disguise the executable as a JPEG image
OSX/Leap-A installs itself as an application hook by deleting the "apphook" subdirectory of either the /Library/InputManagers/ directory (if run with root permissions) or the ~/Library/InputManagers/ directory (if run as a non-root user) and replacing it with the following three files:
apphook/Info
apphook/apphook.bundle/Contents/Info.plist
apphook/apphook.bundle/Contents/MacOS/apphook
OSX/Leap-A attempts to infect recently used applications by overwriting the original application with a copy of the worm, storing the original application in the file's resource fork. Infected application files have the following extended attribute:
name: oompa
value: loompa
OSX/Leap-A also creates the following temporary files:
/tmp/pic.gz
/tmp/pic
/tmp/latestpics
/tmp/lastespics.tar
/tmp/lastespics.tar.gz
/tmp/lastespics.tgz
and several files under
/tmp/apphook