Category: Viruses and Spyware
Type: Macintosh worm
Prevalence: No Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed


  • Opener


  • Allows others to access the computer
  • Deletes files off the computer
  • Steals information
  • Downloads code from the internet
  • Reduces system security
  • Modifies passwords

Affected Operating Systems

Mac OS

Recovery Instructions:

Please follow the instructions for removing worms.

The SH/Renepo-A virus can spread using any filename, but always tries to copy itself to /System/Library/StartupItems. Be sure to review this location for unwanted or malicious scripts.

The SH/Renepo-A virus creates a directory named "/.info" in which to collect data such as password hashes and application configuration. The presence of this directory should be considered suspicious.

The SH/Renepo-A virus attempts to create an admin-level user named "LDAP-daemon" with a password hash of "rQ3p5/hpOpvGE" and a user ID of 401. The presence of such an account should be considered suspicious.

Since SH/Renepo-A makes a wide range of changes to system security, a complete security review should be carried out on compromised computers. Be sure to turn back on any services disabled by the virus, including accounting, logging, firewall and auto-updates. Also look for files and directories with "777" (world-writeable) permissions, especially /etc/hostconfig, /etc/xinetd.d/ssh and the various data files used by cron.

Assume that all passwords on your network have been compromised. SH/Renepo-A attempts to harvest user, configuration and password data for a wide range of applications, including FTP servers, web servers, browsers, VNC and the operating system itself.

download Try Sophos products for free
Download now