Allows others to access the computer
Deletes files off the computer
Downloads code from the internet
Reduces system security
Affected Operating Systems
Please follow the instructions for removing worms.
The SH/Renepo-A virus can spread using any filename, but always tries to copy itself to /System/Library/StartupItems. Be sure to review this location for unwanted or malicious scripts.
The SH/Renepo-A virus creates a directory named "/.info" in which to collect data such as password hashes and application configuration. The presence of this directory should be considered suspicious.
The SH/Renepo-A virus attempts to create an admin-level user named "LDAP-daemon" with a password hash of "rQ3p5/hpOpvGE" and a user ID of 401. The presence of such an account should be considered suspicious.
Since SH/Renepo-A makes a wide range of changes to system security, a complete security review should be carried out on compromised computers. Be sure to re-enable any services the virus disabled, including accounting, logging, firewall and auto-updates. Also look for files and directories with "777" (world-writeable) permissions, especially /etc/hostconfig, /etc/xinetd.d/ssh and the various data files used by cron.
Assume that all passwords on your network have been compromised. SH/Renepo-A attempts to harvest user, configuration and password data for a wide range of applications, including FTP servers, web servers, browsers, VNC and the operating system itself.
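The indicators listed above can be gathered into one read-only triage check; this is an added example, not part of the original advisory. The function names `renepo_check` and `renepo_demo`, the "name uid" account-list format and the use of `dscl . -list /Users UniqueID` to produce it are assumptions, and the cron data files are left out because the page does not give their paths.

```shell
# renepo_check ROOT USERLIST  (added example; read-only)
#   ROOT     filesystem root to inspect: "/" live, or a mounted disk image
#   USERLIST file of "name uid" lines (assumption: on a live Mac, the
#            output of `dscl . -list /Users UniqueID`)
# Prints one line per finding; returns 1 if an indicator was found, else 0.
renepo_check() {
    root=${1%/} users=$2 found=0

    # Data-collection directory created by the worm.
    if [ -d "$root/.info" ]; then
        echo "FOUND directory $root/.info"; found=1
    fi

    # Rogue admin account: match the name or the user ID 401.
    while read -r name uid rest; do
        if [ "$name" = "LDAP-daemon" ] || [ "$uid" = "401" ]; then
            echo "FOUND account $name uid=$uid"; found=1
        fi
    done < "$users"

    # World-writable files the advisory names explicitly.
    for f in etc/hostconfig etc/xinetd.d/ssh; do
        if [ -n "$(find "$root/$f" -prune -type f -perm -002 2>/dev/null)" ]; then
            echo "FOUND world-writable $root/$f"; found=1
        fi
    done

    # Startup items cannot be judged automatically: list them for review.
    for item in "$root"/System/Library/StartupItems/*; do
        [ -e "$item" ] && echo "REVIEW startup item $item"
    done
    return "$found"
}

# Constructed sample tree (not real host data) exercising each check.
renepo_demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/.info" "$t/etc/xinetd.d" "$t/System/Library/StartupItems/Sample"
    : > "$t/etc/hostconfig";   chmod 777 "$t/etc/hostconfig"
    : > "$t/etc/xinetd.d/ssh"; chmod 644 "$t/etc/xinetd.d/ssh"
    printf 'root 0\nLDAP-daemon 401\n' > "$t/users.txt"
    rc=0; renepo_check "$t" "$t/users.txt" || rc=$?
    rm -rf "$t"
    return "$rc"
}
```

A `FOUND` line means the host should be treated as compromised and reviewed as described above; `REVIEW` lines only enumerate startup items for manual inspection.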