SH/Renepo-A

Category: Viruses and Spyware
Type: Macintosh worm
Prevalence: No Reports


SH/Renepo-A is a shell script worm targeted at the Mac OS X platform. If run on your computer (either accidentally or by design), it copies itself to the local startup directory (/System/Library/StartupItems) and to any other mounted volumes, including other computers on your network. SH/Renepo-A also makes infected StartupItems folders world-writable. Because StartupItems are executed with root privileges at boot, a world-writable StartupItems folder lets any local user plant a script that will run as root at the next restart, opening a dangerous backdoor on any system the worm infects.

Note that any attacker trying to plant this worm in your network would first need root access on one of your machines, since only root can write to /System/Library/StartupItems; in other words, you would already be "owned". Nevertheless, SH/Renepo-A collects into a single script a wide range of anti-security attacks. Once the worm has run on your computer, it will compromise system security in many ways, including:

  • turning off system accounting and logging
  • turning off the OS X firewall
  • turning off software auto-updates
  • turning off Little Snitch (an outbound-connection monitor for OS X)
  • turning on filesharing
  • turning on ssh
  • making key system files world-writable
  • installing ohphoneX (a voice and video sharing program for OS X)
  • installing John the Ripper (a password cracker)
  • installing dsniff (a password sniffer)
  • logging the IP addresses of infected computers to a remote server
  • creating a directory in which to stash harvested data (/.info)
  • harvesting application, user and system data
  • collecting Windows password hashes from Samba
  • searching for VNC password information
  • trawling for passwords in the swap file
  • creating a new admin-level user (LDAP-daemon)
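As an added example, not part of the Sophos description and not the worm's own code, the following POSIX shell audit looks for the host-side traces listed above under a given filesystem root, so it can be pointed at a mounted volume as well as the local disk. Two details are assumptions made for illustration: local users are looked up in ROOT/etc/passwd (Mac OS X of that era actually kept them in NetInfo), and enabled services are read from ROOT/etc/hostconfig using the keys SSHSERVER, AFPSERVER and SMBSERVER. The names of the installed tools are not checked because the page does not say where the worm puts them.

```shell
#!/bin/sh
# Added audit helper (not from the Sophos page or from the worm): a read-only
# check for the traces attributed to SH/Renepo-A under ROOT (default "/").
# Assumptions: users are read from ROOT/etc/passwd and services from
# ROOT/etc/hostconfig with the keys SSHSERVER/AFPSERVER/SMBSERVER.

renepo_check() {
    root="${1:-/}"
    root="${root%/}"        # drop trailing slash so "$root/..." joins cleanly
    hits=0

    # 1. The startup directory the worm copies itself into and leaves
    #    world-writable. StartupItems run as root at boot, so a world-writable
    #    folder or item lets any local user get root at the next reboot.
    si="$root/System/Library/StartupItems"
    if [ -d "$si" ]; then
        if [ -n "$(find "$si" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
            echo "WORLD_WRITABLE_STARTUPITEMS $si"
            hits=$((hits + 1))
        fi
        n=$(find "$si" -mindepth 1 -maxdepth 1 -perm -002 2>/dev/null | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "WORLD_WRITABLE_STARTUPITEM_ENTRIES $n"
            hits=$((hits + n))
        fi
    fi

    # 2. Hidden directory the worm creates to stash harvested data.
    if [ -d "$root/.info" ]; then
        echo "STASH_DIR $root/.info"
        hits=$((hits + 1))
    fi

    # 3. The admin-level account the worm adds (account name from the page;
    #    passwd-file lookup is an assumption, real OS X used NetInfo).
    if [ -f "$root/etc/passwd" ] && grep -q '^LDAP-daemon:' "$root/etc/passwd"; then
        echo "ADMIN_USER LDAP-daemon"
        hits=$((hits + 1))
    fi

    # 4. Remote login and file sharing switched on (hostconfig keys assumed).
    hc="$root/etc/hostconfig"
    if [ -f "$hc" ]; then
        for key in SSHSERVER AFPSERVER SMBSERVER; do
            if grep -q "^$key=-YES-" "$hc"; then
                echo "SERVICE_ON $key"
                hits=$((hits + 1))
            fi
        done
    fi

    # Exit status 0: nothing found; 1: at least one indicator printed above.
    [ "$hits" -eq 0 ]
}

# Usage: renepo_check /    or    renepo_check /Volumes/SomeDisk
```

Each indicator is printed on its own line as a tag followed by the path or key, so the output can be fed straight into a ticket or a log pipeline; the exit status lets the function be used as a plain pass/fail check in a scheduled job. None of these checks is proof of infection on its own (an administrator may legitimately enable ssh or file sharing), but a world-writable StartupItems folder together with a /.info directory or an LDAP-daemon account is a strong signal.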