Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

New Trojan for Mac OS X

July 2, 2012

Russian anti-virus company Doctor Web is warning users about a new Trojan horse for Mac OS X. This application can perform backdoor tasks and execute commands issued by a remote, hacker-controlled server.

Back in late June, Doctor Web's anti-virus laboratory received a sample e-mail message with a malicious program attached targeting Mac OS X. This e-mail message, written in the Uighur language, had the file zmatiriyal.zip attached to it. The zip archive contained two files: an image and the matiriyal.app malware disguised with a PDF document icon. This application runs on both Power PC and x86 machines. It was added to the Dr.Web virus database as BackDoor.Macontrol.2.

screen

screen

If the option to hide extensions for known file types is enabled in the system, a user may try to open the attached "document", thus launching the Trojan. BackDoor.Macontrol.2 is especially dangerous for machines running Mac OS X Snow Leopard, since it allows programs to write into the Library folder under a user account (this is not possible under Mac OS X Lion).

When launched in a compromised system, BackDoor.Macontrol.2 copies itself into the file /Library/launched and creates its configuration file ~/Library/LaunchAgents/com.apple.FolderActionsxl.plist for launch upon system start-up. The Trojan then sends to a remote control server data on the infected computer, including the operating system version, computer name, user account information, and the amount of RAM. Then the Trojan stands by and waits for instructions. Directives that can be carried out by the backdoor include system shut down, sending files to a remote server, and running the /bin/sh shell.

This malware is not a danger to systems protected by Dr.Web for Mac OS X, which detects and removes the program. Doctor Web advises users to exercise caution when opening attachments to messages from unknown senders.

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040