July 2, 2012
Back in late June, Doctor Web's anti-virus laboratory received a sample e-mail message with a malicious program for Mac OS X attached. The message, written in the Uighur language, carried the file zmatiriyal.zip. The zip archive contained two files: an image and the matiriyal.app malware, disguised with a PDF document icon. The application is a universal binary that runs on both PowerPC and x86 machines. It was added to the Dr.Web virus database as BackDoor.Macontrol.2.
If the system is configured to hide extensions for known file types, the attachment looks like a plain PDF, and a user who double-clicks the "document" launches the Trojan instead. BackDoor.Macontrol.2 is especially dangerous on Mac OS X Snow Leopard, because that version lets a program running under an ordinary user account write into the Library folder (Mac OS X Lion does not allow this).
When launched on a compromised system, BackDoor.Macontrol.2 copies itself to /Library/launched and writes a launch agent property list, ~/Library/LaunchAgents/com.apple.FolderActionsxl.plist, so that launchd runs it every time the user logs in; the com.apple. prefix in the label is chosen to blend in with Apple's own agents. The Trojan then sends data about the infected computer to its command-and-control server, including the operating system version, computer name, user account information, and the amount of RAM, and waits for instructions. Commands the backdoor can carry out include shutting the system down, uploading files to the remote server, and running the /bin/sh shell for the operator.
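The persistence mechanism described above is easy to hunt for on a user's own machine: enumerate ~/Library/LaunchAgents and flag any plist that claims an Apple label while living outside /System, or whose program runs from an unusual path. The Python below is an added example written for this page, not code from Doctor Web or from the malware itself; the plist body it embeds is constructed for illustration (the write-up names the plist and the /Library/launched copy, but does not publish the plist's contents, so the ProgramArguments, RunAtLoad and KeepAlive keys are assumptions). It uses only the standard library and runs on any platform; the real-filesystem scan simply finds nothing when the directory is absent.

```python
import plistlib
from pathlib import Path
from typing import List

# Indicators taken from the Dr.Web write-up: the backdoor's on-disk copy and its launch agent.
KNOWN_IOC_PATHS = {
    "/Library/launched",
    "~/Library/LaunchAgents/com.apple.FolderActionsxl.plist",
}

# Apple ships its own com.apple.* agents only from these trees; a com.apple.* label
# found anywhere else is impersonating a system component.
APPLE_PLIST_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
# Install trees that legitimate software normally executes from.
EXPECTED_PROGRAM_DIRS = ("/System/", "/usr/", "/Applications/", "/sbin/", "/bin/")


def collapse_home(path: str) -> str:
    """Rewrite /Users/<name>/... as ~/... so paths compare against the published IoCs."""
    home = str(Path.home())
    return "~" + path[len(home):] if path.startswith(home) else path


def audit_launch_agent(plist_path: str, plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one launchd plist; an empty list means it looks clean."""
    findings: List[str] = []
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist launchd cannot parse is itself worth a look
        return [f"unparseable plist: {exc}"]

    path = collapse_home(plist_path)
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    executable = str(data.get("Program") or (args[0] if args else ""))

    # 1. Apple-looking label stored outside Apple's own directories.
    if label.startswith("com.apple.") and not path.startswith(APPLE_PLIST_DIRS):
        findings.append(f"label {label!r} impersonates Apple but lives at {path}")
    # 2. Program runs from somewhere software is not normally installed.
    if executable and not executable.startswith(EXPECTED_PROGRAM_DIRS):
        findings.append(f"program {executable!r} outside expected install trees")
    # 3. Exact matches against the indicators published for BackDoor.Macontrol.2.
    if executable in KNOWN_IOC_PATHS:
        findings.append(f"indicator match: program {executable}")
    if path in KNOWN_IOC_PATHS:
        findings.append(f"indicator match: plist {path}")
    # 4. Start at login and restart if killed: the usual backdoor persistence combination.
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive both set (self-restarting persistence)")
    return findings


def scan_launch_agents(directory: str = "~/Library/LaunchAgents") -> dict:
    """Audit every .plist in a directory; returns {path: findings} for plists with findings."""
    results = {}
    base = Path(directory).expanduser()
    if not base.is_dir():
        return results
    for plist in sorted(base.glob("*.plist")):
        findings = audit_launch_agent(str(plist), plist.read_bytes())
        if findings:
            results[collapse_home(str(plist))] = findings
    return results


# Constructed sample: what a launch agent pointing at the /Library/launched copy could look like.
SAMPLE_MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.FolderActionsxl</string>
  <key>ProgramArguments</key><array><string>/Library/launched</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed benign sample: a third-party updater installed under /Applications.
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for f in audit_launch_agent("~/Library/LaunchAgents/com.apple.FolderActionsxl.plist",
                                SAMPLE_MALICIOUS_PLIST):
        print("sample:", f)
    for path, findings in scan_launch_agents().items():
        print(path, "->", "; ".join(findings))
```

The label check is the one that generalizes beyond this sample: Apple never installs com.apple.* agents into a user's ~/Library/LaunchAgents, so that rule catches any family borrowing the prefix, not just the FolderActionsxl name. The program-path heuristic will produce noise for software that installs into /Library or /opt, so treat it as a triage hint rather than a verdict.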
This malware poses no danger to systems protected by Dr.Web for Mac OS X, which detects and removes it. Doctor Web advises users to exercise caution when opening attachments to messages from unknown senders.