Mac OS X Trojan

17th February, 2006

Yes, the above headline is what has been discovered today. There's a thorough dissection by Andrew Welch of Ambrosia fame.

It is not a virus, so there's no need to rush out and buy anti-virus software for your Mac. It is an application disguised as a jpg picture, which in turn is compressed into a file called "latestpics.tgz".
The important point here is, as Andrew points out:

You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file

2) Double-click on the file to decompress it

3) Double-click on the resulting file to "open" it

...and then for most users, you must also enter your Admin password.

Also worth noting is that the trojan does not exploit any security issue in Mac OS X.
I was a little confused about why OS X apparently does not warn the user about running the application for the first time, but it appears from The Register that the application is in fact a Unix executable, launching Terminal and executing the script.
I expect Apple to change the behaviour of shell scripts so that they too prompt a warning.
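
An added example (not from the original post or from Andrew Welch's analysis): a Python check that lists a .tgz archive without unpacking it and flags members that carry an image extension but begin with executable content, which is the disguise described above. The archive and its member names are constructed sample data, and the magic-number tables are this example's own choice of what to look for.

```python
import io
import tarfile

# Leading bytes of genuine image files, keyed by the extension they carry.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
# Leading bytes of content Mac OS X will execute rather than display.
EXEC_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O executable (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O executable (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
    b"#!": "script with interpreter line",
}

def scan_archive(fileobj):
    """Return [(member name, reason)] for members that only pose as images."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            ext = next((e for e in IMAGE_MAGIC if member.name.lower().endswith(e)), None)
            if ext is None or not member.isfile():
                continue
            head = tar.extractfile(member).read(8)  # read only, never unpack
            if head.startswith(IMAGE_MAGIC[ext]):
                continue
            kind = next((d for m, d in EXEC_MAGIC.items() if head.startswith(m)),
                        "not image data")
            if member.mode & 0o111:
                kind += ", executable bit set"
            findings.append((member.name, kind))
    return findings

def build_sample():
    """Constructed test archive: one JPEG header, one disguised executable."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in (
            ("beach.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16, 0o644),
            ("party.jpg", b"\xfe\xed\xfa\xce" + b"\0" * 16, 0o755),
        ):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    print(*scan_archive(build_sample()), sep="\n")
```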

