Intego warns of new Mac OS X Trojan Horse

updated 02:05 pm EDT, Wed May 12, 2004

New Mac OS X Trojan Horse


Intego today announced that its latest virus definitions offer protection from a new Mac OS X Trojan horse, AS.MW2004.Trojan: "This Trojan horse, when double-clicked, permanently deletes all the files in the current user's home folder. Intego has notified Apple, Microsoft and the CERT, and has been working in close collaboration with these companies and organizations. The AS.MW2004.Trojan is a compiled AppleScript applet, a 108 KB self-contained application, with an icon resembling an installer for Microsoft Office 2004 for Mac OS X. This AppleScript runs a Unix command that removes files, using AppleScript's ability to run such commands. The AppleScript displays no messages, dialogs or alerts. Once the user double-clicks this file, their home folder and all its contents are deleted permanently."

Intego says it has updated its VirusBarrier X software to address this threat. Intego VirusBarrier X eradicates the Trojan horse using its virus definitions dated May 11, 2004, which are available only through the program's NetUpdate feature. The company also forwarded the following Q&A from Microsoft regarding the issue.


Q&A from Microsoft about the AS.MW2004.Trojan Trojan Horse



How did Microsoft find out about this Trojan horse?
Intego, the Macintosh security specialist, notified us.



Do you offer any Web downloads that use this icon?
No. Microsoft does not offer any Web downloads that use the icon identified
as Trojan horse, MW2004. Microsoft Office 2004 for Mac should only be
installed from retail CDs, and the authentic install icon will only be found
in the product install wizard.



What is the recommended way that customers should install Office 2004?
Microsoft Office 2004 for Mac should only be installed from retail CDs, and
the authentic install icon will only be found in the product install wizard.
When looking for product enhancements from Microsoft, customers should
always download from www.microsoft.com or through the new AutoUpdate tool in
Microsoft Office 2004 for Mac.



I heard an individual downloaded the file from a peer-to-peer network, thinking it was a public beta of Microsoft Word 2004. Was there a public beta program for Office 2004 for Mac?
No, there was not a public beta of Office 2004. However, a trial version of
the product will soon be available, and should only be downloaded from
Mactopia.




Q&A from Intego regarding Trojan Horse



Where did Intego first find out about this Trojan horse?
Intego received a copy of this Trojan horse on May 10, 2004. It was sent to
Intego by an editor with Macworld magazine in the United Kingdom, who
received it from a reader. The reader in question downloaded the file from
the Gnutella peer-to-peer network, thinking that it was a public beta of
Microsoft Word 2004. When he double-clicked the application, it immediately
and permanently erased his home folder and all its contents.



Have you informed Apple, Microsoft and the CERT about this Trojan horse?
Yes, we informed Apple, Microsoft and the CERT as soon as we examined this
Trojan horse and discovered its dangers. We have been in close contact with
Apple and Microsoft, and have had several meetings and conference calls with
them to ensure that this Trojan horse is controlled as quickly as possible.



Has Microsoft made any comments about this Trojan horse?
Microsoft made the following comments: "Microsoft has verified that it does
not offer any web downloads that use this icon. This icon should only be
found when customers install Microsoft Office for Mac from retail CDs, and
will be found in the product install wizard. When looking for downloads from
Microsoft, always download from www.microsoft.com or through the new
AutoUpdate tool in Microsoft Office 2004 for Mac."



How exactly does this Trojan horse work?
When a user double-clicks the file, the Trojan horse runs its AppleScript
code. The AppleScript runs a Unix command, which immediately deletes the
current user's home folder, as well as all the files and folders it
contains. This command does not move files to the Trash; it deletes them
immediately. There is no warning; once the file is double-clicked, it is too
late. Since the AppleScript only deletes a user's home folder and its
contents (files and folders the user already has permission to delete), it
does not need a password.



What is a user's home folder?
Under Mac OS X, a user's personal files are stored in their home folder.
This is the folder bearing the user's name and a house icon. This is where
users store documents, music files, photos, movies, as well as all
preferences for the applications they use.



Does this Trojan horse affect any Mac OS X system files?
No, it only deletes a user's home folder and its contents. In order to
delete system files the user would have to enter an administrator's
password, and this would require that the Trojan horse display a dialog for
this purpose.



Does this Trojan horse affect Mac OS 9 or earlier versions of Mac OS?
No. While it only deletes files on Mac OS X, it freezes computers running
Mac OS 9 if it is run there. Also, under Mac OS 9 this AppleScript appears
with a normal AppleScript applet icon.



Is there any way to get the deleted files back?
Some file recovery software may be able to recover some or all of the
deleted files, but the best protection is to make regular backups of
personal files, using a program such as Intego Personal Backup X3. Intego
VirusBarrier X cannot recover files; it offers protection if this Trojan
horse is launched.



How can you identify this Trojan horse?
The only way to identify this Trojan horse is from its name and icon. This
Trojan horse is simply an AppleScript applet with a custom icon pasted on
it. When examining the file with the Finder's Get Info command, it shows as
an application. This does not seem surprising, since a user downloading this
expects it to be an installer. Many applications use "web installers", which
are very small files that let users select which modules or parts of the
application they wish to install and then download only the necessary
files.



Can this Trojan horse spread on its own?
No, this Trojan horse cannot spread or replicate. It is only dangerous when
users download it from web sites or peer-to-peer services.



Can this technique be used with other commands?
Nothing prevents users from creating other, similar AppleScripts, with
different names and custom icons that can run the same damaging command. The
current version that is in the wild only deletes a user's files and folders.
Other such commands could attempt to delete all the files on a Macintosh
computer running Mac OS X, but they would need to request an administrator
password. However, users may not hesitate to type their administrator's
password for what they think is an installer; after all, Apple's Installer
requires this password to install any applications and updates to Mac OS X.



This Trojan horse highlights a serious weakness with Mac OS X. Since it is
built on a Unix foundation, it can run powerful commands very easily. These
commands can delete or damage a user's files with no warning, and
AppleScript offers no protection against malicious commands.



Is there any way to check installers to see if they are malicious?
One way to see if an application is really an AppleScript is to select the
file in the Finder, then press Command+I. The Finder's Get Info window
displays. Click the icon at the top of this window, then press the Delete
key. If any file is indeed a double-clickable AppleScript (or applet), it
displays a generic AppleScript applet icon.
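A command-line counterpart to the Get Info check above, added here as an example; it is not part of the MacNN article or of Intego's advisory. It assumes the bundle layout of compiled AppleScript applets on Mac OS X (a compiled script at Contents/Resources/Scripts/main.scpt, the bundle signature aplt and the stock executable name applet) and that the Finder records a pasted custom icon in an "Icon\r" file inside the bundle. The "Office 2004 Installer.app" it builds is a constructed sample with an empty stand-in script; a single-file applet that keeps its script in a resource fork rather than in a bundle would not be detected by it.

```sh
#!/bin/sh
# Added example (not from the article or Intego): flag application bundles that
# are really compiled AppleScript applets, whatever name and icon they show in
# the Finder. Assumed applet layout: Contents/Resources/Scripts/main.scpt,
# CFBundleSignature "aplt", CFBundleExecutable "applet".

# is_applescript_applet BUNDLE -> returns 0 if BUNDLE looks like an AppleScript applet
is_applescript_applet() {
    bundle=$1
    plist="$bundle/Contents/Info.plist"
    # Bundled applets keep their compiled script at a fixed path.
    if [ -f "$bundle/Contents/Resources/Scripts/main.scpt" ]; then
        return 0
    fi
    # Otherwise check Info.plist for the applet signature or the stock
    # executable name; whitespace is stripped so a key/value pair matches as one string.
    if [ -f "$plist" ]; then
        flat=$(tr -d '\n\r\t ' < "$plist")
        case "$flat" in
            *'<key>CFBundleSignature</key><string>aplt</string>'*) return 0 ;;
            *'<key>CFBundleExecutable</key><string>applet</string>'*) return 0 ;;
        esac
    fi
    return 1
}

# has_pasted_icon BUNDLE -> returns 0 if the Finder's "Icon\r" file is present,
# which is what pasting a custom icon in Get Info leaves behind (assumption).
has_pasted_icon() {
    [ -f "$1/Icon$(printf '\r')" ]
}

# classify_app BUNDLE -> prints a one-word verdict, convenient for scripting
classify_app() {
    if is_applescript_applet "$1"; then
        if has_pasted_icon "$1"; then
            echo "applet-with-custom-icon"
        else
            echo "applet"
        fi
    else
        echo "not-an-applet"
    fi
}

# make_sample_applet DIR -> builds a constructed applet bundle carrying a pasted
# icon, the shape of an installer look-alike, for the demonstration below
make_sample_applet() {
    dir=$1
    mkdir -p "$dir/Contents/Resources/Scripts" "$dir/Contents/MacOS"
    cat > "$dir/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>applet</string>
    <key>CFBundleSignature</key>
    <string>aplt</string>
</dict>
</plist>
EOF
    : > "$dir/Contents/Resources/Scripts/main.scpt"   # empty stand-in for a compiled script
    : > "$dir/Icon$(printf '\r')"                       # stand-in for the pasted custom icon
}

# With arguments, classify the given bundles; without, run on a constructed sample.
if [ "$#" -gt 0 ]; then
    for app in "$@"; do
        printf '%s: %s\n' "$app" "$(classify_app "$app")"
    done
else
    demo=$(mktemp -d)
    make_sample_applet "$demo/Office 2004 Installer.app"
    printf '%s: %s\n' "Office 2004 Installer.app" "$(classify_app "$demo/Office 2004 Installer.app")"
    rm -rf "$demo"
fi
```

Run it with one or more .app paths to classify downloaded "installers" before opening them; an "applet" or "applet-with-custom-icon" verdict on something that claims to be an Office installer is the same signal the Finder's Delete-the-icon trick gives, without launching the file.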


by MacNN Staff
