Mac Trojan may funnel files, screenshots to distant servers

updated 01:15 pm EDT, Fri September 23, 2011

Malware currently just minor threat

A newly detailed Trojan attack is being directed at Macs, say security firms F-Secure and Sophos. Originally spotted in late July, the Trojan relies on two pieces of malware. The first is a downloader identified as "Trojan-Dropper:OSX/Revir.A," which not only retrieves the second piece of software but repeatedly opens a Chinese PDF document -- trojan.pdf -- said to contain offensive political statements. The real purpose of the document is thought to be distracting a person while the second app is downloaded.

Nicknamed "BackDoor:OSX/Imuler.A," the second half of the Trojan configures a launch agent which keeps the malware active, and then connects to a remote server, feeding it a victim's computer username and MAC address. The server can reportedly instruct a besieged system to archive files and upload them, or else capture screenshots for upload. F-Secure comments that Imuler.A currently seems to be working badly or not at all, since it isn't receiving instructions; the company warns, though, that the server may simply be in a testing phase, and could later become fully functional.

Both Sophos and F-Secure have produced updated definitions for their antivirus scanners that should cope with the Trojan. Apple has yet to push out new definitions for Lion and Snow Leopard, but the malware is said to be relatively easy to stop manually. People must first stop a process called "checkvir" in the Activity Monitor, and then delete "checkvir" and "checkfir.plist" files from their /username/Library/LaunchAgents/ directory.
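The manual check described above, as an added example (not code from MacNN, F-Secure or Sophos): a read-only shell script that looks for the "checkvir" process and the two launch-agent files the article names, and deletes nothing. The function names and the content match on other .plist files are assumptions of this example.

```sh
#!/bin/sh
# Added example: read-only check for the launch-agent indicators in the article.
# File names exactly as the article gives them.
IMULER_NAMES="checkvir checkfir.plist"

# Print each indicator path found under <home>/Library/LaunchAgents.
# Returns 0 if at least one was found, 1 otherwise.
find_imuler_files() {
    agents_dir="$1/Library/LaunchAgents"
    found=1
    [ -d "$agents_dir" ] || return 1
    for name in $IMULER_NAMES; do
        if [ -e "$agents_dir/$name" ]; then
            printf '%s\n' "$agents_dir/$name"
            found=0
        fi
    done
    # Assumption (not from the article): the agent's plist refers to the
    # "checkvir" executable, so a renamed plist still matches on content.
    for plist in "$agents_dir"/*.plist; do
        [ -f "$plist" ] || continue
        case "$plist" in */checkfir.plist) continue ;; esac  # already reported
        if grep -q "checkvir" "$plist" 2>/dev/null; then
            printf '%s\n' "$plist"
            found=0
        fi
    done
    return "$found"
}

# Returns 0 if a process named exactly "checkvir" is running.
imuler_process_running() {
    pgrep -x checkvir >/dev/null 2>&1
}

# Summarise both checks for one home directory (default: $HOME).
imuler_report() {
    home_dir="${1:-$HOME}"
    if hits=$(find_imuler_files "$home_dir"); then
        printf 'Launch-agent indicators found:\n%s\n' "$hits"
    else
        printf 'No launch-agent indicators under %s\n' "$home_dir"
    fi
    imuler_process_running && echo 'A process named "checkvir" is running'
    return 0
}

imuler_report "$@"
```

Pass a home directory as the first argument to check another account; with no argument the script checks the current user's.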

by MacNN Staff




  1. dliup

    Joined: Dec 1969



    Apple will provide a security definition within 24 hours to lock out the trojan.

  1. lysolman

    Joined: Dec 1969


    What in the world

    is an offensive political statement?

  1. testudo

    Joined: Dec 1969


    Re: non-issue

    Of course it's a non-issue. Every Mac 'security hole' is a non-issue. Because a patch will be issued. Or a definition. Or it requires physical access. Or requires the user to do something they shouldn't do.

  1. Grendelmon

    Joined: Dec 1969



    AYFKM? Your responses just keep getting better. Denial.


  1. dliup

    Joined: Dec 1969



    Software cannot correct user stupidity. You are a prime example.

  1. rbodgers

    Joined: Dec 1969



    "Because a patch will be issued. Or a definition. Or it requires physical access. Or requires the user to do something they shouldn't do."

    That same statement is just as valid for Windows. But:

    - not everyone runs their updates timely
    - definitions are not always timely
    - smart people do dumb things ALL THE TIME (especially those of us who should know better)

  1. Evolution_tech

    Joined: Dec 1969



    Another pinhead comment by an ignorant troll.

  1. facebook_William

    Via Facebook

    Joined: Sep 2011


    Apple XProtect v24 is out

    Adds OSX.Revir.A definition.
    Run sudo /usr/libexec/XProtectUpdater or just reboot if you want to be protected now. XProtectUpdater runs every 24 hours from boot time.

  1. byRyan

    Joined: Dec 1969


    stealthy naming

    wow - so two of the files involved in this Trojan are named "Trojan"

    Note to self, don't open files labeled TROJAN
