Mac Trojan may funnel files, screenshots to distant servers

updated 01:15 pm EDT, Fri September 23, 2011

Malware currently just minor threat

A newly-detailed Trojan attack is being directed at Macs, say security firms F-Secure and Sophos. Originally spotted in late July, the Trojan relies on two pieces of malware. The first is a downloader identified as "Trojan-Dropper:OSX/Revir.A," which not only retrieves the second piece of software but repeatedly opens a Chinese PDF document -- trojan.pdf -- said to contain offensive political statements. The real purpose of the document is thought to be to distract the user while the second app is downloaded.

Nicknamed "BackDoor:OSX/Imuler.A," the second half of the Trojan configures a launch agent that keeps the malware active, and then connects to a remote server, feeding it the victim's computer username and MAC address. The server can reportedly instruct a compromised system to archive files and upload them, or else capture screenshots for upload. F-Secure comments that Imuler.A currently seems to be working badly or not at all, since it isn't receiving instructions; the company warns, though, that the server may simply be in a testing phase, and could later become fully functional.

Both Sophos and F-Secure have produced updated definitions for their antivirus scanners that should cope with the Trojan. Apple has yet to push out new definitions for Lion and Snow Leopard, but the malware is said to be relatively easy to stop manually: first quit the process called "checkvir" in Activity Monitor, then delete the "checkvir" and "checkvir.plist" files from the Library/LaunchAgents/ folder inside your home directory (/Users/username/Library/LaunchAgents/).
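A defender-side check for the persistence mechanism described above, added here as an example and not code from the article, F-Secure, Sophos or Apple: it looks for the reported file names in a LaunchAgents folder and, going beyond the article, flags any launch agent whose program is stored inside LaunchAgents itself, which legitimate agents do not do. The sample folder, the placeholder labels and the com.example names are constructed.

```python
import os
import plistlib
import tempfile

# File names the article reports for the Imuler.A launch agent.
KNOWN_BAD_NAMES = {"checkvir", "checkvir.plist"}

def agent_program(plist_path):
    """Executable a launchd agent plist runs, or '' if the plist is unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:
        return ""
    if not isinstance(data, dict):
        return ""
    args = data.get("ProgramArguments") or []
    return data.get("Program") or (args[0] if args else "")

def scan_launch_agents(agents_dir):
    """Return (file name, reason) pairs for suspicious entries in a LaunchAgents folder.
    Flags the names from the article and, more generally, any agent whose program
    is stored inside LaunchAgents itself; legitimate agents point elsewhere."""
    agents_dir = os.path.abspath(agents_dir)
    findings = []
    for name in sorted(os.listdir(agents_dir)):
        if name in KNOWN_BAD_NAMES:
            findings.append((name, "file name reported for Imuler.A"))
        elif name.endswith(".plist"):
            prog = agent_program(os.path.join(agents_dir, name))
            if prog and os.path.abspath(prog).startswith(agents_dir + os.sep):
                findings.append((name, "program stored in LaunchAgents: " + prog))
    return findings

def _write_agent(folder, name, program):
    """Write a constructed launchd agent plist (Label is a placeholder)."""
    with open(os.path.join(folder, name), "wb") as fh:
        plistlib.dump({"Label": "placeholder." + name, "RunAtLoad": True,
                       "ProgramArguments": [program]}, fh)

def demo():
    """Scan a constructed LaunchAgents folder (sample data, not a real infection)."""
    with tempfile.TemporaryDirectory() as d:
        for dropped in ("checkvir", "updater"):  # constructed dropped binaries
            open(os.path.join(d, dropped), "wb").close()
        _write_agent(d, "checkvir.plist", os.path.join(d, "checkvir"))
        _write_agent(d, "com.example.updater.plist", os.path.join(d, "updater"))
        _write_agent(d, "com.example.sync.plist", "/Applications/Sync.app/Contents/MacOS/sync")
        return scan_launch_agents(d)
```

To check a real account, call scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents")) and review each finding before deleting anything.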

by MacNN Staff




  1. dliup

    Apple will provide a security definition within 24 hours to lock out the trojan.

  2. lysolman

    What in the world

    is an offensive political statement?

  3. testudo

    Re: non-issue

    Of course it's a non-issue. Every mac 'security hole' is a non-issue. Because a patch will be issued. Or a definition. Or it requires physical access. Or requires the user to do something they shouldn't do.

  4. Grendelmon

    AYFKM? Your responses just keep getting better. Denial.


  5. dliup

    Software cannot correct user stupidity. You are a prime example.

  6. rbodgers

    "Because a patch will be issued. Or a definition. Or it requires physical access. Or requires the user to do something they shouldn't do."

    That same statement is just as valid for Windows. But:

    - not everyone runs their updates timely
    - definitions are not always timely
    - smart people do dumb things ALL THE TIME (especially those of us who should know better)

  7. Evolution_tech

    Another pinhead comment by an ignorant troll.

  8. facebook_William

    Via Facebook

    Joined: Sep 2011

    Apple XProtect v24 is out

    Adds OSX.Revir.A definition.
    Run sudo /usr/libexec/XProtectUpdater or just reboot if you want to be protected now. XProtectUpdater runs every 24 hours from boot time.

  9. byRyan

    stealthy naming

    wow - so two of the files involved in this Trojan are named "Trojan"

    Note to self, don't open files labeled TROJAN
