AAPL Stock: 111.78 ( -0.87 )

Printed from

Mac Trojan may funnel files, screenshots to distant servers

updated 01:15 pm EDT, Fri September 23, 2011

Malware currently just minor threat

A newly-detailed Trojan attack is being directed at Macs, say security firms F-Secure and Sophos. Originally spotted in late July, the Trojan relies on two pieces of malware. The first is a downloader identified as "Trojan-Dropper:OSX/Revir.A," which not only retrieves the second piece of software but repeatedly opens a Chinese PDF document -- trojan.pdf -- said to contain offensive political statements. The real purpose of the document is thought to be distracting a person while the second app is downloaded.

Nicknamed "BackDoor:OSX/Imuler.A," the second half of the Trojan configures a launch agent which keeps the malware active, and then connects to a remote server, feeding it a victim's computer username and MAC address. The server can reportedly instruct a besieged system to archive files and upload them, or else capture screenshots for upload. F-Secure comments that Imuler.A currently seems to be working badly or not at all, since it isn't receiving instructions; the company warns, though, that server may simply be in a testing phase, and could later become fully functional.

Both Sophos and F-Secure have produced updated definitions for their antivirus scanners that should cope with the Trojan. Apple has yet to push out new definitions for Lion and Snow Leopard, but the malware is said to be relatively easy to stop manually. People must first stop a process called "checkvir" in the Activity Monitor, and then delete "checkvir" and "checkfir.plist" files from their /username/Library/LaunchAgents/ directory.

by MacNN Staff





  1. dliup

    Joined: Dec 1969



    Apple will provide a security definition within 24 hours to lock out the trojan.

  1. lysolman

    Joined: Dec 1969


    What in the world

    is an offensive political statement?

    Comment buried. Show
  1. testudo

    Joined: Dec 1969


    Re: non-issue

    Of course it's a non-issue. Every mac 'security hole' is a non-issue. Because a patch will be issued. Or a definition. Or it requires physical access. Or requires the user to do something they shouldn't do.

    Comment buried. Show
  1. Grendelmon

    Joined: Dec 1969



    AYFKM? Your responses just keep getting better. Denial.


  1. dliup

    Joined: Dec 1969



    Software cannot correct user stupidity. You are a prime example.

  1. rbodgers

    Joined: Dec 1969



    "Because a patch will be issued. Or a definition. Or it requires physical access. Or requires the user to do something they shouldn't do."

    That same statement is just as valid for Windows. But:

    - not everyone runs their updates timely
    - definitions are not always timely
    - smart people do dumb things ALL THE TIME (especially those of us who should know better)

  1. Evolution_tech

    Joined: Dec 1969



    Another pinhead comment by an ignorant troll.

  1. facebook_William

    Via Facebook

    Joined: Sep 2011


    Apple XProtect v24 is out

    Adds OSX.Revir.A definition.
    Run sudo /usr/libexec/XProtectUpdater or just reboot if you want to be protected now. XProtectUpdater runs every 24 hours from boot time.

  1. byRyan

    Joined: Dec 1969


    stealthy naming

    wow - so two of the files involved in this Trojan are named "Trojan"

    Note to self, don't open files labeled TROJAN

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines


Most Popular

MacNN Sponsor

Recent Reviews

Dell AD211 Bluetooth speaker

For all of the high-priced, over-engineered Bluetooth speakers in the electronics market, there is still room for mass-market solution ...

VisionTek 128GB USB Pocket SSD

USB flash drives dealt the death blow to both the floppy and Zip drives. While still faster than either of the old removable media, sp ...

Kodak PixPro SL10 Smart Lens Camera

Smartphone imagery still widely varies. Large Megapixel counts don't make for a good image, and the optics in some devices are lackin ...


Most Commented