Do the Macarena!

Created: 02 Nov 2006 08:00:00 GMT • Updated: 23 Jan 2014 18:55:40 GMT
We received a virus on Thursday morning that parasitically infects OSX Mach-O format files, without relying on resource forks. It's called OSX/Macarena. If you have read the OSX/Leap paper from this year's Virus Bulletin conference, you will have seen some suggestions about possible infection methods. Those suggestions were all ignored by the virus author in this case. Instead, the virus writer has found a rather unexpected region of memory in which to place the code, along with a way to gain immediate control when an infected file is executed. There is no payload in this virus—it simply replicates. However, it won't replicate very well, because it is restricted to the current directory. On Windows systems it is common to have directories like "Windows" and "Windows\system32" full of executable files, but files aren't stored like that on OSX systems. Stay tuned: I'll post any further updates in this blog as they become available.