MacOS.MW2004.Trojan

Discovered: May 12, 2004
Updated: May 14, 2004 9:39:53 AM
Systems Affected: Mac

MacOS.MW2004.Trojan is a Mac OS X trojan horse that attempts to delete the user's home directory. It masquerades as an installer of Microsoft Word 2004, named "Microsoft Word 2004 OSX Web Install."

MacOS.MW2004.Trojan is a Trojan horse targeted at Mac OS X. It masquerades as an installer of Microsoft Word 2004, named "Microsoft Word 2004 OSX Web Install" (taken from the Microsoft Office "Welcome" application).

When launched under OS X, it attempts to delete the user's home directory (that is, /Users/<current user name>) and all of its contents. The actual deleted files will depend on the user and file permissions.

It is actually a compiled AppleScript file that, when launched under OS X, performs the UNIX shell command:

rm -rf ~

This command attempts to delete the current user's home directory and its contents. Deleting the home directory for most users is not possible, since the root user owns it.

The user may not have permission to delete all the files or folders within the home directory. In these cases an error message appears saying:

"rm: /Users/<current user name>: Permission denied"

However, the trojan deletes many files and folders.

When the user is logged in as root, the entire root folder and its contents are deleted. The above message does not appear.
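
A defender's check for the behaviour described above, as an added example that is not part of the original write-up and not a vendor signature: it scans a file's bytes for a recursive rm aimed at the user's home directory. It generalizes from the literal `rm -rf ~` to `$HOME` and `/Users/<name>` targets; the function name, pattern and sample bytes are constructed, and it assumes the command survives as a literal string (single-byte or UTF-16) inside the compiled script.

```python
import re

# Constructed pattern (an assumption, not a vendor signature): "rm" with one
# or more flag groups, then a target that is exactly the home directory.
_RM_HOME = re.compile(
    rb"\brm\s+(?P<flags>(?:-[a-zA-Z]+\s+)+)[\x22\x27]?"
    rb"(?P<target>~/?|\$HOME/?|\$\{HOME\}/?|/Users/[\w.\-]+/?)"
    rb"(?![\w/.\-])"  # reject subpaths such as ~/Library/Caches
)


def find_home_wipe(data: bytes) -> list[str]:
    """Return distinct recursive rm commands in data that target the home directory."""
    hits: list[str] = []
    # View 1: raw bytes (single-byte string literals).
    # View 2: NUL bytes removed, which exposes ASCII-range text stored as
    # UTF-16 in either byte order.
    for view in (data, data.replace(b"\x00", b"")):
        for m in _RM_HOME.finditer(view):
            flags = m.group("flags").split()
            letters = b"".join(flags).replace(b"-", b"")
            if b"r" not in letters.lower():
                continue  # not recursive, so a directory would not be removed
            cmd = b" ".join([b"rm", *flags, m.group("target")]).decode("ascii")
            if cmd not in hits:
                hits.append(cmd)
    return hits


# Constructed sample inputs; these are not bytes from the real Trojan and do
# not reproduce the compiled AppleScript file format.
SAMPLE_ASCII = b"\x0e\x00do shell script\x00\x08rm -rf ~\x00\xfa"
SAMPLE_UTF16 = 'do shell script "rm -rf ~"'.encode("utf-16-be")
SAMPLE_BENIGN = b'do shell script "rm -rf ~/Library/Caches/com.example.app"'

if __name__ == "__main__":
    for name, blob in [("ascii", SAMPLE_ASCII), ("utf16", SAMPLE_UTF16),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, find_home_wipe(blob))
```

A hit means the file deserves inspection before it is run; a cache-cleaning script that removes only a subdirectory of the home folder, as in the benign sample, is not flagged.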