Discovered: February 16, 2006
Updated: January 27, 2017 11:35:49 AM
Also Known As: OSX/Leap-A [Sophos], OSX/Leap [McAfee]
Systems Affected: Mac

OSX.Leap.A is a worm that targets installations of Macintosh OS X and spreads via the iChat instant messenger program. It infects files on Macintosh OS X version 10.4.

Antivirus Protection Dates

  • Initial Rapid Release version February 16, 2006
  • Initial Daily Certified version February 16, 2006
  • Latest Daily Certified version February 16, 2006
  • Initial Weekly Certified release date February 22, 2006


Writeup By: Costin Ionescu

The worm may arrive on the compromised computer as an attachment to an iChat Instant Message using the following file name:
latestpics.tgz

This is an archive file that displays a JPG icon in an attempt to disguise itself as a harmless image file.

Once executed, the worm creates the following infection marker in the resource forks of infected files so that files will not be reinfected:
oompa

It then sets the following infection marker value:
loompa

The worm also creates the following files:
/tmp/latestpics
/tmp/latestpics.tgz
/tmp/hook
/tmp/apphook
/tmp/pic.gz

Next, the worm deletes all files from the following folder:
~/Library/InputManagers

The worm then copies the /tmp/apphook file to the following folder, so that it runs every time an application starts:
~/Library/InputManagers

Next, the worm uses Spotlight to search for four applications that were recently used this month and do not require root permissions.

It then searches these files for the extended attribute oompa. If it does not find this attribute, it will infect the selected files.

The worm then infects the selected files by copying the contents of the data fork to the resource fork of the selected file, and then copying itself to the data fork of the selected file.

The worm monitors all launched applications. Every time the iChat application is launched, the worm sends the file latestpics.tgz to all the iChat contacts.
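
The indicators described above can be checked on a host as follows. This is an added example, not part of the original write-up; the function names, the caller-supplied list of application files, and the prefix match on apphook are assumptions.

```python
import os
import subprocess

# Indicators taken from the write-up above.
TMP_ARTIFACTS = ("latestpics", "latestpics.tgz", "hook", "apphook", "pic.gz")
INPUT_MANAGERS = os.path.join("Library", "InputManagers")
MARKER = "oompa"


def list_xattrs(path):
    """Return extended attribute names for path ([] if unreadable)."""
    try:
        if hasattr(os, "listxattr"):  # Linux builds of Python
            return os.listxattr(path)
        # macOS: Python has no os.listxattr there, so call xattr(1).
        out = subprocess.run(["xattr", path], capture_output=True, text=True)
        return out.stdout.splitlines()
    except OSError:
        return []


def scan(home, tmp_dir="/tmp", app_paths=(), xattrs=list_xattrs):
    """Return (kind, path) findings; app_paths is supplied by the caller."""
    findings = []
    # Files the worm drops in the temporary directory.
    for name in TMP_ARTIFACTS:
        path = os.path.join(tmp_dir, name)
        if os.path.lexists(path):
            findings.append(("dropped-file", path))
    # The worm empties InputManagers and plants apphook there, so every
    # remaining entry deserves review; apphook itself is flagged outright.
    im_dir = os.path.join(home, INPUT_MANAGERS)
    if os.path.isdir(im_dir):
        for entry in sorted(os.listdir(im_dir)):
            kind = ("input-manager-apphook" if entry.startswith("apphook")
                    else "input-manager-review")
            findings.append((kind, os.path.join(im_dir, entry)))
    # Application files carrying the worm's infection marker.
    for app in app_paths:
        if MARKER in xattrs(app):
            findings.append(("infection-marker", app))
    return findings


if __name__ == "__main__":
    for kind, path in scan(os.path.expanduser("~")):
        print(kind, path)
```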
