
OSX.Leap.A

Risk Level 1: Very Low

Discovered:
February 16, 2006
Updated:
January 27, 2017 11:35:49 AM
Also Known As:
OSX/Leap-A [Sophos], OSX/Leap [McAfee]
Systems Affected:
Mac
OSX.Leap.A is a worm that targets installations of Macintosh OS X and spreads via the iChat instant messaging program. It infects files on Macintosh OS X version 10.4.

The worm may arrive on the compromised computer as an attachment to an iChat instant message with the following file name:
latestpics.tgz

This is an archive file that displays a JPG icon in an attempt to disguise itself as a harmless image file.

Once executed, the worm creates the following infection marker in the resource forks of infected files so that files will not be reinfected:
oompa

It then sets the following infection marker value:
loompa

The worm also creates the following files:
/tmp/latestpics
/tmp/latestpics.tgz
/tmp/hook
/tmp/apphook
/tmp/pic.gz

Next, the worm deletes all files from the following folder:
~/Library/InputManagers

The worm then copies the /tmp/apphook file to the following folder, so that it runs every time an application starts:
~/Library/InputManagers

Next, the worm uses Spotlight to find four applications used this month that do not require root permissions.

It then checks each of these files for the extended attribute oompa. If the attribute is absent, it infects the selected file.

The worm then infects the selected files by copying the contents of the data fork to the resource fork of the selected file, and then copying itself to the data fork of the selected file.

The worm monitors all launched applications. Every time the iChat application is launched, the worm sends the file latestpics.tgz to all the iChat contacts.
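The indicators above (the dropped /tmp files, the copied InputManagers hook and the oompa infection marker) can be checked from a host with a short script. The following is an added example written for this writeup, not Symantec's or any vendor's tool; it assumes the copied hook keeps the name apphook inside ~/Library/InputManagers, and it normalises the Linux "user." xattr prefix so the marker check also works when scanning files copied to a Linux analysis box. The os calls are injectable so the logic can be exercised without an infected machine.

```python
import os
import sys
from pathlib import Path

# Indicators as given in the writeup above.
LEAP_MARKER = "oompa"  # extended-attribute name the worm checks before infecting
LEAP_TEMP_FILES = [
    "/tmp/latestpics", "/tmp/latestpics.tgz", "/tmp/hook", "/tmp/apphook", "/tmp/pic.gz",
]
INPUT_MANAGERS = Path.home() / "Library" / "InputManagers"
# Assumption: the copied hook keeps its file name "apphook" inside InputManagers.
HOOK_NAME = "apphook"
_LISTXATTR = getattr(os, "listxattr", lambda path: [])  # Windows has no xattrs


def _normalise(names):
    """Linux exposes user xattrs as 'user.<name>'; macOS uses the bare name."""
    return {n[len("user."):] if n.startswith("user.") else n for n in names}


def has_leap_marker(path, listxattr=_LISTXATTR):
    """True if the file carries the 'oompa' infection marker."""
    try:
        names = listxattr(path)
    except OSError:  # unreadable path or xattrs unsupported: treat as unmarked
        return False
    return LEAP_MARKER in _normalise(names)


def scan_for_leap(app_binaries, exists=os.path.exists, listdir=os.listdir,
                  listxattr=_LISTXATTR, input_managers=INPUT_MANAGERS):
    """Return (kind, path) findings for dropped files, the InputManagers hook
    and application binaries that carry the infection marker."""
    findings = []
    for dropped in LEAP_TEMP_FILES:
        if exists(dropped):
            findings.append(("dropped_file", dropped))
    try:
        entries = listdir(str(input_managers))
    except OSError:  # folder missing: nothing was copied there
        entries = []
    if HOOK_NAME in entries:
        findings.append(("input_manager_hook", str(input_managers / HOOK_NAME)))
    for app in app_binaries:
        if has_leap_marker(app, listxattr):
            findings.append(("infected_marker", app))
    return findings


if __name__ == "__main__":
    # Usage: python leap_check.py /Applications/Foo.app/Contents/MacOS/Foo ...
    for kind, path in scan_for_leap(sys.argv[1:]):
        print(f"{kind}: {path}")
```

Pass the application binaries you want inspected (for example the recently used applications Spotlight would return) as arguments; a clean host prints nothing.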
Writeup By: Costin Ionescu