- February 16, 2006
- January 27, 2017 11:35:49 AM
Also Known As:
- OSX/Leap-A [Sophos], OSX/Leap [McAfee],
OSX.Leap.A is a worm that targets installations of Macintosh OS X and spreads via the iChat instant messenger program. It infects files on Macintosh OS X version 10.4.
The worm may arrive on the compromised computer as an attachment to an iChat Instant Message using the following file name:
This is an archive file that displays a JPG icon in an attempt to disguise itself as a harmless image file.
Once executed, the worm creates the following infection marker in the resource forks of infected files so that files will not be reinfected:
It then sets the following infection marker value:
The worm also creates the following files:
Next, the worm deletes all files from the following folder:
The worm then copies the /tmp/apphook file to the following folder, so that it runs every time an application starts:
Next, the worm uses Spotlight to search for four applications that were recently used this month and that do not require root permissions.
It then searches these files for the extended attribute oompa. If it does not find this attribute, it will infect the selected files.
The worm then infects the selected files by copying the contents of the data fork to the resource fork of the selected file, and then copying itself to the data fork of the selected file.
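The marker check and fork swap described above give a defender two things to look for on disk. The following scanner is an added example, not part of the original writeup: it flags files that carry the oompa extended attribute or whose resource fork begins with an executable header. The function names, verdict labels, and the assumption that a displaced application binary starts with a Mach-O magic number are illustrative.

```python
import os
import subprocess
import sys

MARKER = "oompa"  # extended attribute name given in the writeup
# Assumption: an application's original data fork is a Mach-O or fat binary.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def macos_xattrs(path):
    """Attribute names from the macOS `xattr` tool (one name per line)."""
    out = subprocess.run(["xattr", path], capture_output=True, text=True)
    return out.stdout.splitlines() if out.returncode == 0 else []

def macos_rsrc_head(path, n=4):
    """First bytes of the resource fork, read through ..namedfork/rsrc."""
    try:
        with open(os.path.join(path, "..namedfork", "rsrc"), "rb") as fh:
            return fh.read(n)
    except OSError:
        return b""

def classify(attrs, rsrc_head):
    """Combine the two indicators into one verdict string."""
    marked = MARKER in attrs
    moved = rsrc_head[:4] in MACHO_MAGICS  # executable now lives in the fork
    if marked and moved:
        return "infected"
    if marked:
        return "marker-only"
    if moved:
        return "executable-in-resource-fork"
    return "clean"

def scan(root, xattrs=macos_xattrs, rsrc_head=macos_rsrc_head):
    """Walk root and return {path: verdict} for every non-clean file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = classify(xattrs(path), rsrc_head(path))
            if verdict != "clean":
                findings[path] = verdict
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for path, verdict in sorted(scan(target).items()):
        print(f"{verdict}\t{path}")
```

The two helper arguments to scan() can be swapped for readers that work on a mounted disk image when the check is run from a non-macOS analysis host.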
The worm monitors all launched applications. Every time the iChat application is launched, the worm sends the file latestpics.tgz to all the iChat contacts.
Writeup By: Costin Ionescu