

a virus in the wild

It's finally come to pass: a Mac virus has made it out into the wild. The folks over at MacRumors got pwned. Someone posted a message to their forums that claimed to have screenshots of Leopard, and some number of folks fell all over themselves to download and open the file.

If someone downloads and tries to run the file, it opens a Terminal.app window and tries to do its business. The user has to enter their administrator password for the virus (well, it's more correct to call it a Trojan horse) to do anything. If they do, it takes screenshots of the user's computer and attempts to use Fire.app to send them to someone (one presumes the author). Additionally, it tries to replicate itself to all of the computers on your Bonjour network. There are some other reports, including that it tries to insert a code stub into all executables. It's not yet fully clear what all is going on; I'm sure that there will be more information as time passes. There is a disassembly of the executable, but it's incomplete.

I have to admit that I have a difficult time feeling much sympathy for people who download some random thing off of a forum and get fried. This is doubly true when the poster from the forum has never posted anything before this. It's just asking for trouble. You should always be careful when downloading, regardless of what platform you're on. No platform is immune, and there's always going to be some wanker out there who's going to want to do something like this.

(Of course, I need to have a piece of humble pie myself, since I just told someone a couple of days ago that there are no Mac viruses.)
