Checking Your Mac for the Flashback Trojan


Macs aren’t supposed to get viruses, right? That’s strictly a Windows (or other operating system) thing, right? Well, news over the past week of the Java-borne Flashback virus has gotten some Mac users (read: me) thinking otherwise. Reportedly, more than 600,000 Macs may be infected with the virus.


Did you get your Apple system update yet? Did you get it before the infection occurred? If you answered either of those questions in the negative, you might want to check to see if you have the virus in your system and get your system update as soon as possible. The Apple update is detailed here.


You might be wondering how to check to see if you have the virus, and how you would eradicate it if you did. Yesterday, a link to F-Secure circulated around the Web with instructions on how to determine if you have the virus and how to get rid of it if you do. In a “nutshell”, F-Secure recommends the following steps:


Manual Removal Instructions

1. Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:

“The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”

4. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%

5. Take note of the value after “__ldpath__”
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

“The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”

10. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

11. Take note of the value after “__ldpath__”
12. Run the following commands in Terminal:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

13. Finally, delete the files obtained in steps 9 and 11.
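The detection half of those steps (3, 4, 9 and 10) collected into one read-only script. This is an added example, not F-Secure’s instructions and not the AppleScripts mentioned below; it only reports what it finds and deletes nothing. The library path in the comments is a constructed placeholder, and the script name flashback-check.sh is an assumption.

```shell
# Read-only pass over the two places the manual steps above inspect; it
# reports and deletes nothing (added example, not the post's AppleScripts).
# Steps 4/10: pull the path that follows "__ldpath__" out of a library file.
# LC_ALL=C keeps the printable-ASCII range [ -~] locale-independent.
extract_ldpath() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^__ldpath__//'
}
# Steps 3/9: the "does not exist" error from `defaults read` means clean.
is_clean_output() {
    case "$1" in
        *"does not exist"*) return 0 ;;
        *) return 1 ;;
    esac
}
# Pull the library path out of `defaults read` output: either a bare string
# (~/.MacOSX/environment) or the dict printed for LSEnvironment, e.g.
# { DYLD_INSERT_LIBRARIES = "/tmp/example-inserted.dylib"; }  (constructed)
dyld_path_from_output() {
    case "$1" in
        *DYLD_INSERT_LIBRARIES*=*)
            printf '%s' "$1" | tr -d '\n' \
                | sed 's/.*DYLD_INSERT_LIBRARIES *= *"\{0,1\}\([^";]*\).*/\1/' ;;
        *) printf '%s\n' "$1" | head -n 1 ;;
    esac
}
# Query one domain/key pair (macOS only); returns 1 when the key is present.
check_location() {
    out=$(defaults read "$1" "$2" 2>&1)
    if is_clean_output "$out"; then
        echo "clean:      $1 $2 does not exist"; return 0
    fi
    lib=$(dyld_path_from_output "$out")
    echo "SUSPICIOUS: $1 $2 -> $lib"
    [ -r "$lib" ] && echo "            __ldpath__ target: $(extract_ldpath "$lib")"
    return 1
}
main() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults(1) not found: run on macOS"; return 2; }
    rc=0
    check_location /Applications/Safari.app/Contents/Info LSEnvironment || rc=1
    check_location "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || rc=1
    return $rc
}
# Run only when invoked as: sh flashback-check.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

A non-zero exit means one of the two keys exists, which is the same signal the manual steps have you look for by eye.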


I know what you’re thinking – no way, Jose, am I going to play around with command line voodoo. Even F-Secure cautions that this “operation” is not for the faint of heart. If you are one of those daredevil do-it-yourselfers, I recommend you hit the F-Secure link above, read all of the qualifications and extra information, and proceed with extreme caution if you choose this option.


If you are more like me, looking for the quick and easy route, then check out this link to a couple of zipped files that can do the heavy lifting for you. These AppleScripts, hosted by CloudApp, basically do the work of the multi-step F-Secure detection process once you download and unzip them. There are two because there are two areas of your hard drive that are targeted by the virus. Click the link above, download and unzip the archive, then open each of the two files (trojan-check and trojan-check-2) separately. What you are looking for is the following image:


The key words are “does not exist.” If anything other than “does not exist” shows up, then head to F-Secure at the link above and either bite the bullet yourself and go through the manual removal process, get your IT-savvy friend to help, or head to the Apple Store for the professional touch.


I hope your day is filled with the words “do not exist.”
