Visible Symptoms
- Presence of the file "latestpics.gz" or similar, in the /tmp folder
Detailed Analysis
This virus is a proof of concept coded for OS X systems. It has two
main spreading vectors:
- iChat file attachment receipt from an infected user
- as a companion virus on an already infected system
The virus author intended this threat to function as a companion virus: the
virus code loads first and then launches the "tagged" binaries it has
infected. Due to bugs in the code, the infected application never actually
runs.
iChat Propagation
This threat could arrive via an infected iChat "buddy list" contact.
The file may be received as "latestpics.tgz" or similar. If the recipient
attempts to open the archive file, the resulting file could resemble a picture
file. On an uninfected system where the user is not running as the Administrator,
attempts to run the virus are slowed by the system prompting for the Admin
password. This happens because the virus runs as an executable rather than as
a (data) picture file.
The virus copies itself to the /tmp folder for storage, and iterates iChat
contacts, then attempts to send itself to contacts that are logged on.
Companion Virus Propagation
This virus intends to infect binaries and pass execution on to the infected
(original) binary after first running the virus code. Due to an algorithmic bug
in the virus code, the original application's code is never executed.
Miscellaneous
The virus sets an extended attribute (metadata) value for infected binaries
to "loompa", very likely a reference to the children's classic "Willy
Wonka".
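A host check for the two indicators this description gives, the dropped latestpics archive in /tmp and the "loompa" extended attribute on binaries, added here as an example and not part of the original write-up. It assumes the attribute value is stored literally as described; since the attribute name is not given, it matches on the value, and on macOS it assumes the xattr(1) tool is available.

```python
"""Scan for the two indicators above: latestpics.* dropped in /tmp and
executables carrying an extended attribute whose value is "loompa"."""
import fnmatch
import os
import subprocess
import sys

TAG_VALUE = "loompa"          # value the description says is stored on infected binaries
DROP_PATTERN = "latestpics.*"  # covers latestpics.tgz / latestpics.gz named above


def read_xattrs(path):
    """Return {name: value} for a file's extended attributes.
    Linux: os.listxattr/os.getxattr; macOS: xattr -l (assumption: tool present)."""
    attrs = {}
    if sys.platform == "darwin":
        out = subprocess.run(["xattr", "-l", path], capture_output=True, text=True)
        for line in out.stdout.splitlines():
            name, _, value = line.partition(": ")
            attrs[name] = value
    elif hasattr(os, "listxattr"):
        for name in os.listxattr(path, follow_symlinks=False):
            raw = os.getxattr(path, name, follow_symlinks=False)
            attrs[name] = raw.decode("utf-8", "replace")
    return attrs


def is_tagged(attrs):
    """True if any attribute value equals the tag (attribute name is not given on the page)."""
    return any(v.strip() == TAG_VALUE for v in attrs.values())


def find_dropped_archives(names):
    """Entries from a /tmp listing that match the dropped-archive name pattern."""
    return sorted(n for n in names if fnmatch.fnmatch(n, DROP_PATTERN))


def find_tagged_binaries(paths, xattr_reader=read_xattrs):
    """Paths whose xattrs carry the tag; xattr_reader is injectable so the logic can be tested."""
    return [p for p in paths if is_tagged(xattr_reader(p))]


def scan(root, tmp_dir="/tmp", xattr_reader=read_xattrs):
    """Walk root for executable files and check them, plus list tmp_dir for the archive."""
    candidates = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    candidates = [p for p in candidates if os.path.isfile(p) and os.access(p, os.X_OK)]
    return {"dropped": find_dropped_archives(os.listdir(tmp_dir)) if os.path.isdir(tmp_dir) else [],
            "tagged": find_tagged_binaries(candidates, xattr_reader)}


if __name__ == "__main__":
    print(scan(sys.argv[1] if len(sys.argv) > 1 else "/Applications"))
```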