April 5, 2012

Apple Macs Infected by Flashback Trojan Bot

A peer of mine just notified me that Apple computers are possibly infected with a trojan virus. You can read about it on Ars Technica for the details. But more importantly, here's how you check your Mac to see if you are infected. Luckily I'm not.

The first step is to open your Applications icon. And then click Utilities at the bottom of the list. See in the next column Terminal? You need to click and open that. See image below.

When you open Terminal you're going to see a window that looks like what computers looked like back in 1984. There were no fancy graphics back then. It was just text on the screen and talk about intimidating! You had to enter in text commands to get the machine to do something. No mouses!

At the bottom of this post is an image of what the Terminal window should look like on your Mac. See it below the image of the Applications window screen shot?

Now, follow these exact instructions:

Copy and paste the below line into the Terminal window behind the cursor block, then press the "Enter" key:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Hopefully, it will output the following line:

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

If you do not get those exact output lines, you probably have an infection. Go here for some help. Let's hope you're clean like I was.

Here are the screen shots of what I'm talking about:

Here's what you should see when you click the Terminal application:

Posted by Tim Carter at April 5, 2012 2:43 PM

Comments
Paste it where?
Posted by: Marty at April 5, 2012 4:45 PM

Tim, thanks for the warning, however, I need to raise a little concern. Instead of clicking on any of the links, I did as I always do, did a Google search for Ask Tim the Builder blog (in this case), then looked for the alert. Thanks again for posting the alert.
Posted by: Tom Anderson at April 5, 2012 5:07 PM

Thanks for the heads up! Good thing I'm clean.
Posted by: Rick Jimenez at April 5, 2012 5:25 PM

Lo & Behold: just as I read this Apple is (finally) pushing out a Java update which fixes the hole the trojan uses to get in. Thanks for the heads up
Posted by: JetSet at April 5, 2012 6:01 PM

Tim: Please remember a lot of people don't know computers like you do. Think about this relative to somebody not as up to speed like you are. "Copy and paste the below line, then press the "enter" key:" Where does one paste this after they have copied it? I'm guessing in the Terminal window....not sure.
Posted by: Loren at April 5, 2012 6:06 PM

Thanks Tim, not infected! I checked my Apple out and everything is OK. Thanks for the heads up. I appreciate this kind of information just as much as the other information that you provide. Thank you.
Posted by: Gil at April 5, 2012 11:29 PM

I have been an Apple/Mac user since the Performa 600CD and on the monitor face upper left was a > then an underline _ SO, NOW what the hell am I supposed to do ????????
Posted by: Jim Lynde at April 6, 2012 12:01 AM

I also checked out my Apple and I am clean. To echo a previous comment, "I appreciate this kind of information just as much as the other information that you provide. Thank you." Keep up the good work.
Posted by: Rush at April 6, 2012 10:24 AM

Jim, you had to double-click to open the terminal. You only clicked it once. Me, I got the message "-bash: efaults: command not found". As this is not exactly what Tim wrote: "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"... I have a virus? I hope not.
Posted by: Barry Stewart at April 6, 2012 11:40 AM

I copied and pasted both lines into the Terminal window and in both cases nothing was outputted. What do I do next? Does this mean my computer is infected? I clicked on "Go here" for help and it sounds like I should not attempt to do a manual removal. If I need it, where do I get professional technical assistance?
Posted by: roy viskupic at April 6, 2012 4:26 PM

I put the first line in and it gave me exactly what you said it should. When I put the second line in it gave me /Users/(my name)/,etc. instead of /Users/joe/. Am I OK or in trouble??
Posted by: mark at April 7, 2012 11:25 AM

Thanks for the info. The directions couldn't have been easier. This is the text I got. The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist. Does that mean I'm infected?
Posted by: Charles at April 8, 2012 11:15 PM

I was researching this and found an easier way to check it out. Thanks for alerting us to this. It was forwarded to me by a friend. https://github.com/jils/FlashbackChecker/wiki
Posted by: Michael at April 10, 2012 11:50 AM
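The check described in the post, as an added shell example that is not part of the original post or its comments: it interprets what each `defaults read` command printed, so that a mangled paste, empty output, or a home folder other than /Users/joe is not misread as an infection. The function names and the clean/retry/suspect labels are hypothetical, the sample strings in any test are constructed, and the second command is an assumption inferred from the output line the post quotes.

```shell
#!/bin/sh
# Added example: interpret the output of the post's `defaults read` checks.
# Verdicts: clean (expected "does not exist" message), retry (command did
# not actually run), suspect (anything else, e.g. a value was returned).

# $1 = domain path suffix, $2 = key, $3 = text the command printed
classify_defaults_output() {
    suffix=$1; key=$2; output=$3
    case $output in
        "" | *"command not found"*)
            # Nothing captured, or a mangled paste such as "efaults".
            # Treating empty output as inconclusive is this example's choice.
            echo retry ;;
        *"The domain/default pair of ("*"$suffix, $key) does not exist"*)
            # The middle * lets /Users/<anyone>/ stand in for /Users/joe/.
            echo clean ;;
        *)
            echo suspect ;;
    esac
}

# Worst result wins: suspect > retry > clean.
combine_verdicts() {
    case "$1 $2" in
        *suspect*) echo suspect ;;
        *retry*)   echo retry ;;
        *)         echo clean ;;
    esac
}

# Runs both checks on a Mac. The second command is an assumption inferred
# from the output line quoted in the post; it is not shown on the page.
flashback_check() {
    command -v defaults >/dev/null 2>&1 || { echo retry; return 0; }
    out1=$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>&1) || true
    out2=$(defaults read "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES 2>&1) || true
    r1=$(classify_defaults_output /Applications/Safari.app/Contents/Info LSEnvironment "$out1")
    r2=$(classify_defaults_output /.MacOSX/environment DYLD_INSERT_LIBRARIES "$out2")
    combine_verdicts "$r1" "$r2"
}

# Usage on a Mac: sh flashback_check.sh run
if [ "${1:-}" = "run" ]; then flashback_check; fi
```

A "suspect" verdict only means the output differs from the expected message, which is the post's own criterion for seeking help.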