Andrew Welch (El Presidente of Ambrosia Software) has analyzed and disassembled a new Mac OS X Trojan horse:
A file called “latestpics.tgz” was posted on a Mac rumors web site http://www.macrumors.com/, claiming to be pictures of “MacOS X Leopard” (an upcoming version of MacOS X, aka “MacOS X 10.5”). It is actually a Trojan (or arguably, a very non-virulent virus). We’ll call it “Oompa-Loompa” (aka “OSX/Oomp-A”) for reasons that will become obvious.
Coincidentally — or perhaps not? — its vector for propagation is an input manager it installs into /Library/InputManagers/ if you’re foolish enough to be running as the root user, or ~/Library/InputManagers/ otherwise.
★ Thursday, 16 February 2006