
Trojan.AppleScript.THT.A

VERY LOW
VERY LOW
approx. 57 KB
(Backdoor.Mac.Hovdy.b, Exploit.OSX, MacOSX/Hovdy.A, OSX/Hovdy trojan)

Symptoms

Indicators of infection:
- presence of a file "~/Public/.howdy"
- disabled Software Update
- disabled firewall

Removal instructions:

  Please let BitDefender disinfect your files.

Analyzed By

Daniel RADU, Senior Virus Researcher

Technical Description:

This malware comes in the form of a malicious AppleScript which can reach a system either by social engineering (where the attacker tricks the user into running it) or by means of an exploit.

Once executed it takes the following actions:
- tries to copy itself into "/Library/Caches"
- modifies SystemLoginItems.plist so that it is run at startup
- disables System Accounting
- disables logging
- changes syslog.conf to disable logging
- deletes the "utmp" and "wtmp" logs to hide its presence
- stops the OS X firewall and disables it from running at startup
- disables Norton Antivirus Update
- disables Software Update
- installs and activates logKext (a keylogger)
- enables the web server (Apache)
- installs phpshell
- gets the Open Firmware password
- gets the password hashes for all user accounts
- tries to brute-force the passwords of the user accounts
- kills Little Snitch (firewall software)
- enables SSH
- enables ARD and VNC
- saves the local and public IP addresses
- tries to send an e-mail to the malware writer with the following information:
  * username
  * password
  * IP address
  * user account hashes
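A host check for the indicators of infection this entry lists, written as an added example (it is not BitDefender's code). It assumes the dropper path "~/Public/.howdy" stated above; the firewall and Software Update checks rely on the macOS tools socketfilterfw and softwareupdate and are skipped where those are absent, so the file check can be tested on any POSIX system.

```shell
#!/bin/sh
# Added example, not BitDefender's code: looks for the indicators of
# infection listed in this entry. Assumed paths: "~/Public/.howdy" as stated
# above; socketfilterfw and softwareupdate are macOS tools and are consulted
# only when present. Findings go to stderr so counts stay clean on stdout.

# 0 = dropper absent, 1 = present. $1 overrides the home directory to check.
check_howdy_file() {
    home="${1:-$HOME}"
    if [ -e "$home/Public/.howdy" ]; then
        echo "INDICATOR: $home/Public/.howdy is present" >&2
        return 1
    fi
    return 0
}

# 0 = application firewall on, 1 = off (indicator), 2 = cannot tell here.
check_firewall() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    [ -x "$fw" ] || return 2
    if "$fw" --getglobalstate 2>/dev/null | grep -qi "enabled"; then
        return 0
    fi
    echo "INDICATOR: application firewall is disabled" >&2
    return 1
}

# 0 = automatic update checks on, 1 = off (indicator), 2 = cannot tell here.
check_software_update() {
    command -v softwareupdate >/dev/null 2>&1 || return 2
    if softwareupdate --schedule 2>/dev/null | grep -qi "turned on"; then
        return 0
    fi
    echo "INDICATOR: automatic Software Update checking is off" >&2
    return 1
}

# Prints the number of indicators found; checks that cannot run are skipped.
count_indicators() {
    n=0
    for chk in "check_howdy_file $1" check_firewall check_software_update; do
        rc=0; $chk || rc=$?
        if [ "$rc" -eq 1 ]; then n=$((n + 1)); fi
    done
    echo "$n"
}
```

Run `count_indicators` (optionally with a home directory to inspect); any non-zero count warrants a full scan of the machine.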