(Backdoor.OSX.iWorm.a, Mac.Iservice, OSX.Iservice, Backdoor:MACOS_X/Iservice, OSX_KROWI.A)
Presence of:
* file "/usr/bin/iWorkServices"
* process iWorkServices
Please let BitDefender disinfect your files.
Daniel RADU, Senior Virus Researcher
This malware comes bundled with a modified version of the iWork installer available on illegal torrent sites and is installed at the same time as the original software. Because the installer needs the administrator password, the malware also runs as an administrator.
Once launched it will:
* check whether it is running with administrator rights and exit if not;
* copy itself to the "/usr/bin" directory under the name "iWorkServices";
* add itself to system startup so that it runs each time the computer starts;
* try to connect to two p2p servers in order to download additional malware components:
- xxx.xxx.177.146 (port 59201)
- xxxxxxxx.freehostia.com (port 1024).
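
The two symptoms listed above (the dropped file and the running process) can be checked from a shell. This is an added example, not BitDefender's tooling; the function names, the optional root prefix (for a mounted disk image) and the saved process listing argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks for the two indicators this page lists.
IOC_PATH="/usr/bin/iWorkServices"   # from the page
IOC_PROC="iWorkServices"            # from the page

# check_file ROOT: succeeds if the dropped binary exists under ROOT.
# ROOT is an assumption of this example: "" for the live system, or the
# mount point of a disk image being triaged.
check_file() {
    [ -e "${1%/}$IOC_PATH" ]
}

# check_proc [PS_LISTING]: succeeds if a process named exactly iWorkServices
# is present. PS_LISTING (assumption) is a saved `ps -A -o comm=` output from
# the suspect host; without it the live process table is read.
check_proc() {
    if [ -n "$1" ]; then cat "$1"; else ps -A -o comm=; fi |
    awk -v name="$IOC_PROC" '
        # macOS prints the full executable path, so compare the basename only;
        # this avoids matching names that merely contain the string.
        { p = $0; sub(/[ \t]+$/, "", p); sub(/^.*\//, "", p)
          if (p == name) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# scan ROOT [PS_LISTING]: reports each indicator found; returns the hit count
# (0 = neither indicator present).
scan() {
    hits=0
    if check_file "$1"; then
        echo "FOUND file: ${1%/}$IOC_PATH"
        ls -l "${1%/}$IOC_PATH"    # owner, mode and mtime for the record
        hits=$((hits + 1))
    fi
    if check_proc "$2"; then
        echo "FOUND process: $IOC_PROC"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ] && echo "no iWorkServices indicators found"
    return "$hits"
}
```

On a live Mac, call `scan ""`; a non-zero return value means at least one of the indicators is present.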