Threat Encyclopedia

OSX_INQTANA.A

Malware type: Worm

Aliases: OSX.Inqtana.A (Symantec), OSX/Inqtana-A (Sophos), Worm.OSX.Inqtana.a (Kaspersky), MACOS/Inqtana.A (Avira), Java/Inqtana.gen (exact) (F-Prot), OSX/Inqtana.a (McAfee)

In the wild: No

Destructive: No

Language: English

Platform: Macintosh OSX 10.4

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: Low

Distribution potential: Medium

Infection Channel 1: Propagates via Bluetooth


Description: 

To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.

OSX_INQTANA.A Behavior Diagram

Malware Overview

This is Trend Micro's detection for a proof-of-concept Java-based worm that affects Macintosh systems running on Mac OSX 10.4.

It takes advantage of a directory traversal vulnerability found in the Bluetooth file and object exchange services on Mac OS X 10.3.9, which could allow remote attackers to read arbitrary files. More information about the said vulnerability can be found on the following Web page:

Upon execution, this Java-based worm searches for any available Bluetooth device. Once a target device has been found, it sends a data transfer request. If a user accepts the data transfer, this worm exploits the mentioned vulnerability to drop certain files into the /Users folder.

Users are advised to refrain from running or clicking on unknown files, especially if they come from an untrusted or unexpected source.

For additional information about this threat, see:

Description created: Feb. 17, 2006 3:06:24 PM GMT -0800


TECHNICAL DETAILS


File type: Java

Size of malware: 4,228 Bytes (uncompressed .CLASS); 186,222 Bytes (compressed .TAR-GZIP)

Initial samples received on: Feb 17, 2006

Compression type: GZIP

Details:

This is Trend Micro's detection for a proof-of-concept Java-based Mac OSX worm that takes advantage of a directory traversal vulnerability found in the Bluetooth file and object exchange services on Mac OS X 10.3.9, which could allow remote attackers to read arbitrary files.

More information about the said vulnerability can be found on the following Web page:

Upon execution, this Java-based worm, which uses the file name INQTEST.CLASS, searches for any available Bluetooth device. Once a target device has been found, it sends a data transfer request. If a user accepts the data transfer, this worm exploits the mentioned vulnerability to drop the following files into the /Users folder:

  • worm-support.tgz - a .TAR-GZIP file that contains this Java-based worm and its components
  • {user name}/Library/LaunchAgents/com.openbundle.plist - a .PLIST file that tells the operating system (OS) to extract the contents of worm-support.tgz to the /Users folder when the system restarts
  • {user name}/Library/LaunchAgents/com.pwned.plist - a .PLIST file that tells the OS to execute this Java-based worm when the system restarts

(Note: {user name} refers to the name of the currently logged-in user.)
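The advisory names the bug class (directory traversal in a file-exchange service) without showing it. The following added example, which is not code from the advisory or from Apple, illustrates it from the defender's side: a naive inbox-path builder that trusts the file name a remote device supplies sits next to a validated one that only ever produces a path inside the inbox. The function names, the inbox directory and the sample file names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Apple: illustrates the
# bug class the advisory names (directory traversal in a file-exchange
# service) with a naive inbox-path builder next to a validated one.
# Function names, the inbox directory and the sample file names are
# constructed for this example.

# Naive form: trusts the file name supplied by the remote device. A name
# containing "../" components escapes the inbox directory, which is how a
# received file can land somewhere like Library/LaunchAgents instead.
obex_inbox_path_unsafe() {
    inbox="$1"; name="$2"
    printf '%s/%s\n' "$inbox" "$name"
}

# obex_safe_name NAME: returns 0 if NAME is a bare file name, 1 otherwise.
# Rejects empty names, "." and "..", anything containing a path separator,
# and characters outside a conservative allow-list (the allow-list is a
# design choice of this example, not a requirement stated by the advisory).
obex_safe_name() {
    case "$1" in
        "" | . | ..)          return 1 ;;
        */*)                  return 1 ;;
        *[!A-Za-z0-9._-]*)    return 1 ;;
    esac
    return 0
}

# Hardened form: builds a path only for a validated name; prints nothing and
# returns 1 for anything else, so the caller can never write outside INBOX.
obex_inbox_path() {
    inbox="$1"; name="$2"
    obex_safe_name "$name" || return 1
    printf '%s/%s\n' "$inbox" "$name"
}

# Stand-alone use:  sh obex_check.sh NAME
# Prints the inbox path for NAME, or rejects it with a non-zero exit status.
# OBEX_INBOX overrides the inbox directory (default: $HOME/Downloads).
if [ $# -gt 0 ]; then
    obex_inbox_path "${OBEX_INBOX:-$HOME/Downloads}" "$1" \
        || { echo "rejected: $1" >&2; exit 1; }
fi
```

The point of the two builders side by side: the unsafe one happily returns `<inbox>/../Library/LaunchAgents/com.pwned.plist` for a crafted name, whereas the validated one refuses any name that is not a single path component. The same containment rule applies to any service that writes received files under a fixed directory.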

Users are advised to refrain from running or clicking on unknown files, especially if they come from an untrusted or unexpected source.

It affects Macintosh systems running on Mac OSX 10.4.

Analysis By: Michael Stephen Tonido

Revision History:

Feb 18, 2006 - Modified Virus Report

SOLUTION


Minimum scan engine version needed: 7.000

Pattern file needed: 3.222.02

Pattern release date: Feb 17, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Removing Added Files

To do this, locate and delete the following files in the /Users folder:

  • {user name}/Library/LaunchAgents/com.openbundle.plist
  • {user name}/Library/LaunchAgents/com.pwned.plist
  • com.openbundle.plist
  • com.pwned.plist
  • InqTest.class
  • InqTest.java
  • w0rm-support.tgz

(Note: {user name} refers to the name of the currently logged-in user.)

You may also delete the file LIBAVETANABT.JNILIB and the following subfolders in the /Users folder:

  • de
  • javax

(Note: These are non-malicious components of this Java-based worm. Leaving the file and subfolders does not cause any harm to the affected system. However, deleting the said files and subfolders may cause other programs to stop working.)
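The dropped-file list in the Technical Details and the manual removal steps above are the same set of paths. The following added script, which is not part of the Trend Micro advisory, looks for those artifacts under the /Users folder and, on request, deletes the ones the advisory says to remove while only reporting the optional components it says may be in use by other programs. The file names and locations are the advisory's; the function names, the report/remove modes and the ability to point at a directory other than /Users are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Trend Micro advisory: finds the artifacts
# the advisory lists under the /Users folder and, on request, deletes the
# ones it says to remove. File names and locations are the advisory's; the
# function names, the report/remove modes and the BASE override are this
# example's own additions.

# Files the worm drops directly into the /Users folder. The advisory spells
# the archive both "worm-support.tgz" and "w0rm-support.tgz", so both are
# checked.
INQTANA_TOP_LEVEL="com.openbundle.plist com.pwned.plist InqTest.class InqTest.java worm-support.tgz w0rm-support.tgz"

# Per-user LaunchAgent plists that re-extract and re-launch the worm at restart.
INQTANA_LAUNCHAGENTS="com.openbundle.plist com.pwned.plist"

# Components the advisory calls non-malicious and optional to delete, listed
# in lowercase (the default HFS+ volume is case-insensitive).
INQTANA_OPTIONAL="libavetanabt.jnilib de javax"

# inqtana_find [BASE]: print one matching path per line.
# Returns 0 if anything was found, 1 otherwise. BASE defaults to /Users.
inqtana_find() {
    base="${1:-/Users}"
    found=1
    for f in $INQTANA_TOP_LEVEL; do
        if [ -e "$base/$f" ]; then
            printf '%s\n' "$base/$f"
            found=0
        fi
    done
    # Every subdirectory of BASE is treated as a user home ({user name}).
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        for f in $INQTANA_LAUNCHAGENTS; do
            if [ -e "${home}Library/LaunchAgents/$f" ]; then
                printf '%s\n' "${home}Library/LaunchAgents/$f"
                found=0
            fi
        done
    done
    return $found
}

# inqtana_find_optional [BASE]: report, never delete, the shared Bluetooth
# library and the "de" and "javax" subfolders that other programs may need.
inqtana_find_optional() {
    base="${1:-/Users}"
    found=1
    for f in $INQTANA_OPTIONAL; do
        if [ -e "$base/$f" ]; then
            printf '%s\n' "$base/$f"
            found=0
        fi
    done
    return $found
}

# inqtana_remove [BASE]: delete everything inqtana_find reports and print
# the number of files removed. The list goes through a temporary file so the
# counter survives the read loop (a pipe would run the loop in a subshell).
inqtana_remove() {
    base="${1:-/Users}"
    list=$(mktemp) || return 2
    inqtana_find "$base" > "$list" || true
    count=0
    while IFS= read -r p; do
        rm -f -- "$p" && count=$((count + 1))
    done < "$list"
    rm -f -- "$list"
    printf '%s\n' "$count"
}

# Stand-alone use:
#   sh inqtana_cleanup.sh report [BASE]   list artifacts (BASE defaults to /Users)
#   sh inqtana_cleanup.sh remove [BASE]   delete them and print the count
case "${1:-}" in
    report) inqtana_find "${2:-/Users}"; inqtana_find_optional "${2:-/Users}" ;;
    remove) inqtana_remove "${2:-/Users}" ;;
    *)      printf 'usage: %s report|remove [base-dir]\n' "$0" ;;
esac
```

Run `report` first and review the list; `remove` deletes only the paths in the advisory's mandatory list and leaves the optional components (and any unrelated LaunchAgent plists) untouched. On a live system the two persistence entries are still registered with launchd until the next restart, so unloading each with `launchctl unload <path to plist>` before deleting it (a step this example adds; the advisory only says to delete the files) keeps launchd from holding a stale reference.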

Running Trend Micro Antivirus

Although this worm primarily targets Macintosh computers, its spread mechanism may allow it to enter Microsoft (MS) Windows computers as well. To rid your MS Windows PC of this worm, please run your Trend Micro antivirus product.

Scan your computer with Trend Micro antivirus and delete files detected as OSX_INQTANA.A. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

