Details:
This is Trend Micro's detection for a worm that affects Macintosh computers running Mac OS X 10.4.
This worm spreads via an instant messaging application, Apple iChat, and arrives using the file name LATESTPICS.TGZ. The said file, however, does not run automatically but has to be double-clicked so that it is uncompressed. When uncompressed, it drops its main executable component named LATESTPICS, as well as a hidden resource file named _LATESTPICS, which uses the JPEG icon as a stealth mechanism. LATESTPICS must again be double-clicked for this worm to be able to execute its routines.
Users are therefore advised to refrain from running or clicking on unknown files received from instant messengers, especially if they come from a questionable source.
This worm copies the files LATESTPICS and _LATESTPICS into the system's /tmp folder and compresses the said files under the file name LATESTPICS.TGZ.
It also drops the following files in the said /tmp folder:
- LATESTPICS.TAR
- LATESTPICS.TAR.GZ
- PIC
- PIC.GZ
In order to perform its propagation routine, this worm first attempts to install itself as an application hook named Input Manager. It does the said action by deleting any existing APPHOOK folders in LIBRARY/INPUTMANAGERS (if run with root permissions) or ~/LIBRARY/INPUTMANAGERS (if run without root permissions). It then replaces the said folders with its own APPHOOK folder containing the following files:
The file APPHOOK.BUNDLE contains the routine that attempts to send the file LATESTPICS.TGZ to contacts in the affected user's Apple iChat application.
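A defender-side host check for the artifacts described above, added here as an example and not Trend Micro's code: it looks for the dropped /tmp files and the APPHOOK Input Manager folder in both library locations. The root and home prefixes are hypothetical parameters so the check can run against a mounted disk image or a test tree; name matching is case-insensitive because the advisory lists names in upper case while on-disk names may differ.

```shell
#!/bin/sh
# Hypothetical check for the indicators listed in the advisory (example code, not Trend Micro's).
# Arguments: root prefix (default "/") and home prefix (default "$HOME"), so a mounted image
# or a test tree can be scanned instead of the live system.
# Prints each indicator found; returns 0 when none are present, 1 otherwise.
check_leap_indicators() {
    root="${1:-/}"
    home="${2:-$HOME}"
    root="${root%/}"   # strip trailing slash so "/" becomes "" and paths stay clean
    home="${home%/}"
    found=0

    # Dropped files in /tmp named in the advisory
    for name in LATESTPICS _LATESTPICS LATESTPICS.TGZ LATESTPICS.TAR LATESTPICS.TAR.GZ PIC PIC.GZ; do
        hit=$(find "$root/tmp" -maxdepth 1 -iname "$name" 2>/dev/null || true)
        if [ -n "$hit" ]; then
            echo "indicator: $hit"
            found=1
        fi
    done

    # The APPHOOK Input Manager folder: system-wide (needs root) and per-user
    for dir in "$root/Library/InputManagers" "$home/Library/InputManagers"; do
        hit=$(find "$dir" -maxdepth 1 -iname apphook 2>/dev/null || true)
        if [ -n "$hit" ]; then
            echo "indicator: $hit (Input Manager hook)"
            found=1
        fi
    done

    return $found
}
```

Run as `check_leap_indicators` with no arguments to scan the live system; a non-zero exit status means at least one indicator was found.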
Analysis By: Michael de Leon Lactaotao
Updated By: Paul Albert Ramos Arana
Revision History: