OSX_LEAP.A

Malware type: Worm

Aliases: OSX.Leap.A(Symantec), OSX/Leap-A(Sophos), IM-Worm.OSX.Leap.a(Kaspersky), Worm/OSX.Leap.A(Avira), MacOS/Leap.A (exact)(F-Prot), OSX/Leap!hook(McAfee)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Macintosh OSX 10.4

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 High

Distribution potential:

 Medium

Infection Channel 1 : Propagates via instant messaging applications

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

OSX_LEAP.A Behavior Diagram

Malware Overview

This is Trend Micro's detection for a worm that affects Macintosh computers running on Mac OSX 10.4.

This worm spreads via an instant messaging application, Apple iChat, and arrives using the file name LATESTPICS.TGZ. The said file, however, does not run automatically but has to be double-clicked so that it is uncompressed. When uncompressed, it drops its main executable component named LATESTPICS, as well as a hidden resource file named _LATESTPICS, which uses the JPEG icon as a stealth mechanism. LATESTPICS must again be double-clicked for this worm to be able to execute its routines.

Users are therefore advised to refrain from running or clicking on unknown files from instant messengers, especially if it comes from a questionable source.

In order to perform its propagation routine, this worm first attempts to install itself as an application hook named Input Manager. It does the said action by deleting any existing APPHOOK folders. It then replaces the said folders with its own APPHOOK folder containing certain files.

For additional information about this threat, see:

Description created: Feb. 16, 2006 7:39:36 PM GMT -0800

TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 39,596 Bytes

Initial samples received on: Feb 16, 2006

Payload 1: Overwrites existing APPHOOK folders

Details:

This is Trend Micro's detection for a worm that affects Macintosh computers running on Mac OSX 10.4.

This worm spreads via an instant messaging application, Apple iChat, and arrives using the file name LATESTPICS.TGZ. The said file, however, does not run automatically but has to be double-clicked so that it is uncompressed. When uncompressed, it drops its main executable component named LATESTPICS, as well as a hidden resource file named _LATESTPICS, which uses the JPEG icon as a stealth mechanism. LATESTPICS must again be double-clicked for this worm to be able to execute its routines.

Users are therefore advised to refrain from running or clicking on unknown files from instant messengers, especially if it comes from a questionable source.

This worm copies the files LATESTPICS and _LATESTPICS into the system's /tmp folder and compresses the said files under the file name LATESTPICS.TGZ.

It also drops the following files in the said /tmp folder:

  • LATESTPICS.TAR
  • LATESTPICS.TAR.GZ
  • PIC
  • PIC.GZ

In order to perform its propagation routine, this worm first attempts to install itself as an application hook named Input Manager. It does the said action by deleting any existing APPHOOK folders in LIBRARY/INPUTMANAGERS (if run with root permissions) or ~/LIBRARY/INPUTMANAGERS (if run without root permisions). It then replaces the said folders with its own APPHOOK folder containing the following files:

  • Info
  • APPHOOK.BUNDLE

The file APPHOOK.BUNDLE contains the routine that attempts to send the file LATESTPICS.TGZ to contacts in the affected user�s Apple iChat application.

Analysis By: Michael de Leon Lactaotao

Updated By: Paul Albert Ramos Arana

Revision History:

First pattern file version: 3.219.00
First pattern file release date: Feb 18, 2006
 
Feb 21, 2006 - Modified Virus Report

SOLUTION


Minimum scan engine version needed: 7.000

Pattern file needed: 3.219.00

Pattern release date: Feb 18, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Deleting Malware Files

To remove this malware from affected systems, delete its malicious dropped files:

  1. On Mac OSX task bar, click Finder.
  2. In the search input box, type the following then press Enter:
    latestpics
  3. If the file exists, hold the Ctrl key while clicking on the aforementioned file.
  4. In the drop down box, choose Move to Trash.
  5. Repeat steps 2 to 4 to delete the following file:
    latestpics.tgz
  6. Hold the Ctrl key and click on the Trash icon in the task bar.
  7. Select Empty Trash to completely remove the malware files from the system.

Deleting Hidden Malware Files

To delete hidden files dropped by this malware, you need to use the Terminal application.

  1. Open the Terminal application using the Finder, navigate through the following location:
    Applications>Utilities>Terminal
  2. In the Terminal application, type the following then press Enter:
    cd /Library/inputmanagers/apphook
    (Note: The aforementioned path is case sensitive and may vary from system to system.)
  3. Delete the files info and Apphook.Bundle if they exist by using the rm (remove) command. Type the following commands:
    • rm info
    • rm Apphook.Bundle
    (Note: Notice that the rm command is composed of the string rm followed by the malware file name.)
  4. Navigate to the following folder:
    ~/tmp
  5. Delete the following files if they exist using the same procedure as discussed in step 3:
    • Latestpics.tar
    • Latestpics.tar.gz
    • Pic
    • Pic.gz
  6. Close the Terminal application.



Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.