OSX_GEONEI.LQ
October 24, 2014
ALIASES:
AdWare.OSX.Geonei.b (Kaspersky)
PLATFORM:
Mac OS
Threat Type: Adware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This adware may be manually installed by a user.
TECHNICAL DETAILS
File Size:
495,439 bytes
File Type:
Other
Memory Resident:
Yes
Initial Samples Received Date:
16 Sep 2014
Arrival Details
This adware may be manually installed by a user.
Installation
This adware drops the following component file(s):
- /private/etc/launchd.conf - detected as OSX_GEONCONF.SM or OSX_GEONCONF.SMA
- /Volumes/Installer/Installer.app
- /Volumes/InstallGenieo
- /Applications/Genieo.app
- /Applications/Uninstall Genieo.app
- /Applications/InstallMac/Reset Search.app
- /users/{user}/Library/Caches/com.genieoinnovation.Installer/Cache.db
- /users/{user}/Library/Preferences/com.genieo.settings.plist
- /users/{user}/Library/Application Support/com.genieoinnovation.Installer/Completer.app
- /Library/LaunchAgents/com.genieo.competer.update.plist
- /Library/LaunchAgents/com.genieo.competer.download.plist
- /private/tmp/tmpinstallmc.dmg
- /private/tmp/GenieoInstall.dmg
Other Details
This adware does the following:
- It loads installation components from the following URLs:
- {BLOCKED}nstaller.appspot.com/appScreen/css/installmac_default.css
- {BLOCKED}nstaller.appspot.com/appScreen/js/utilities.js
- {BLOCKED}nstaller.appspot.com/appScreen/dialog.png
- {BLOCKED}nstaller.appspot.com/appScreen/recomended.png
- {BLOCKED}nstaller.appspot.com/appScreen/installer_logo.png
- {BLOCKED}nstaller.appspot.com/appScreen/progress_bg.png
- {BLOCKED}nstaller.appspot.com/install/first_time?session_id={session ID}&app_id={id}&offer_id={value}&os_version={Mac OS X Version}&install_version={value}&r={value}&disable_dynamic_update={value}&keyboard_lang={available keyboard language}&chosen_lang={default language}
- {BLOCKED}nstaller.appspot.com/monetize?session_id={session id}&emid={value}&os_version={Mac OS X Version}&predefined_app_id={value}&predefined_offer_id={value}&event_show_install={value}&is_set_hp_approved={true|false}&is_set_sp_approved=false&is_install_accepted=true&install_id={value}&event_show_offer1={value}&is_offer1_accepted={true|false}&offer1_id={value}&install_download_start={true|false}&install_download_success={true|false}&install_exe_start={true|false}&install_exe_done_status={value}&download_url={value}&download_browser={value}&active_browser={active browser}&default_browser={default browser}&keyboard_lang={available keyboard language}&chosen_lang={default language}&language={language}
- It reports the following information:
- default browser
- active browser
- keyboard language
- default language
- Mac OS X version
- It connects to the following URLs to report its installation status:
- {BLOCKED}installer.appspot.com/report?session_id={session id}&emid={value}&os_version={Mac OS X Version}&predefined_app_id={value}&predefined_offer_id={value}&event_show_install={value}&is_set_hp_approved={true|false}&is_set_sp_approved={true|false}&is_install_accepted={true|false}&install_id={value}&event_show_offer1={value}&install_download_start={true|false}
NOTES:
It displays the following interface upon installation:
{window1.png}
{window2.png}
{window3.png}
SOLUTION
- Scan using your Trend Micro product and take note of the detected path.
- If the detected files are mounted, EJECT the corresponding volumes:
  - In the Finder's menu bar, click Go > Computer.
  - In the opened window, right click on the volumes where the detection is seen.
  - Select Eject.
- Identify and terminate the grayware process using the path noted in the previous step:
  - Open the Terminal: Applications > Utilities > Terminal, or type 'Terminal' in Spotlight.
  - Type the following in the terminal:
ps -A
  - Look for the detected files and take note of their PIDs. If the detected files are not found to be running, please proceed to the next step.
  - In the same terminal, enter the following command for each grayware PID:
kill {PID}
- Uninstall the application:
  - In the Finder's menu bar, click Go > Applications.
  - Double click the "Uninstall Genieo" application and click OK. {apps.png}
  - The following message is opened in the default browser upon successful uninstallation: {uninstallsuccess.png}
- Delete the grayware directories and files. In the same Terminal, type the following commands:
sudo rm -R "{grayware path and filename}.dmg"
sudo rm -R "/Applications/Genieo.app"
sudo rm -R "/Applications/Uninstall Genieo.app"
sudo rm -R "/Applications/InstallMac/Reset Search.app"
sudo rm -R "/users/{user}/Library/Caches/com.genieoinnovation.Installer"
sudo rm -R "/users/{user}/Library/Preferences/com.genieo.settings.plist"
sudo rm -R "/users/{user}/Library/Application Support/com.genieoinnovation.Installer"
sudo rm -R "/Library/LaunchAgents/com.genieo.competer.update.plist"
sudo rm -R "/Library/LaunchAgents/com.genieo.competer.download.plist"
sudo rm -R "/private/tmp/tmpinstallmc.dmg"
sudo rm -R "/private/tmp/GenieoInstall.dmg"
  If the directories and files are not found, please proceed to the next step.
- Scan your computer with your Trend Micro product to delete files detected as OSX_GEONEI.LQ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.
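The manual steps above can be turned into a repeatable pre-check. The script below is an added example, not part of the Trend Micro entry or a Trend Micro tool: it walks the artifact paths from the Installation section under a root prefix (so it can be dry-run against a scratch directory), counts what is present, and lists Genieo-named processes for review; the function names, the ROOT/user arguments and the 'genieo' process match string are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Trend Micro entry): check a Mac for the on-disk
# artifacts listed above for OSX_GEONEI.LQ. ROOT is prefixed to every path so the
# check can be dry-run against a scratch directory; on a real host pass "/".

# Paths from the Installation section; {user} becomes $1. The /Volumes entries
# are mounted disk images (eject, do not rm), and /private/etc/launchd.conf is a
# legitimate file location on older OS X, so a hit there means "inspect it".
geonei_artifact_paths() {
  cat <<EOF
/private/etc/launchd.conf
/Volumes/Installer/Installer.app
/Volumes/InstallGenieo
/Applications/Genieo.app
/Applications/Uninstall Genieo.app
/Applications/InstallMac/Reset Search.app
/users/$1/Library/Caches/com.genieoinnovation.Installer/Cache.db
/users/$1/Library/Preferences/com.genieo.settings.plist
/users/$1/Library/Application Support/com.genieoinnovation.Installer/Completer.app
/Library/LaunchAgents/com.genieo.competer.update.plist
/Library/LaunchAgents/com.genieo.competer.download.plist
/private/tmp/tmpinstallmc.dmg
/private/tmp/GenieoInstall.dmg
EOF
}

# Print every listed artifact that exists under ROOT ($1) for account $2.
find_geonei_artifacts() {
  root=${1%/}   # drop a trailing slash so "/" and "/tmp/x/" both work
  geonei_artifact_paths "$2" | while IFS= read -r p; do
    [ -e "$root$p" ] && printf '%s\n' "$root$p"
  done
  return 0
}

# How many listed artifacts are present; 0 means a clean result for this list.
count_geonei_artifacts() {
  find_geonei_artifacts "$1" "$2" | wc -l | tr -d ' '
}

# Running processes whose command name mentions Genieo (the ps step above);
# prints "PID command" lines for review before anything is killed.
geonei_processes() {
  ps -A -o pid=,comm= | grep -i genieo || true
}

# Stand-alone use: sh geonei_check.sh / alice
if [ -n "$1" ]; then
  find_geonei_artifacts "$1" "$2"; geonei_processes
fi
```

Paths printed by the artifact check map one-to-one onto the rm commands in the removal step; anything under /Volumes should be ejected as described above rather than deleted.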