OSX_VENTIR.A

 Analysis by: Christopher Daniel So

 ALIASES:

Trojan.OSX.Ventir.a (Kaspersky), OSX/Ventir-A (Sophos), OSX/Ventir.A (ESET)

 PLATFORM:

Mac OS X

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

18,296 bytes

File Type:

Mach-O

Memory Resident:

No

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Process Termination

This Trojan terminates the following processes if found running in the affected system's memory:

  • updated
  • update

NOTES:
It executes the following file:

  • {malware bundle's resource folder}/updated

  SOLUTION

Minimum Scan Engine:

9.700

Scan your computer with your Trend Micro product to delete files detected as OSX_VENTIR.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Please perform the following as Step 1 of the solution:

Step 1. Identify and terminate files detected as OSX_VENTIR.A

To terminate the malware/grayware process:

1. Scan your computer with your Trend Micro product and take note of the names of the malware/grayware detected.

2. Open a Terminal window. To do this, double-click Applications > Utilities > Terminal in Finder.

3. Enter the following command:

ps -A -ww -o pid,command

This will output lines with the following format:

{process ID} {command line}

4. In the list of running programs, locate the lines containing the malware/grayware files detected earlier, and the file {malware bundle's resource folder}/updated. Take note of the process IDs that come before the command line.

5. For each malware/grayware process ID, enter the following command:

kill {process ID}

6. To check if the malware/grayware processes has been terminated, re-enter the command ps -A -ww -o pid,command.

7. Close the Terminal application. To do this, press ⌘ (Command) + Q.


Did this description help? Tell us how we did.