OSX_VENTIR.A
Aliases: Trojan.OSX.Ventir.a (Kaspersky), OSX/Ventir-A (Sophos), OSX/Ventir.A (ESET)
Platform: Mac OS X
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 18,296 bytes
File Type: Mach-O
Memory Resident: No
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Process Termination
This Trojan terminates the following processes if found running in the affected system's memory:
- updated
- update
NOTES:
It executes the following file:
- {malware bundle's resource folder}/updated
SOLUTION
Minimum Scan Engine: 9.700
Scan your computer with your Trend Micro product to delete files detected as OSX_VENTIR.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
NOTES:
Please perform the following as Step 1 of the solution:
Step 1. Identify and terminate files detected as OSX_VENTIR.A
To terminate the malware/grayware process:
1. Scan your computer with your Trend Micro product and take note of the names of the malware/grayware detected.
2. Open a Terminal window. To do this, double-click Applications > Utilities > Terminal in Finder.
3. Enter the following command:
ps -A -ww -o pid,command
This will output lines with the following format:
{process ID} {command line}
4. In the list of running programs, locate the lines containing the malware/grayware files detected earlier, and the file {malware bundle's resource folder}/updated. Take note of the process IDs that come before the command line.
5. For each malware/grayware process ID, enter the following command:
kill {process ID}
6. To check whether the malware/grayware processes have been terminated, re-enter the command ps -A -ww -o pid,command.
7. Close the Terminal application. To do this, press ⌘ (Command) + Q.
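The lookup in steps 3 to 5 can be scripted so the process list is filtered rather than read by eye. This is an added example, not Trend Micro's tooling: it parses `ps -A -ww -o pid,command` output, keeps only entries whose executable name is exactly `updated` or `update` (the files this Trojan runs and terminates), and prints what would be killed. The sample `ps` output and the bundle path in it are constructed; the executable path is assumed to contain no spaces.

```shell
#!/bin/sh
# Constructed sample of `ps -A -ww -o pid,command` output (not a real capture).
# Line 733/734 imitate "{malware bundle's resource folder}/updated" and "/update";
# "softwareupdated" is a legitimate look-alike that must NOT match.
SAMPLE_PS_OUTPUT='  PID COMMAND
    1 /sbin/launchd
  412 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  733 /Users/demo/Library/.Hidden/Example.app/Contents/Resources/updated
  734 /Users/demo/Library/.Hidden/Example.app/Contents/Resources/update
  901 /usr/sbin/softwareupdated'

# find_suspect_pids PS_OUTPUT
# Prints "pid path" for every process whose executable basename is exactly
# "updated" or "update". Skips the header line; assumes no spaces in the path.
find_suspect_pids() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        pid = $1; cmd = $2
        n = split(cmd, parts, "/"); base = parts[n]
        if (base == "updated" || base == "update") print pid, cmd
    }'
}

# terminate_suspects PS_OUTPUT [yes]
# Dry run by default; pass "yes" as the second argument to send SIGTERM
# (the same as step 5's `kill {process ID}`). Re-run ps afterwards as step 6 says.
terminate_suspects() {
    find_suspect_pids "$1" | while read -r pid cmd; do
        if [ "$2" = "yes" ]; then
            kill "$pid"
        else
            echo "would kill $pid ($cmd)"
        fi
    done
}

# Live use: terminate_suspects "$(ps -A -ww -o pid,command)"
terminate_suspects "$SAMPLE_PS_OUTPUT"
```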