ALIASES:

AdWare.OSX.Geonei.b (Kaspersky)

 PLATFORM:

Mac OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This adware may be manually installed by a user.

  TECHNICAL DETAILS

File Size: 495,439 bytes
File Type: Other
Memory Resident: Yes
Initial Samples Received Date: 16 Sep 2014

Arrival Details

This adware may be manually installed by a user.

Installation

This adware drops the following component file(s):

  • /private/etc/launchd.conf - detected as OSX_GEONCONF.SM or OSX_GEONCONF.SMA
  • /Volumes/Installer/Installer.app
  • /Volumes/InstallGenieo
  • /Applications/Genieo.app
  • /Applications/Uninstall Genieo.app
  • /Applications/InstallMac/Reset Search.app
  • /users/{user}/Library/Caches/com.genieoinnovation.Installer/Cache.db
  • /users/{user}/Library/Preferences/com.genieo.settings.plist
  • /users/{user}/Library/Application Support/com.genieoinnovation.Installer/Completer.app
  • /Library/LaunchAgents/com.genieo.competer.update.plist
  • /Library/LaunchAgents/com.genieo.competer.download.plist
  • /private/tmp/tmpinstallmc.dmg
  • /private/tmp/GenieoInstall.dmg

Other Details

This adware does the following:

  • It loads installation components from the following URLs:
    • {BLOCKED}nstaller.appspot.com/appScreen/css/installmac_default.css
    • {BLOCKED}nstaller.appspot.com/appScreen/js/utilities.js
    • {BLOCKED}nstaller.appspot.com/appScreen/dialog.png
    • {BLOCKED}nstaller.appspot.com/appScreen/recomended.png
    • {BLOCKED}nstaller.appspot.com/appScreen/installer_logo.png
    • {BLOCKED}nstaller.appspot.com/appScreen/progress_bg.png
    • {BLOCKED}nstaller.appspot.com/install/first_time?session_id={session ID}&app_id={id}&offer_id={value}&os_version={Mac OS X Version}&install_version={value}&r={value}&disable_dynamic_update={value}&keyboard_lang={available keyboard language}&chosen_lang={default language}
    • {BLOCKED}nstaller.appspot.com/monetize?session_id={session id}&emid={value}&os_version={Mac OS X Version}&predefined_app_id={value}&predefined_offer_id={value}&event_show_install={value}&is_set_hp_approved={true|false}&is_set_sp_approved=false&is_install_accepted=true&install_id={value}&event_show_offer1={value}&is_offer1_accepted={true|false}&offer1_id={value}&install_download_start={true|false}&install_download_success={true|false}&install_exe_start={true|false}&install_exe_done_status={value}&download_url={value}&download_browser={value}&active_browser={active browser}&default_browser={default browser}&keyboard_lang={available keyboard language}&chosen_lang={default language}&language={language}
  • It reports the following information:
    • default browser
    • active browser
    • keyboard language
    • default language
    • Mac OS X version
  • It connects to the following URLs to report its installation status:
    • {BLOCKED}installer.appspot.com/report?session_id={session id}&emid={value}&os_version={Mac OS X Version}&predefined_app_id={value}&predefined_offer_id={value}&event_show_install={value}&is_set_hp_approved={true|false}&is_set_sp_approved={true|false}&is_install_accepted={true|false}&install_id={value}&event_show_offer1={value}&install_download_start={true|false}
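The three telemetry endpoints above (/install/first_time, /monetize and /report) can be spotted in web-proxy logs by their path and query keys even though the host name is redacted here. The following is an added example, not part of this advisory and not Trend Micro's code: a POSIX shell function that runs awk over a few constructed proxy log lines (the "timestamp client method url" layout, the client addresses and the host name example-installer.appspot.com are assumptions used for illustration) and prints, for each installer beacon, which endpoint was hit and the os_version, default_browser and active_browser values the adware reported.

```shell
#!/bin/sh
# Added example (not from the advisory): flag OSX_GEONEI.LQ installer beacons
# in proxy logs and pull out the host details the adware reports about the Mac.

# Input format assumed for this example: "<timestamp> <client> <method> <url>".
geonei_flag_beacons() {
    awk '
    # Field 4 is the URL. Match the three advisory endpoints on any appspot.com
    # host, since only the *.appspot.com part of the real host is known.
    $4 ~ /appspot\.com\/(install\/first_time|monetize|report)\?/ {
        split($4, parts, "?")              # parts[1]=scheme://host/path, parts[2]=query
        n = split(parts[2], pairs, "&")
        os = ""; def = ""; act = ""
        for (i = 1; i <= n; i++) {
            eq = index(pairs[i], "=")
            key = substr(pairs[i], 1, eq - 1); val = substr(pairs[i], eq + 1)
            if (key == "os_version") os = val
            else if (key == "default_browser") def = val
            else if (key == "active_browser") act = val
        }
        sub(/^.*appspot\.com/, "", parts[1])   # keep only the endpoint path
        printf "%s client=%s endpoint=%s os_version=%s default_browser=%s active_browser=%s\n",
               $1, $2, parts[1], os, def, act
    }'
}

# Constructed sample lines (not real traffic). example-installer.appspot.com
# stands in for the {BLOCKED} host in the advisory; line 2 is benign noise.
GEONEI_SAMPLE_LOG='2014-09-16T10:02:11Z 10.0.0.7 GET http://example-installer.appspot.com/install/first_time?session_id=abc123&app_id=7&offer_id=2&os_version=10.9.4&keyboard_lang=en&chosen_lang=en
2014-09-16T10:02:12Z 10.0.0.7 GET http://www.example.com/index.html
2014-09-16T10:02:40Z 10.0.0.7 GET http://example-installer.appspot.com/monetize?session_id=abc123&os_version=10.9.4&is_install_accepted=true&active_browser=Safari&default_browser=Chrome&language=en
2014-09-16T10:03:05Z 10.0.0.9 GET http://example-installer.appspot.com/report?session_id=def456&os_version=10.8.5&is_install_accepted=false'

# Prints one line per beacon: two from 10.0.0.7 and one from 10.0.0.9.
printf '%s\n' "$GEONEI_SAMPLE_LOG" | geonei_flag_beacons
```

Matching on the path plus the advisory's own query keys (session_id, os_version, is_install_accepted) keeps false positives low on a hosting domain as generic as appspot.com; feed the function your real proxy export with `awk` field numbers adjusted to its layout.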

NOTES:

It displays an installation wizard interface upon installation (screenshots: window1.png, window2.png, window3.png).

  SOLUTION

  1. Scan using Trend Micro product and take note of the detected path.
  2. If the detected files are on a mounted volume, eject that volume:
      In the Finder's menu bar, click Go > Computer.
      In the window that opens, right-click the volume where the detection was seen.
      Select Eject.
    (screenshots: unmount1.png, unmount2.png)
  3. Identify and terminate the grayware process using the path noted in the previous step.
      Open the Terminal:
      Applications > Utilities > Terminal, or type "Terminal" in Spotlight.
    • Type the following in the Terminal:
      ps -A
    • Look for the detected files and take note of their PIDs. If the detected files are not running, proceed to the next step.
    • In the same Terminal, enter the following command for each grayware PID:
      kill {PID}
  4. Uninstall the application.
    In the Finder's menu bar, click Go > Applications.
    Double-click the "Uninstall Genieo" application and click OK. (screenshot: apps.png)

    A confirmation page opens in the default browser upon successful uninstallation. (screenshot: uninstallsuccess.png)

  5. Delete the grayware directories and files. In the same Terminal, type the following commands:

    sudo rm -R "{grayware path and filename}.dmg"
    sudo rm -R "/Applications/Genieo.app"
    sudo rm -R "/Applications/Uninstall Genieo.app"
    sudo rm -R "/Applications/InstallMac/Reset Search.app"
    sudo rm -R "/users/{user}/Library/Caches/com.genieoinnovation.Installer"
    sudo rm -R "/users/{user}/Library/Preferences/com.genieo.settings.plist"
    sudo rm -R "/users/{user}/Library/Application Support/com.genieoinnovation.Installer"
    sudo rm -R "/Library/LaunchAgents/com.genieo.competer.update.plist"
    sudo rm -R "/Library/LaunchAgents/com.genieo.competer.download.plist"
    sudo rm -R "/private/tmp/tmpinstallmc.dmg"
    sudo rm -R "/private/tmp/GenieoInstall.dmg"

    If the directories and files are not found, please proceed to the next step.

  6. Scan your computer with your Trend Micro product to delete files detected as OSX_GEONEI.LQ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.
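Steps 2 through 5 above can be carried out from one script. The following is an added example, not part of this advisory and not Trend Micro's or Genieo's code: a POSIX shell script that probes every path in the Installation list (expanding {user} to each home directory under /Users), inspects /private/etc/launchd.conf instead of deleting it, and on request ejects the installer volumes, unloads the two LaunchAgents, kills running Genieo processes and removes the artifacts. The script name geonei_cleanup.sh, the optional alternate-root argument (meant only for staging a test tree) and the use of pgrep-style matching on the string "genieo" in `ps` output are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Trend Micro advisory: check a Mac for the
# OSX_GEONEI.LQ (Genieo) artifacts listed in the advisory and optionally remove them.
#   sudo sh geonei_cleanup.sh check              # list what is present
#   sudo sh geonei_cleanup.sh remove             # eject, unload, kill, delete
# An optional second argument is an alternate root (e.g. a staged /tmp tree),
# used here only so the functions can be exercised off a real Mac.

# Dropped components from the advisory's "Installation" list.
GEONEI_SYSTEM_PATHS='
/Applications/Genieo.app
/Applications/Uninstall Genieo.app
/Applications/InstallMac/Reset Search.app
/Library/LaunchAgents/com.genieo.competer.update.plist
/Library/LaunchAgents/com.genieo.competer.download.plist
/private/tmp/tmpinstallmc.dmg
/private/tmp/GenieoInstall.dmg
'
# Per-user components, relative to each home directory.
GEONEI_USER_PATHS='
Library/Caches/com.genieoinnovation.Installer
Library/Preferences/com.genieo.settings.plist
Library/Application Support/com.genieoinnovation.Installer
'

# Print every entry of the newline-separated list $2 that exists under prefix $1
# and count it in $hits. A here-document (not a pipe) keeps $hits in this shell,
# and IFS= read -r keeps paths with spaces ("Uninstall Genieo.app") intact.
_geonei_probe() {
    while IFS= read -r rel; do
        if [ -n "$rel" ] && [ -e "$1$rel" ]; then
            printf '%s\n' "$1$rel"
            hits=$((hits + 1))
        fi
    done <<EOF
$2
EOF
}

# List all Genieo artifacts under $1 (default /). Returns 0 if any were found.
geonei_find_artifacts() {
    root=${1:-/}; root=${root%/}; hits=0
    _geonei_probe "$root" "$GEONEI_SYSTEM_PATHS"
    # The advisory writes /users/{user}; the real directory is /Users (the default
    # macOS filesystems are case-insensitive), and every home directory is probed
    # so the victim's login name does not have to be known in advance.
    for home in "$root"/Users/*/; do
        [ -d "$home" ] || continue
        _geonei_probe "$home" "$GEONEI_USER_PATHS"
    done
    [ "$hits" -gt 0 ]
}

# /private/etc/launchd.conf is a legitimate (pre-10.10) system file, so it is
# inspected rather than deleted: succeed, printing the offending lines, only when
# it references Genieo. Those lines should then be removed by hand.
geonei_check_launchd_conf() {
    root=${1:-/}; root=${root%/}
    [ -f "$root/private/etc/launchd.conf" ] && grep -i 'genieo' "$root/private/etc/launchd.conf"
}

# Advisory step 2: the installer mounts /Volumes/Installer and /Volumes/InstallGenieo.
geonei_eject_volumes() {
    root=${1:-/}; root=${root%/}
    for vol in "$root/Volumes/Installer" "$root/Volumes/InstallGenieo"; do
        [ -d "$vol" ] || continue
        if command -v hdiutil >/dev/null 2>&1; then hdiutil detach "$vol"; else echo "mounted: $vol"; fi
    done
}

# Advisory steps 3 and 5: unload the launch agents before deleting their plists
# (best effort from a sudo shell; otherwise launchd keeps the job until logout),
# kill any running Genieo process, then delete every artifact found above.
geonei_remove_artifacts() {
    root=${1:-/}; root=${root%/}
    if command -v launchctl >/dev/null 2>&1; then      # macOS only
        for plist in "$root"/Library/LaunchAgents/com.genieo.competer.*.plist; do
            [ -f "$plist" ] && launchctl unload "$plist" 2>/dev/null
        done
        ps -Ao pid=,comm= | grep -i genieo | while read -r pid rest; do
            kill "$pid" 2>/dev/null || true
        done
    fi
    geonei_find_artifacts "$root" | while IFS= read -r path; do
        rm -R "$path" && echo "removed: $path"
    done
}

geonei_main() {
    mode=$1; root=${2:-/}
    geonei_eject_volumes "$root"
    geonei_check_launchd_conf "$root" && echo "launchd.conf references Genieo: edit it by hand" >&2
    case $mode in
        check)  geonei_find_artifacts "$root" || echo "no Genieo artifacts under $root" ;;
        remove) geonei_remove_artifacts "$root" ;;
        *)      echo "usage: $0 check|remove [root]" >&2; return 2 ;;
    esac
}
case "${1:-}" in check|remove) geonei_main "$@" ;; esac
```

Run `check` first and compare its output with what the Trend Micro scan reported; `remove` deletes only paths that `check` listed, so a clean system is left untouched, and launchd.conf is never deleted by the script because on an older OS X it may carry settings unrelated to the adware.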