PLATFORM: Mac OS X


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 2,238,993 bytes
File Type: Mach-O
Memory Resident: Yes
Initial Samples Received Date: 20 Sep 2013
Payload: Displays graphics/image

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:

  • {BLOCKED}esmsc.sytes.net via port 7777

As of this writing, the said servers are currently inaccessible.

NOTES:

It adds the following Property List file to be able to execute at system startup:

  • /Users/{Current Username}/Library/LaunchAgent/UserEvent.System.plist

The said .plist file executes the following file and keeps it running in memory:

  • /User/Shared/UserEvent.app/Contents/MacOS/UserEvent

Upon initial execution, it displays the following image:

  SOLUTION

Minimum Scan Engine: 9.300
FIRST VSAPI PATTERN FILE: 10.290.02
FIRST VSAPI PATTERN DATE: 20 Sep 2013

NOTES:

Restart in Safe Mode.

Restart your machine.

Hold the Shift key before the Apple boot logo appears.

Deleting Malware File

To do this, locate and delete the following files in the /Users/Shared folder:

  • UserEvent

Deleting Autostart .plist file

In the Terminal application, type the following then press Enter:

  • rm /Users/{Current Username}/Library/LaunchAgent/UserAgent.System.plist
  • (Note: The aforementioned path is case sensitive and may vary from system to system.)

Restart your machine normally.
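The file and .plist deletion steps above, as an added shell example that is not part of the Trend Micro write-up: it looks for the persistence artifacts the description lists and removes them. The home and shared directories are parameters (on a real system /Users/{Current Username} and /Users/Shared), and because the write-up names the .plist inconsistently (UserEvent.System.plist in the notes, UserAgent.System.plist in the removal step) and spells the directory "LaunchAgent" where macOS normally uses "LaunchAgents", the script checks every combination; that broadening is an assumption, not something the page states.

```shell
#!/bin/sh
# Added example, not the vendor's own tooling. Audits and removes the
# OSX_SEADOOR.A persistence artifacts named in the description.
# Assumption: both plist names and both "LaunchAgent"/"LaunchAgents"
# spellings are checked, since the write-up is inconsistent about them.

# Print every listed artifact that exists under the given home and shared dirs.
seadoor_find() {
    home="$1"; shared="$2"
    for dir in "$home/Library/LaunchAgent" "$home/Library/LaunchAgents"; do
        for name in UserEvent.System.plist UserAgent.System.plist; do
            [ -f "$dir/$name" ] && printf '%s\n' "$dir/$name"
        done
    done
    # The dropped binary lives inside UserEvent.app; removing the bundle covers it.
    [ -d "$shared/UserEvent.app" ] && printf '%s\n' "$shared/UserEvent.app"
    [ -f "$shared/UserEvent" ] && printf '%s\n' "$shared/UserEvent"
    return 0
}

# Exit status 0 when at least one artifact is present, 1 when none is found.
seadoor_present() {
    [ -n "$(seadoor_find "$1" "$2")" ]
}

# Remove the artifacts. On a live macOS system the launchd job is unloaded
# first so the agent is not simply respawned; launchctl is skipped elsewhere.
seadoor_remove() {
    home="$1"; shared="$2"
    seadoor_find "$home" "$shared" | while IFS= read -r path; do
        case "$path" in
            *.plist)
                if command -v launchctl >/dev/null 2>&1; then
                    launchctl unload "$path" 2>/dev/null || true
                fi ;;
        esac
        rm -rf "$path"
    done
}
```

Run it as `seadoor_find "$HOME" /Users/Shared` to audit first, then `seadoor_remove` with the same arguments once you are satisfied with the list.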

Scan your computer with your Trend Micro product to delete files detected as OSX_SEADOOR.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
