Who would expect a virus to hit a Macintosh system? Maybe that thinking is so five years ago. In this world of tech innovations, no computer system is safe anymore; everything is vulnerable to attack. Recently, the Flashback Trojan botnet reportedly infected over 600,000 Macs worldwide, exploiting unpatched security holes in Java. Mikko Hypponen, F-Secure’s Chief Research Officer, tweeted, “Assuming there are about 45 million Macs out there, Flashback would now have infected more than 1% of them.” Based on the figure above, provided by the Russian antivirus company Dr. Web, 0.1% of the infected Macs are in the Philippines, while the majority are in the U.S.


Apple acknowledged the threat caused by Trojan BackDoor.Flashback.39 and released the update to Java for OS X, called Java for OS X 2012-002. Apple encourages Mac users to update their devices.

F-Secure has posted steps on how to remove the Trojan virus on your Mac.

Manual Removal — Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance. F-Secure customers may also contact our Support.

Manual Removal Instructions

1. Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the value of DYLD_INSERT_LIBRARIES.
3. Proceed to step 8 if you got the following error message:

“The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”

4. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%

5. Take note of the value after “__ldpath__”.
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

7. Delete the files obtained in steps 2 and 5.
8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

“The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”

10. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

11. Take note of the value after “__ldpath__”.
12. Run the following commands in Terminal:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

13. Finally, delete the files obtained in steps 9 and 11.
14. Run the following command in Terminal:

ls -lA ~/Library/LaunchAgents/

15. Take note of the filename. Proceed only when you have one file. Otherwise, contact our customer care.
16. Run the following command in Terminal:

defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments

17. Take note of the path. If the filename does not start with a “.”, then you might not be infected with this variant.
18. Delete the files obtained in steps 15 and 17.

Note: For those who do not know where “Terminal” is located on a Mac, go to the “Applications” folder, then “Utilities”, then click “Terminal”. Once the “Terminal” window is open, copy, paste, and run the commands above.
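As an added example (not part of F-Secure’s instructions or this post), the read-only checks from steps 1–2, 4, 10 and 16–17 can be scripted so an administrator can audit a fleet without typing each command: it parses plist data with Python’s standard plistlib instead of calling defaults, and the Info.plist, library bytes and LaunchAgent below are constructed samples with assumed paths, not real malware artefacts.

```python
import plistlib
import re
from pathlib import PurePosixPath

# Marker the F-Secure steps grep for inside the injected library
LDPATH_RE = re.compile(rb"__ldpath__[ -~]*")


def lsenvironment_injection(info_plist: bytes):
    """Steps 1-2: return the DYLD_INSERT_LIBRARIES value from the LSEnvironment
    dictionary of Safari's Info.plist, or None when the key is absent."""
    env = plistlib.loads(info_plist).get("LSEnvironment", {})
    return env.get("DYLD_INSERT_LIBRARIES")


def extract_ldpath(blob: bytes):
    """Steps 4 and 10, the equivalent of grep -a -o '__ldpath__[ -~]*':
    return the printable path following the __ldpath__ marker, or None."""
    m = LDPATH_RE.search(blob)
    return m.group(0)[len(b"__ldpath__"):].decode("ascii") if m else None


def suspicious_launch_agent(agent_plist: bytes):
    """Steps 16-17: return the program path when ProgramArguments points at a
    hidden dot-file executable (the indicator the steps describe), else None."""
    args = plistlib.loads(agent_plist).get("ProgramArguments", [])
    if args and PurePosixPath(args[0]).name.startswith("."):
        return args[0]
    return None


# Constructed sample artefacts (assumed paths, not real malware data).
INFECTED_INFO = plistlib.dumps({"CFBundleName": "Safari",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Users/joe/.dummy.so"}})
CLEAN_INFO = plistlib.dumps({"CFBundleName": "Safari"})
SAMPLE_LIB = b"\x00\x01junk__ldpath__/Users/joe/.jupdate\x00more"
HIDDEN_AGENT = plistlib.dumps({"Label": "com.example.agent",
    "ProgramArguments": ["/Users/joe/.jupdate"]})
CLEAN_AGENT = plistlib.dumps({"Label": "com.example.agent",
    "ProgramArguments": ["/usr/bin/true"]})

if __name__ == "__main__":
    print("Safari LSEnvironment:", lsenvironment_injection(INFECTED_INFO))
    print("__ldpath__ target:", extract_ldpath(SAMPLE_LIB))
    print("Hidden LaunchAgent program:", suspicious_launch_agent(HIDDEN_AGENT))
```

On a real machine, pass the bytes of /Applications/Safari.app/Contents/Info.plist, the library named by DYLD_INSERT_LIBRARIES, and each file in ~/Library/LaunchAgents/ to these functions; a non-None result marks the item the steps tell you to inspect.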
