http://www.macintouch.com/opener02.html#oct31
Macintouch has posted a script that'll remove the Opener malware from an infected system. But how do you save this script and how do you run it? It's just text.
#!/bin/bash
################################################## ##############################################
# closer - this is the door closer
#
# This will turn most system services (ie SMB, SSH, Apache) off
# even if they were on before opener and will match kill a
# bunch of processes
#
# "What is wrong with us? Nothing.
#
# Just don't take your security for granted. Open a door, and we'll walk it.
# All you have to do is keep your doors closed,
# or watch who's walking around outside."
# Hackenslacker
################################################## ##############################################
# Originally written by hmartin
# This script runs in bash (as is noted by the very first line of this script)
# To run this script you need admin access
# Get the name of the evil script to remove
if [ -z "$1" ]
then
echo "Usage: `basename $0` malware name"
echo "If you are unsure what to use then run these commands or just use 'opener'"
echo "ls -1 /System/Library/StartupItems/ > StartupItems"
echo "diff CleanStartupItems StartupItems"
exit 1
fi
rm -rf /System/Library/StartupItems/"${1}"
# Remove from any mounted startup volume.
ls /Volumes | while read vol; do
if test -d /Volumes/"${vol}"/System/Library ; then
rm -rf /Volumes/"${vol}"/System/Library/StartupItems/"${1}"
fi
done
# If this script is run by anyone other than root it warns the user, but tries to disinfect anway
# Most of the commands in the script will just generate errors if it isn't run as root
if [ `id -u` != "0" ]; then
echo "This script is not running as root, probably won't work"
exit
fi
# Enable system accounting
# How to test whether it's currently on or off?
# Clear out ohphoneX
rm -rf /private/.phone/
killall -9 -m ohphoneX
# Enable OS X built-in firewall
defaults write /Library/Preferences/com.apple.sharing.firewall state yes &
# Restore LittleSnitch Prefs
if test -d /Library/StartupItems/LittleSnitch ; then
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" > /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo "<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo "<plist version=\"1.0\">" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo "<dict>" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo " <key>Description</key>" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo " <string>Loading Little Snitch</string>" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo " <key>OrderPreference</key>" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo " <string>First</string>" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo " <key>Provides</key>" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo " <array>" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo " <string>LittleSnitch</string>" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo " </array>" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo "</dict>" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
echo "</plist>" >> /Library/StartupItems/LittleSnitch/StartupParameters.plist
fi
# Kill KRec
killall -9 -m KRec
rm -rf /Library/Preferences/KRec*
# Turn ssh off
echo "service ssh" > /private/etc/xinetd.d/ssh
echo "{" >> /private/etc/xinetd.d/ssh
echo "disable = yes" >> /private/etc/xinetd.d/ssh
echo "socket_type = stream" >> /private/etc/xinetd.d/ssh
echo "wait = no" >> /private/etc/xinetd.d/ssh
echo "user = root" >> /private/etc/xinetd.d/ssh
echo "server = /usr/libexec/sshd-keygen-wrapper" >> /private/etc/xinetd.d/ssh
echo "server_args = -i" >> /private/etc/xinetd.d/ssh
echo "groups = yes" >> /private/etc/xinetd.d/ssh
echo "flags = REUSE IPv6" >> /private/etc/xinetd.d/ssh
echo "session_create = yes" >> /private/etc/xinetd.d/ssh
echo "}" >> /private/etc/xinetd.d/ssh &
echo "SSHSERVER=-NO-" >> /etc/hostconfig
# Turn FileSharing and webserving off
echo "AFPSERVER=-NO-" >> /etc/hostconfig
killall AppleFileServer
echo "SMBSERVER=-NO-" >> /etc/hostconfig
echo "WEBSERVER=-NO-" >> /etc/hostconfig
# Lock system files back up
chmod 644 /etc/hostconfig
chmod 444 /etc/xinetd.d/ssh
chmod -R 755 /etc/periodic/daily /etc/periodic/weekly /etc/periodic/monthly
chflags uchg /etc/hostconfig /etc/xinetd.d/ssh /etc/daily /etc/weekly /etc/monthly
# Delete all that hard earned info
rm -r /.info
find . -maxdepth 2 -name "Public" -type d -exec rm -rf '{}/.info' \;
rm -rf /Library/Preferences/.indexed/v_m.txt
# No idea what the default LW settings are supposed to be...
# Can anyone confirm if this works?
# I'd rather not trash the NI db
# nidump -destroy . /users/LDAP-daemon
# How to cut the last line of the cron log deletion jobs?
# Bye john
rm -rf /Library/Preferences/jtr
killall -9 -m john
# Misc
chmod 775 /Library
# Remove dsniff
rm -rf /Library/Preferences/dsstart
killall -9 -m dsniff
killall -9 -m dsstart
# This will definately need a lot more work
# Probably uploading known good version and reinstalling them
# Anyone want to host
# Should forwarding be turned off?
# sysctl -w net.inet.ip.forwarding=0