
Trojan infestation!
allblue
Forum Regular
Join Date: May 2005
Location: Somewhere they can't find me
Feb 8, 2006, 05:11 PM
 
As I hadn't run it for a while I gave ClamXav a spin and it found 151 Trojans on my HD! The bulk are in User/***/Library/Caches/Java Applets/cache. They are all .zip files, and have the names Trojan.Java.ByteVerify; Trojan.Java.Classloader.B; Trojan.Gummy.ByteVerify and, worryingly, a few are called Java,Downloader.OpenStream.A. Presumably I should just trash them all. It also listed 25 files in User/***/'.jpi cache' as 'FOUND', of which eight had the word Trojan in the long file name. I used TinkerTool to make the folder visible - can I just trash the whole .jpi cache folder? When searching before posting, someone said they had disabled their Java cache to stop this happening - what effect would this have, and how would I do it?
Now here is something I really don't understand. Clam has found several other Trojans outside the Java cache: one attached to a .tiff that came from the European Space Agency site; another attached to the Drive 10 1.1.5 update DMG that came directly from Micromat; and, even weirder, several are attached to .psd files - photos taken with my own camera, transferred direct to the HD and then adjusted in Photoshop, hence nothing to do with the web! All of these ones are Trojan.URLspoof.gen. How is this possible?
One other question: Clam also listed about 30 visible files (rtf, jpg, gif), but it just lists the file name and does not say FOUND or have a Trojan name next to them. Should I trash those as well?
I have an iMac G4 800, 512 MB, 10.3.9.
"Believe nothing, no matter where you heard it, or who has said it, not even if I have said it, unless it agrees with your own reason and your own common sense."

Buddha
     
SMacTech
Mac Elite
Join Date: Nov 2001
Location: Trafalmadore
Feb 8, 2006, 05:26 PM
 
Originally Posted by allblue: How is this possible?
False detection or a bogus program; that's all I can think of offhand.
     
allblue  (op)
Forum Regular
Join Date: May 2005
Location: Somewhere they can't find me
Feb 8, 2006, 05:39 PM
 
Originally Posted by SMacTech: False detection or a bogus program; that's all I can think of offhand.
The Java cache issue is real, I suspect, because I have read about it elsewhere in this forum, but surely the only way one could attach the .psd files would be if the thing was moving around on my HD - but that can't happen on Macs, can it? They don't appear to be doing any harm, and I have Little Snitch running, so they are not calling home or anything. Even so, I am a bit perturbed by it.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 8, 2006, 06:50 PM
 
It's very unlikely that you have actual Mac-targeting trojans. How up to date is your version of Clam? If it is not perfectly current (as in, you updated it just before your scan), it could easily misidentify what it sees.

This is also a chance to start letting Google do something for you. Enter the name of some of those supposed trojans in Google and see what you get. I looked up some that you posted with TrendMicro's Virus Encyclopedia, and found that all I looked at (that were indeed malware) were targeted at PCs. Yep, every one. The Classloader that Clam found is most likely really part of Java, though.

Lesson? Good Macs can collect bad PC malware (so you should be aware of what you have on your machine before you email anyone with a PC). Use the Java console's tools to dump the cache, and either disable it or (if you can) reduce it to a much smaller size and empty it regularly.

Glenn -----OTR/L, MOT, Tx
     
allblue  (op)
Forum Regular
Join Date: May 2005
Location: Somewhere they can't find me
Feb 8, 2006, 08:41 PM
 
Thanks for the info, gh. I updated Clam just before running it, so that's OK. Are you saying I should leave the Classloader ones alone, even though Clam identified them as Trojans? Would it cause any harm if I deleted them? (I should say I'm not very savvy with what goes on under the hood, and I did have the unfortunate experience once of trying to delete some bits left behind by an app. Search pointed me to a .rsc file in the system files and I deleted it. One archive-and-install later - d'oh! - I resolved never to fiddle about with things I didn't understand again!)
I'm just so glad I haven't got a peeceeeee!
     
SSharon
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Feb 8, 2006, 10:28 PM
 
Move the files to another folder and see if things still work well. If everything is ok then it's probably safe to delete them.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
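The triage ghporter and SSharon describe (tally what the scanner flagged, look each signature name up before deciding it matters on a Mac, then move the flagged files aside rather than deleting them so they can be put back if something breaks) as a shell script. This is an added example, not code from the thread, from ClamXav or from ClamAV; it assumes clamscan's standard line format `<path>: <signature> FOUND`, and the small file tree and report it builds are constructed for the demo, not the poster's real scan.

```sh
#!/bin/sh
# clam_triage.sh: triage a clamscan/ClamXav report and quarantine flagged files by
# moving them aside (with a manifest to put them back) instead of deleting them.
# Added example for this thread; not code from the posts or from ClamAV/ClamXav.
# Assumption: the report uses clamscan's line format "<path>: <signature> FOUND".
# Signature names contain no ": ", so each line is split at its LAST ": ".
set -eu

# Print "<signature>|<path>" for every FOUND line in the report.
parse_hits() {
    sed -n 's/^\(.*\): \([^:]*\) FOUND$/\2|\1/p' "$1"
}

# Count hits per signature, most frequent first, as "<count> <signature>".
# Look each name up in a vendor encyclopedia before deciding it matters on a Mac.
summarize_hits() {
    parse_hits "$1" | cut -d'|' -f1 | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# All paths flagged with one signature (the detections to inspect or quarantine).
paths_for_sig() {
    parse_hits "$1" | awk -F'|' -v sig="$2" '$1 == sig { print $2 }'
}

# Report lines that carry neither FOUND nor OK (for example empty or unreadable
# files): listed by the scanner, but not detections, so nothing to delete.
non_verdict_lines() {
    awk '/^-+ SCAN SUMMARY/ { exit }
         /: / && !/ FOUND$/ && !/: OK$/ { print }' "$1"
}

# Move every flagged file that lives under ROOT into QDIR, keeping its relative
# path, and record "<original>|<quarantined>" in QDIR/manifest. Prints how many moved.
quarantine_hits() {
    report=$1; root=$2; qdir=$3; moved=0
    list=$(mktemp)
    parse_hits "$report" | cut -d'|' -f2- > "$list"
    mkdir -p "$qdir"
    while IFS= read -r path; do
        case $path in "$root"/*) ;; *) continue ;; esac   # outside ROOT: leave alone
        [ -f "$path" ] || continue                        # already gone: skip
        dest="$qdir/${path#"$root"/}"
        mkdir -p "$(dirname "$dest")"
        mv "$path" "$dest"
        printf '%s|%s\n' "$path" "$dest" >> "$qdir/manifest"
        moved=$((moved + 1))
    done < "$list"
    rm -f "$list"
    echo "$moved"
}

# Undo quarantine_hits from the manifest. Prints how many files were restored.
restore_quarantine() {
    qdir=$1; restored=0
    [ -f "$qdir/manifest" ] || { echo 0; return 0; }
    while IFS='|' read -r orig dest; do
        mkdir -p "$(dirname "$orig")"
        mv "$dest" "$orig"
        restored=$((restored + 1))
    done < "$qdir/manifest"
    rm -f "$qdir/manifest"
    echo "$restored"
}

# Constructed sample: a tiny home-folder tree and a matching report, modelled on the
# kind of hits described in the thread. Not real scanner output.
make_sample() {
    home=$1
    mkdir -p "$home/Library/Caches/Java Applets/cache" "$home/Pictures"
    printf 'PK' > "$home/Library/Caches/Java Applets/cache/jar_cache1.zip"
    printf 'PK' > "$home/Library/Caches/Java Applets/cache/jar_cache2.zip"
    printf 'PK' > "$home/Library/Caches/Java Applets/cache/jar_cache3.zip"
    printf '8BPS' > "$home/Pictures/IMG_0001.psd"
    printf '8BPS' > "$home/Pictures/IMG_0002.psd"
    : > "$home/Pictures/empty.rtf"
    cat > "$home/scan.log" <<EOF
$home/Library/Caches/Java Applets/cache/jar_cache1.zip: Trojan.Java.ByteVerify FOUND
$home/Library/Caches/Java Applets/cache/jar_cache2.zip: Trojan.Java.ByteVerify FOUND
$home/Library/Caches/Java Applets/cache/jar_cache3.zip: Trojan.Java.Classloader.B FOUND
$home/Pictures/IMG_0001.psd: Trojan.URLspoof.gen FOUND
$home/Pictures/IMG_0002.psd: OK
$home/Pictures/empty.rtf: Empty file

----------- SCAN SUMMARY -----------
Infected files: 4
EOF
}

# Demo run: sh clam_triage.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_sample "$work/home"
    echo "Hits by signature:"; summarize_hits "$work/home/scan.log"
    echo "Listed without a verdict:"; non_verdict_lines "$work/home/scan.log"
    n=$(quarantine_hits "$work/home/scan.log" "$work/home" "$work/quarantine")
    echo "Quarantined $n file(s); see $work/quarantine/manifest to restore"
    rm -rf "$work"
fi
```

Against a real scan you would feed it the saved report of a run such as `clamscan -r -i ~/Library/Caches > scan.log` (the `-i` flag limits output to infected files, so the non-verdict listing will then be empty). Quarantining with a manifest rather than deleting is the point: if an application breaks after the move, `restore_quarantine` puts every file back where it was; if everything keeps working, the quarantine folder can be emptied later. The script treats paths containing `|` as out of scope for the manifest format.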
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 9, 2006, 10:38 AM
 
What SSharon said will work great. I think you'll see that even if Classloader is a "good guy", deleting it from the cache won't hurt; it'll just get reloaded from the valid .jar file when needed.
     
allblue  (op)
Forum Regular
Join Date: May 2005
Location: Somewhere they can't find me
Feb 9, 2006, 11:02 AM
 
Thanks for the tips, guys. I did as SSharon suggested - put them all in the trash (but did not empty it) and then restarted, and everything is running as smoothly as usual. So I suppose the two lessons from this are 1) it is worthwhile to scan your system from time to time to find these things, and 2) 1 doesn't really matter very much! Pip! Pip!
     
   
All times are GMT -4.
All contents of these forums © 1995-2017 MacNN. All rights reserved.