
iChat Virus?



brosenblatt07
11-27-2009, 01:53 PM
Hi. I was away from my computer for a day and when I returned I had an IM from a Screen Name that has been harassing me for a couple of months. They keep trying to video chat me or IM me, but I never answer. When I returned to my computer this morning, there was an IM that I opened and was finally going to say something to the person, but when I opened it, there were a couple of messages saying that they have downloaded all of my information and passwords and files. I am going to attach a photo so you can see. It looks a little fishy. I called Apple and they have never seen it. There are no articles about anything like it on Google. The person's SN is bolded, which is odd since usually when iChat tells you if someone has signed off or on, the SN is not in bold. Also, iChat never gives warning messages like these. I feel like it is some script for iChat that someone started using. If not, and someone has in fact hacked my system, which I don't believe someone can do through iChat, can someone let me know what to do. Also, if they hacked my system some other way, I don't see why iChat would warn me about it and not something else in the computer. Thanks!

http://img257.imageshack.us/img257/3695/ichatwarning.png

ricks
11-27-2009, 02:06 PM
If you can, scrunch the window down and redo the screenshot. The page is way too big to be easily read.

Rick

unclemac
11-28-2009, 03:15 PM
Could be a worm.......Leap-A (http://www.sophos.com/security/analyses/viruses-and-spyware/osxleapa.html).


See if any of this is present:


OSX/Leap-A is an instant-messaging worm for the Mac OS X platform.

The worm attempts to spread via the iChat instant messaging system, sending itself to available contacts on the infected users' buddy list in a file called latestpics.tgz. This file is an archive consisting of:

latestpics: the worm executable
._latestpics: a hidden resource file designed to disguise the executable as a JPEG image

OSX/Leap-A installs itself as an application hook by deleting the "apphook" subdirectory of either the /Library/InputManagers/ directory (if run with root permissions) or the ~/Library/InputManagers/ directory (if run as a non-root user) and replacing it with the following three files:

apphook/Info
apphook/apphook.bundle/Contents/Info.plist
apphook/apphook.bundle/Contents/MacOS/apphook

OSX/Leap-A attempts to infect recently used applications by overwriting the original application with a copy of the worm, storing the original application in the file's resource fork. Infected application files have the following extended attribute:

name: oompa
value: loompa

OSX/Leap-A also creates the following temporary files:

/tmp/pic.gz
/tmp/pic
/tmp/latestpics
/tmp/lastespics.tar
/tmp/lastespics.tar.gz
/tmp/lastespics.tgz

and several files under

/tmp/apphook

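Editor's note: the indicators quoted from the Sophos description above (the apphook InputManagers bundle, the /tmp staging files, and the oompa=loompa extended attribute on overwritten applications) can be checked with a short script rather than by hand. The following is an added example, not code from this thread or from Sophos. The paths are exactly those listed above; the ROOT and USER_HOME arguments, the function names, and the use of the macOS `xattr` tool for the attribute scan are assumptions made so the check can also be pointed at a mounted disk image.

```shell
#!/bin/sh
# Added example: triage check for the OSX/Leap-A indicators listed in the
# quoted Sophos description. Not from the original thread.
#
# leap_check [ROOT] [USER_HOME]
#   ROOT      - prefix to prepend to absolute paths ("" or "/" for the live
#               system, or the mount point of an image).  Assumption.
#   USER_HOME - home directory to check for the per-user InputManagers copy.
#   Prints one "INDICATOR:" line per hit; returns 0 if clean, 1 if anything found.
leap_check() {
    root=${1:-}
    root=${root%/}            # "/" -> "" so "$root/tmp" stays an absolute path
    home=${2:-$HOME}
    home=${home%/}
    found=0

    # 1. The apphook input manager the worm installs (system-wide if run as
    #    root, per-user otherwise).  File names are from the quoted analysis.
    for d in "$root/Library/InputManagers/apphook" "$home/Library/InputManagers/apphook"; do
        if [ -e "$d/Info" ] || [ -e "$d/apphook.bundle/Contents/Info.plist" ] \
           || [ -e "$d/apphook.bundle/Contents/MacOS/apphook" ]; then
            echo "INDICATOR: Leap-A apphook input manager at $d"
            found=1
        fi
    done

    # 2. Temporary staging files created while building latestpics.tgz.
    #    Names copied verbatim from the quoted list, including "lastespics".
    for f in pic.gz pic latestpics lastespics.tar lastespics.tar.gz lastespics.tgz apphook; do
        if [ -e "$root/tmp/$f" ]; then
            echo "INDICATOR: staging file or directory $root/tmp/$f"
            found=1
        fi
    done

    return $found
}

# leap_xattr_scan DIR
#   Lists regular files under DIR that carry the extended attribute
#   oompa=loompa, the marker the worm leaves on applications it overwrote.
#   Uses the macOS "xattr" command; on systems without it the scan is skipped.
leap_xattr_scan() {
    dir=${1:-/Applications}
    if ! command -v xattr >/dev/null 2>&1; then
        echo "xattr not available; skipping extended-attribute scan" >&2
        return 0
    fi
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        if [ "$(xattr -p oompa "$f" 2>/dev/null)" = "loompa" ]; then
            echo "INDICATOR: oompa=loompa attribute on $f"
        fi
    done
}

# Stand-alone use on the live machine: check system and user locations, then
# scan /Applications (where "recently used applications" usually live).
if [ "${LEAP_CHECK_RUN:-0}" = "1" ]; then
    leap_check "" "$HOME" || echo "Leap-A indicators present"
    leap_xattr_scan /Applications
fi
```

Run it with `LEAP_CHECK_RUN=1 sh leapcheck.sh` on the Mac in question, or call `leap_check /Volumes/ImageName /Volumes/ImageName/Users/name` against a mounted image. An empty result only rules out this particular worm's file-system footprint; it says nothing about whether the sender of the IM is infected, which is the more likely reading of the thread.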

unclemac
11-28-2009, 03:26 PM
Preventive steps would be to change your admin PW to something very secure, as well as other considerations.....depending on if you have this worm or something like it.

More info (http://www.viruslist.com/en/viruses/encyclopedia?virusid=112895) on the worm you might have.

Keep in mind that an infected buddy list, either for email or chat, is the classic symptom of an infected machine, meaning the machine is infected and trying to chat you, not the human.

Damien
11-28-2009, 06:48 PM
Sounds more like Hockeyshot has the worm and not brosenblatt07

unclemac
11-28-2009, 07:09 PM
Very likely. Not having dealt with it, not sure if having a chat with an infected machine will infect the recipient.......better to be safe than sorry at this point.