Remove the OSX.RSPlug.A Trojan

Question any Mac user about what kind of anti-virus program they use and the majority of them will answer ‘none’. A Mac under attack? That’s almost blasphemous, is the expected reaction. Unfortunately all is not hunky dory in the Mac Kingdom, and our precious machines may just be under attack. A piece of malware, dubbed the OSX.RSPlug.A trojan horse, is doing the rounds and MacWorld gives some tips on how to disinfect your machine.

To check if your machine has been afflicted with the malware, check the top-level /Library -> Internet Plug-Ins folder, and look for a file named plugins.settings. If it’s there, then you’ve got a bad case of the OSX.RSPlug.A trojan horse.

In OS X 10.5, your DNS entries will be altered to point to a malicious server that handles further requests. This can be disastrous if you are using PayPal, your online bank controls, or any other heavily phished target.

So how do you combat this problem, and free your Mac from this obnoxiously nasty malware? The easiest route (and most expensive) is to install an anti-virus program like VirusBarrier. Sure boys, it may bruise your Mac ego but hey, it’s either that or skipping surfing porn altogether.

If investing in anti-virus software is not in the cards, then OS X 10.5 and OS X 10.4 users need to:

  1. Navigate to /Library -> Internet Plug-Ins.
  2. Delete the plugins.settings file and empty the trash. This is the file that resets your DNS info.
  3. Type sudo crontab -r in the terminal and provide your admin password when asked. This will kill the cronjob that re-runs the malware and changes your DNS info back if you try to fix it.
  4. Now, proceed to the Network System Preferences panel and copy the entries on the DNS Server box and retype those same values in the box. Once you’re done, click Apply.
  5. The final step involves rebooting the system.
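
The file check and the cron step above, as an added read-only shell example (not from MacWorld or the original post): it looks for plugins.settings and lists root's active cron entries, because sudo crontab -r deletes every job in root's crontab, not only the malicious one. The function names and the ROOT prefix argument (for pointing at a mounted disk or test directory) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read-only check for the two indicators this article names.
# Function names and the ROOT prefix argument are hypothetical, not from the article.

PLUGIN_REL="Library/Internet Plug-Ins/plugins.settings"

# rsplug_file_present [ROOT]: print the path and return 0 if the file exists.
rsplug_file_present() {
    root="${1:-/}"
    path="${root%/}/$PLUGIN_REL"
    if [ -e "$path" ]; then
        printf '%s\n' "$path"
        return 0
    fi
    return 1
}

# Read crontab text on stdin; print only active entries (drop comments and blanks).
cron_active_entries() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d'
}

# rsplug_report ROOT CRONTAB_TEXT: returns 0 if nothing needs attention, 1 otherwise.
rsplug_report() {
    status=0
    if found=$(rsplug_file_present "$1"); then
        echo "FOUND: $found"
        status=1
    else
        echo "ok: plugins.settings not present"
    fi
    entries=$(printf '%s\n' "$2" | cron_active_entries)
    if [ -n "$entries" ]; then
        echo "REVIEW: root cron entries (crontab -r removes all of these):"
        printf '%s\n' "$entries" | sed 's/^/  /'
        status=1
    else
        echo "ok: root crontab has no active entries"
    fi
    return $status
}

# Live use on the Mac itself: sh this-script --live
if [ "${1:-}" = "--live" ]; then
    rsplug_report / "$(sudo crontab -l 2>/dev/null)"
fi
```

Run it before step 2 to see what is there, and again after the reboot in step 5 to confirm both indicators are gone.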

For more info on OSX.RSPlug.A check out Infinite Loop.

Your system should now be free from the little bugger, but just to be on the safe side, avoid installing software from untrusted sources. Yeah, we know we sound preachy, but hey, it’s good advice.