Comments on: Remove the OSX.RSPlug.A Trojan http://macapper.com/2007/11/10/remove-osxrspluga-trogan/ Mac Apps, Reviews, Previews, Interviews, and Giveaways. Fri, 20 Nov 2009 15:57:29 -0800 http://wordpress.org/?v=2.8.5 hourly 1 By: remove my way trojan http://macapper.com/2007/11/10/remove-osxrspluga-trogan/comment-page-1/#comment-101062 remove my way trojan Tue, 03 Jun 2008 20:14:50 +0000 http://macapper.com/2007/11/10/remove-osxrspluga-trogan/#comment-101062 [...] [...] [...] [...]

]]> By: Dennis http://macapper.com/2007/11/10/remove-osxrspluga-trogan/comment-page-1/#comment-35225 Dennis Sat, 29 Dec 2007 21:16:11 +0000 http://macapper.com/2007/11/10/remove-osxrspluga-trogan/#comment-35225 Posted this on the Macworld thread.... think It might be of some help to people here: Phew...... showed my first trojan horse the door..... Thank you for the great how-to! Glad I recently conquered my Terminal-shyness, otherwise this would really have been a sweaty-hands-affair. One thing puzzles me though. sudo crontab -l got this result: * * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1 Which is weird... I guess... it's got a different name, even more misleading, maybe this links to the other one? Deleted (copied ofcourse) the Quicktime.xpt file also, just in case. Can anyone shed some light on this one? I still have the file if you're interested. +Edit: I've now figured out that the two files are practically identical, bar some quotes here and there around the $0 (reason?) so if you have the file QuickTime.xpt, REMOVE IT!!!!+ +Cunning, because there also is a flashplayer.xpt file.... which is different, so genuine I guess.+ By the way: My trojan came in this disguise: - codecmpg4291.dmg - opens into disk named: 193 (and still I was not suspicious.... doofus) - install.pkg inside - Opens up into MacVideo installer (nope.... although that's a lot of non -consistent names there, still I wasn't suspicious.... Macs don't have Viruses and Trojans you know.... yeah... right) - Prompts for admin password (yep... I'm ignorant) The DNS-servers showing up in Little-snitch (lookupd) and via scutil were: 0 : 85.255.113.134 1 : 85.255.112.140 Both from: UkrTeleGroup Ltd. Country : Ukraine (UA) (via cyberabuse) My macbookpro normally gets its DNS servers through my Airport Base-station which is my router... so that can't be right. And I'm in Holland, not Ukraine.... I've not mailed the abuse to the Ukrainian ISP, ofcourse. +Edit: During the installation process the installer phones home: 64.28.184.6+ +The Malware distributor seems to be Cernel.net AKA Esthost,+ +See this Webserver forum entry: http://www.webservertalk.com/archive154-2005-12-1316937.html+ Ok...hope this slightly different naming might help others, maybe googling. My macbookpro is getting it's DNS from 10.0.1.1 again, so I think I'm ok. and I swear I'll never surf for porn again! (yeah right) Thnx and Grtz Dennis Posted this on the Macworld thread…. think It might be of some help to people here:

Phew…… showed my first trojan horse the door….. Thank you for the great how-to!
Glad I recently conquered my Terminal-shyness, otherwise this would really have been a sweaty-hands-affair.

One thing puzzles me though.
sudo crontab -l got this result:
* * * * * “/Library/Internet Plug-Ins/QuickTime.xpt”>/dev/null 2>&1
Which is weird… I guess… it’s got a different name, even more misleading, maybe this links to the other one? Deleted (copied ofcourse) the Quicktime.xpt file also, just in case.
Can anyone shed some light on this one? I still have the file if you’re interested.

+Edit: I’ve now figured out that the two files are practically identical, bar some quotes here and there around the $0 (reason?) so if you have the file QuickTime.xpt, REMOVE IT!!!!+
+Cunning, because there also is a flashplayer.xpt file…. which is different, so genuine I guess.+

By the way: My trojan came in this disguise:
- codecmpg4291.dmg
- opens into disk named: 193 (and still I was not suspicious…. doofus)
- install.pkg inside
- Opens up into MacVideo installer (nope…. although that’s a lot of non -consistent names there, still I wasn’t suspicious…. Macs don’t have Viruses and Trojans you know…. yeah… right)
- Prompts for admin password (yep… I’m ignorant)

The DNS-servers showing up in Little-snitch (lookupd) and via scutil were:
0 : 85.255.113.134
1 : 85.255.112.140
Both from: UkrTeleGroup Ltd. Country : Ukraine (UA) (via cyberabuse)
My macbookpro normally gets its DNS servers through my Airport Base-station which is my router… so that can’t be right.
And I’m in Holland, not Ukraine….
I’ve not mailed the abuse to the Ukrainian ISP, ofcourse.

+Edit: During the installation process the installer phones home: 64.28.184.6+
+The Malware distributor seems to be Cernel.net AKA Esthost,+
+See this Webserver forum entry: http://www.webservertalk.com/archive154-2005-12-1316937.html+

Ok…hope this slightly different naming might help others, maybe googling.

My macbookpro is getting it’s DNS from 10.0.1.1 again, so I think I’m ok.
and I swear I’ll never surf for porn again! (yeah right)

Thnx and Grtz
Dennis

]]> By: Tak http://macapper.com/2007/11/10/remove-osxrspluga-trogan/comment-page-1/#comment-29827 Tak Fri, 07 Dec 2007 01:19:25 +0000 http://macapper.com/2007/11/10/remove-osxrspluga-trogan/#comment-29827 I can't find the plugins.settings file. I surely looked in /Library/Internet Plug-ins instead of ~/Library/Internet Plug-ins. And the grayed-out DNS IP addresses are still there! I can’t find the plugins.settings file. I surely looked in /Library/Internet Plug-ins instead of ~/Library/Internet Plug-ins. And the grayed-out DNS IP addresses are still there!

]]> By: blog.stevenbrown.ca » Blog Archive » A Bug’s Life http://macapper.com/2007/11/10/remove-osxrspluga-trogan/comment-page-1/#comment-26232 blog.stevenbrown.ca » Blog Archive » A Bug’s Life Mon, 26 Nov 2007 04:20:53 +0000 http://macapper.com/2007/11/10/remove-osxrspluga-trogan/#comment-26232 [...] has since changed icons. More recently, Shirley pointed out to me that my bug had been used on a Mac site! (Of all things!) Heh. I only posted the graphic on the Nemiver mailing list, so I [...] [...] has since changed icons. More recently, Shirley pointed out to me that my bug had been used on a Mac site! (Of all things!) Heh. I only posted the graphic on the Nemiver mailing list, so I [...]

]]> By: Brushy http://macapper.com/2007/11/10/remove-osxrspluga-trogan/comment-page-1/#comment-22072 Brushy Sat, 10 Nov 2007 13:08:33 +0000 http://macapper.com/2007/11/10/remove-osxrspluga-trogan/#comment-22072 @Tom...Pretty sure it was a tongue in cheek comment aka sarcasm. I recently came across this bug on a customers machine...I guess we should all be thankful it's so easy to remove. @Tom…Pretty sure it was a tongue in cheek comment aka sarcasm.

I recently came across this bug on a customers machine…I guess we should all be thankful it’s so easy to remove.

]]> By: Tom http://macapper.com/2007/11/10/remove-osxrspluga-trogan/comment-page-1/#comment-22065 Tom Sat, 10 Nov 2007 12:43:03 +0000 http://macapper.com/2007/11/10/remove-osxrspluga-trogan/#comment-22065 What are you talking about, skipping porno? You have to manually install this virus from the porn site, there's no 'automated' attack vector. Basically, the only people vulnerable are people who don't read blogs, they just use a mac and install whatever software porn sites tell them to. A rare individual. What are you talking about, skipping porno? You have to manually install this virus from the porn site, there’s no ‘automated’ attack vector. Basically, the only people vulnerable are people who don’t read blogs, they just use a mac and install whatever software porn sites tell them to. A rare individual.

]]>