



Backdoor:OSX/Imuler.A

Category:Malware
Type:Backdoor
Platform:OSX

Summary

Backdoor:OSX/Imuler.A contacts a remote server for instructions; depending on what it receives, it may steal files from the infected system or capture a screenshot of it, and forward the result to the remote server.

Disinfection

Automatic

Allow F-Secure Anti-Virus for Mac to remove the relevant files.


Manual Removal

  • Open Activity Monitor
  • Select the checkvir process, then click Quit Process
  • Delete the following files:

    • /users/%user%/library/LaunchAgents/checkvir
    • /users/%user%/library/LaunchAgents/checkvir.plist
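The manual removal steps above as a script. This is an added example written for this page, not an F-Secure tool. The two file paths are the ones listed above (written here with the capitalisation macOS uses; the default file system is case-insensitive, so the lowercase spelling on the page resolves to the same files). The function names, the verification step, and the use of launchctl and pkill to stop the agent before the files are deleted are additions; the page only says to quit the process in Activity Monitor first.

```sh
#!/bin/sh
# Added example for the Imuler.A removal steps (not F-Secure's code).
# Artifact paths are from the page; everything else is an assumption.

# Persistence artifacts, relative to the affected user's home directory.
IMULER_AGENT="Library/LaunchAgents/checkvir"
IMULER_PLIST="Library/LaunchAgents/checkvir.plist"

# imuler_artifacts_present HOME_DIR
# Returns 0 if either artifact exists under HOME_DIR, 1 otherwise.
imuler_artifacts_present() {
    home="$1"
    [ -e "$home/$IMULER_AGENT" ] || [ -e "$home/$IMULER_PLIST" ]
}

# imuler_remove HOME_DIR
# Stops the agent, then deletes both files, then verifies.
# Order matters: the page says the running process is quit first.
# The backdoor writes its own copy to the agent path on execution,
# so deleting the files while it still runs can leave it re-dropped.
imuler_remove() {
    home="$1"
    # launchctl and pkill exist on macOS; they are guarded so the
    # function can also be exercised on a non-macOS host (assumption).
    if command -v launchctl >/dev/null 2>&1 && [ -f "$home/$IMULER_PLIST" ]; then
        launchctl unload "$home/$IMULER_PLIST" 2>/dev/null || true
    fi
    if command -v pkill >/dev/null 2>&1; then
        pkill -x checkvir 2>/dev/null || true
    fi
    rm -f "$home/$IMULER_AGENT" "$home/$IMULER_PLIST"
    # Succeed only if nothing is left behind.
    ! imuler_artifacts_present "$home"
}
```

Run it as `imuler_remove "$HOME"` for the affected account; a non-zero exit means one of the files survived and the removal should be repeated after confirming the process is gone.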


Protection

Protect your Mac against threats with F-Secure Anti-Virus for Mac.

Additional Details

Backdoor:OSX/Imuler.A is downloaded onto a system by Trojan-Dropper:OSX/Revir.A.


Activity

Upon execution, the backdoor drops a copy of itself to the following location:

  • /users/%user%/library/LaunchAgents/checkvir

It creates the following launch point:

  • /users/%user%/library/LaunchAgents/checkvir.plist

It then contacts a remote server (the Command and Control, or C&C, server) for instructions. The URL it requests is built as follows:

  • h t t p://www.tekli[...].org/users/%host_id%/xnocz1

    • where %host_id% is the concatenation %user%%pad%%mac%:

      • %user% - The account name of the infected user
      • %pad% - A series of "X" characters to make %host_id% 20 characters long
      • %mac% - MAC address of the machine
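The %host_id% construction above, as an added example (not code from the page or from the malware): one function builds the 20-character identifier from a user name and MAC address, another flags proxy log lines whose request path has the /users/%host_id%/xnocz1 shape, which is useful for hunting beacons in web logs even though the C&C server itself is blocked. Two details the page does not state are assumed: the MAC address is used as 12 hex digits with no separators (otherwise it would not fit in 20 characters alongside a user name), and a user name longer than the 8 characters that leaves room for is truncated. The server name is elided on the page, so the sample log lines below, which are constructed, use a placeholder host.

```sh
#!/bin/sh
# Added example for the Imuler.A C&C URL pattern (not F-Secure's code).
# Formula from the page: %host_id% = %user% + "X" padding + %mac%, 20 chars.

# imuler_host_id USER MAC
# Prints the 20-character host_id.
imuler_host_id() {
    user="$1"
    # Normalise "00:11:22:33:44:55" or "00-11-22-33-44-55" to 001122334455
    # (separator-free lowercase hex is an assumption, not stated on the page).
    mac=$(printf '%s' "$2" | tr -d ':-' | tr 'A-F' 'a-f')
    # Truncating an over-long user name is an assumption.
    user=$(printf '%.8s' "$user")
    pad_len=$(( 20 - ${#user} - ${#mac} ))
    pad=""
    while [ "$pad_len" -gt 0 ]; do
        pad="${pad}X"
        pad_len=$(( pad_len - 1 ))
    done
    printf '%s%s%s\n' "$user" "$pad" "$mac"
}

# imuler_beacons [LOGFILE]
# Prints log lines whose request path looks like /users/<20 chars>/xnocz1.
# Matches on the path only, so the same beacon on a different host name
# is caught too. Reads stdin when no file is given.
imuler_beacons() {
    grep -E '/users/[^/[:space:]]{20}/xnocz1([^[:alnum:]]|$)' ${1:+"$1"}
}

# Constructed sample proxy log (not real traffic). The host names are
# placeholders; the page only shows www.tekli[...].org.
# Line 3 has the right path shape but a 3-character host_id, so it is
# not flagged.
imuler_sample_log() {
    cat <<'EOF'
10.0.0.5 - - [01/Jan/2012:10:00:00 +0000] "GET http://www.example.invalid/users/aliceXXX001122334455/xnocz1 HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2012:10:00:01 +0000] "GET http://www.example.invalid/index.html HTTP/1.1" 200 5123
10.0.0.6 - - [01/Jan/2012:10:00:02 +0000] "GET http://cdn.example.invalid/users/bob/xnocz1 HTTP/1.1" 404 0
EOF
}
```

To hunt across a real proxy log, run `imuler_beacons /var/log/proxy.log`; to confirm a hit belongs to a specific machine, compare the identifier in the path against `imuler_host_id <user> <mac>` for that host.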

At the time of writing, the server does not return any instructions. Depending on the instructions received, the backdoor is capable of performing the following actions:

  • Collect files to an archive, then upload it to the C&C
  • Capture an image of the computer screen, then upload it to the C&C

Our Browsing Protection blocks the C&C server.