Backdoor:OSX/Olyx.A connects to a remote server to receive further instructions, without knowledge or permission from the user.
Disinfection & Removal
- Open Activity Monitor, select the startp process and click Quit Process
- Open Terminal then execute the following:
- sudo rm -f "/Library/Application Support/google/startp"
- sudo rm -f ~/Library/LaunchAgents/www.google.com.tstart.plist
- sudo rm -f /tmp/google.tmp
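The manual steps above can be turned into a small audit-and-cleanup helper. This is an added example, not a tool from the original description: the three file paths are the ones listed above, while the function names, the root/home parameters (which let the check run against a staged directory tree instead of the live system) and the pkill/launchctl handling are this example's own assumptions.

```shell
# Added example (not part of the original description): audit a macOS host for
# the Olyx.A file artifacts listed above and, on request, remove them.
# $1 = filesystem root ("" on a live host), $2 = home directory whose
# LaunchAgents folder is checked (defaults to $HOME).

olyx_set_paths() {
    olyx_root="${1:-}"
    olyx_home="${2:-$HOME}"
    # Paths taken from the description; note the space in "Application Support".
    OLYX_DROPPER="$olyx_root/Library/Application Support/google/startp"
    OLYX_LAUNCHPOINT="$olyx_home/Library/LaunchAgents/www.google.com.tstart.plist"
    OLYX_TMPFILE="$olyx_root/tmp/google.tmp"
}

# Report each artifact that exists. Exit status is the number of artifacts
# found, so 0 means none of the listed indicators are present.
olyx_scan() {
    olyx_set_paths "$1" "$2"
    olyx_found=0
    for p in "$OLYX_DROPPER" "$OLYX_LAUNCHPOINT" "$OLYX_TMPFILE"; do
        if [ -e "$p" ]; then
            echo "FOUND: $p"
            olyx_found=$((olyx_found + 1))
        fi
    done
    return "$olyx_found"
}

# Remove whichever artifacts exist. The launch agent is unloaded first so
# launchd forgets the job; launchctl only exists on macOS, so it is optional.
olyx_remove() {
    olyx_set_paths "$1" "$2"
    if [ -e "$OLYX_LAUNCHPOINT" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$OLYX_LAUNCHPOINT" >/dev/null 2>&1 || true
    fi
    for p in "$OLYX_DROPPER" "$OLYX_LAUNCHPOINT" "$OLYX_TMPFILE"; do
        if [ -e "$p" ]; then
            rm -f "$p" && echo "REMOVED: $p"
        fi
    done
}

# Live-host entry points; with no argument the script only defines functions.
case "${1:-}" in
    scan)
        olyx_scan "" "$HOME" && echo "No Olyx.A artifacts found." ;;
    remove)
        # Stop the running component before deleting its files
        # (run with sudo, since /Library and /tmp are root-owned).
        pkill -x startp 2>/dev/null || true
        olyx_remove "" "$HOME" ;;
esac
```

Run `sh olyx.sh scan` as the affected user first; a non-zero exit status means at least one indicator is present. When running the removal under sudo, pass the user's own home directory explicitly if `$HOME` no longer points at it, otherwise the LaunchAgents plist in the user's folder is not checked.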
On installation, the malware drops and executes the following:
- /Library/Application Support/google/startp
This component connects to a hard-coded IP address (located in Korea) to get additional commands.
The following launchpoint is created for the dropped file:
- ~/Library/LaunchAgents/www.google.com.tstart.plist
The trojan also replaces the following file with a copy of itself: