Backdoor:OSX/Imuler.A contacts a remote server for instructions; it may then steal files or capture a screenshot of the infected computer system, which is then forwarded to the remote server.
Allow the F-Secure security product to remove the relevant files.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Backdoor:OSX/Imuler.A may be variously dropped or installed onto a system by variants in the Trojan-Dropper:OSX/Revir family.
Upon execution, the backdoor drops a copy of itself to the following location:
It creates the following launch point:
It also creates the following file, containing its Command and Control, or C&C, server:
The malware downloads a command line tool from the external site
Note: As of this writing, %server% can be any of the following -
The downloaded file is then saved as:
The malware obtains the external IP address and current time by connecting to the following URLs:
It collects system information, then uploads the collected information to the following location:
Collected information includes the following:
The malware then makes a HTTP POST request containing the%botid% to the following URLs, presumably to report that the infected host is ready to receive commands:
The malware contacts a remote server (the C&C server) to get its instructions. The URL is based on the following formula:
Based on the instructions received, the backdoor is capable of performing the following actions:
After receiving the commands, the malware makes a HTTP HEAD request the to following URL, presumably to report that the infected host has successfully receive the commands: