Backdoor:OSX/Imuler.B contacts a remote server for instructions; it may then steal files or capture a screenshot of the infected computer system, which is later forwarded to the remote server.
The F-Secure security product will automatically remove the file.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
Backdoor:OSX/Imuler.B may be variously dropped or installed onto a system by variants in the Trojan-Dropper:OSX/Revir family.
Upon execution, the backdoor drops a copy of itself to the following location:
It creates the following launch point:
It also creates the following file, containing its Command and Control, or C&C, server:
The malware obtains the external IP address and current time by connecting to the following URLs:
It collects system information, then uploads the collected information to the following location:
Collected information includes the following:
The malware then makes a HTTP POST containing the%botid% to the following URL, presumably to associate the bot to the previous session:
The malware then checks if there is a Wireshark process that is running. It will skip the rest of its routine if found. Otherwise, it makes another HTTP POST containing the%botid% to the following URL, presumably to report that the infected host is ready to receive commands:
Note: In the analyzed sample,%server% waswww.ouchmen.com
The malware contacts a remote server (the C&C server) to get its instructions. The URL is based on the following formula:
Based on the instructions received, the backdoor is capable of performing the following actions:
After receiving the commands, the malware makes a HTTP HEAD request the to following URL, presumably to report that the infected host has successfully receive the commands: