Backdoor:OSX/iWorkServ.A is a trojan backdoor that installs itself on Mac OSX computers.
The F-Secure security product will automatically remove the file.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
iWork is a suite of productivity applications created by Apple Inc.
The legitimate trial version of iWork can be downloaded from:
There are illegitimate copies of iWork 2009 distributed on file sharing sites.
Some of these illegitimate copies contain a malicious backdoor with peer-to-peer functionality.
The backdoor uses a file called iWorkServices and is part of the installer package. This file is detected as iWorkServ.A.
Based on the code the file should install itself to:
It does so with equivalent - read+write+execute attribute.
Upon execution, the backdoor checks if it is run as administrator(sudo mode) by using "_geteuid" and "_getpwuid" API and then testing the output for "root".
If it is not executed with sudo rights, it will just exit.
It checks if the file is executed with a filename of "iWorkServices". If it doesn't it will delete the file "/tmp/.iWorkServices". It then create the following files:
The iWorkServices files are copies of itself.
The "StartupParameters.plist" file contains the following data:
It may attempt to connect to the following:
An attacker is capable of downloading and/or executing files using the following P2P commands: