Backdoor:OSX/MacKontrol.A connects to a remote server to receive further instructions, without the knowledge or permission from the user.
Manual Removal Instructions
- 1. Open Activity Monitor, select launched, and click Quit Process.
- 2. Open Terminal, then execute the following:
- rm /Library/launched
- rm ~/Library/LaunchAgents/com.apple.FolderActionsxl.plist
MacKontrol.A is dropped into the system by malicious Word documents that exploit the vulnerability identified by CVE-2009-0563.
The malware drops the following copy of itself:
It creates the following launchpoint for the file above:
The malware connects tofreetibet2012[...].xicp.com[...] to obtain additional commands.
It is capable of performing the following actions:
- Deleting files
- Terminating processes
- Getting system info, such as system version, username, hostname, etc.
- Getting process lists
- Opening remote shell
- Listing files
- Uploading, downloading and executing files
- Removing launchpoint