Backdoor:OSX/Olyx.B connects to a remote server to receive further instructions, without the knowledge or permission from the user.
Manual Removal Instructions
- 1. Open Activity Monitor, select AudioServer, and click Quit Process.
- 2. Open Terminal, then execute the followings:
- rm /Library/Audio/Plug-Ins/AudioServer
- rm ~/Library/LaunchAgents/com.apple.DockActions.plist
The malware drops the following copy of itself:
It creates the following launchpoint for the file above:
The malware connects to a remote server to obtain additional commands. The server varies between samples. As of this writing, there are two known servers:
The backdoor is capable of performing the following actions:
- Downloading and uploading files
- Executing shell commands