Worm:OSX/Inqtana.A is a Java based proof of concept bluetooth worm that affects OSX 10.4 (Tiger) systems that have not been patched against vulnerability CAN-2005-1333.
Inqtana.A has not been met in the wild and has internal counter that prevents it's operation after 24. February 2006. So it is unlikely that this variant would be a threat to Mac Users.
Patch your system by getting updates from Apple.
Delete following files:
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Inqtana.A arrives to victim system as OBEX Push request, requiring user to accept the data transfer. When the transfer is done Inqtana.A uses directory traversal exploit to copy it's files so that it starts automatically on next reboot.
On reboot the Inqtana.A will activate and look for devices that accept OBEX Push transfers and try to send itself to those devices.
OSX/Inqtana.A affects only Mac OSX 10.4, if you use 10.4 make sure that you have installed latest OS updates from Apple.
When Inqtana.A replicates over bluetooth it tries to send three files to any device it finds over bluetooth that supports OBEX push:
The files are pushed with three separate OBEX Push requests which user has to accept, if user accepts the push requests the files copied to special locations using CAN-2005-1333 directory traversal exploit.
The files com.openbundle.plist and com.pwned.plist are dropped into location from where they are called during system startup. The openbundle.plist will unpack the worm components and com.pwned.plist executes the worm main binary.
F-Secure Total is a security suite that protects all your phones and computers in real time, 24/7 and with award-winning accuracy. Read more about Total and try it free for 30 days, no credit card required.