Threat Description

Worm: OSX/Tored.A

Details

Category: Malware
Type: Worm
Platform: OSX
Aliases: OSX.Worm.Tored.A, Email-Worm.OSX.Tored.a, OSX/Tored-Fam (Sophos), Backdoor:MacOS/Tored.A (Microsoft)

Summary

Worm:OSX/Tored.A is a worm that propagates through infected e-mail messages and can also act as a backdoor and keylogger.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The Tored worm is compiled with RealBasic and contains functions related to the glink terminal emulator.

Installation

Tored.A distributes copies of itself in infected e-mails. The e-mails have the following characteristics:

The "Subject" text is:

  • For Mac OS X ! :(If you are not on Mac please transfer this mail to a Mac and sorry for our fault :)

The "From" field is:

  • AppleFu(2 random letters)cker@mail.(random letters)

The body text can be any of the following:

  • Hi
  • Hey
  • Hello
  • y0
  • Selem alaykom
  • Friend ! :) ,
  • friend
  • dude
  • man
  • you
  • fucky :D , just kidding,so
  • wassup ?
  • how it is going
  • I missed you ! ^^
  • what is up there?
  • what is new ?
  • how are you
  • sup?
  • Traducting and decrypting message .... :
  • Traducting and decrypting message .... :Sir , Your Text !
  • Traducting and decrypting message .... :Error For Sending ,It Is Important to Get Your Data
  • Traducting and decrypting message .... :Chek It
  • Traducting and decrypting message .... :Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement
  • Traducting and decrypting message .... :Check
  • Traducting and decrypting message .... :Your Identidie Has Been ....Chek Attchement For More Information
  • Traducting and decrypting message .... :You Has Been Comprimased , updating tools are as an attachement !
  • Traducting and decrypting message .... :Credi Money Has Been Sent As A Binary File for thanks for the updating, Chek
  • Traducting and decrypting message .... :New update tools
  • Traducting and decrypting message .... :Chek your update application !
  • Traducting and decrypting message .... :Your information was ...

Once executed, the worm copies itself to the startup items folder so that it runs automatically at each system startup.

The worm also checks for any virtual volumes mounted on the infected machine.

Activity

On execution, Tored.A listens on TCP port 9999.

If it succeeds in establishing a remote connection, it can then perform the following actions:

  • Update itself
  • Perform DDoS attacks
  • Send spam
  • Download and execute additional files
  • Bot functionalities
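To check a Mac for the listener described above, the following added Python example (not F-Secure's code and not part of the original description) parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and reports any process bound to TCP port 9999, whatever the process calls itself. The sample lsof lines, the process name "Tored" and the PIDs are constructed for the example.

```python
import re

# Constructed sample in the column layout of `lsof -nP -iTCP -sTCP:LISTEN` on
# macOS. These lines were made up for this example; nothing here was captured
# from an infected system, and the process name "Tored" is a placeholder.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1 root   10u  IPv6 0x1a2b3c4d5e6f0001      0t0  TCP *:22 (LISTEN)
Tored       742 alice   5u  IPv4 0x1a2b3c4d5e6f0002      0t0  TCP *:9999 (LISTEN)
python3    1203 alice   3u  IPv4 0x1a2b3c4d5e6f0003      0t0  TCP 127.0.0.1:8000 (LISTEN)
"""

# Port the description says Tored.A listens on.
TORED_PORT = 9999

# One lsof row: command, pid, user, then anything up to the "TCP addr:port (LISTEN)" tail.
LISTEN_RE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?"
    r"TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)


def parse_listeners(lsof_output):
    """Parse lsof LISTEN rows into dicts; the header row and unparsable lines are skipped."""
    listeners = []
    for line in lsof_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append({
                "command": m["command"],
                "pid": int(m["pid"]),
                "user": m["user"],
                "addr": m["addr"],   # "*" means bound on all interfaces
                "port": int(m["port"]),
            })
    return listeners


def find_tored_listeners(lsof_output, port=TORED_PORT):
    """Return every listener bound to the Tored.A port, regardless of process name."""
    return [entry for entry in parse_listeners(lsof_output) if entry["port"] == port]


if __name__ == "__main__":
    for hit in find_tored_listeners(SAMPLE_LSOF):
        print(f"pid {hit['pid']} ({hit['command']}, user {hit['user']}) "
              f"listens on {hit['addr']}:{hit['port']}")
```

On a live host, pass the real command output (for instance from `subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"], capture_output=True, text=True).stdout`) to `find_tored_listeners` instead of `SAMPLE_LSOF`. A listener on port 9999 is a pivot, not a verdict: confirm by examining the binary behind the reported PID and the startup items folder the description names.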

Once connected, Tored.A can also forward system information to the malware author(s), such as:

  • IP address
  • MAC address and subnet, together with the text "Infected and boted by OSX.Raedbot.B++"

Tored.A also queries the Keychain application and can perform the following operations:

  • Get an attribute
  • Get an item
  • Lock and unlock an item
  • Delete an item

Propagation

To find e-mail addresses to send its messages to, Tored.A queries the local Address Book and retrieves the following information:

  • Contact
  • Group
  • Jobtitle
  • Bday
  • PhoneNumbers
  • Homepage
  • EmailAddresses
  • AIMScreenNames
  • JabberScreenNames
  • MSNScreenNames
  • YahooScreenNames
  • ICQNumbers

The worm uses its own SMTP engine to send e-mail to the harvested addresses. To perform its mass-mailing, the worm connects to the following SMTP servers:

  • smtp.9online.fr
  • mail.club-internet.fr
  • mail.diligo.fr
  • smtp.free.fr
  • smtp.infonie.fr
  • smtp.libertysurf.fr
  • smtp.nerim.fr
  • mail.cybercable.fr
  • mail.oreka.com
  • smtp.wanadoo.fr
  • mail.worldnet.fr
  • smtp.laposte.net

Once connected, it sends e-mails with the following characteristics:

The "From" field can be any of the following:

  • br@fh.tn
  • av@av.tn
  • fucker@fuck.fu
  • ser@jhfd.it
  • Ma@ry.am
  • apple@service.tn

The "Subject" text can be any of the following:

  • Hi , Chek
  • Sir , Your Text !
  • Error For Sending ,It Is Important to Get Your Data
  • Chek It
  • Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement
  • Check
  • Your Identidie Has Been ....Chek Attchement For More Information
  • You Has Been Comprimased , Chek !
  • Credi Money Has Been Sent As A Binary File , Chek
  • New porn tools
  • Chek your XXX application !
  • Your information was ...
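As an added example that is not part of F-Secure's description, the following Python matches a message's From and Subject headers against the indicators listed on this page: the installation-stage subject and sender pattern given under Installation, and the propagation-stage senders and subjects given in this section. The sample messages, the sender domain `mail.example` and the function names are assumptions made for the example; the indicator strings are copied verbatim from the description.

```python
import email
import re
from email.utils import parseaddr

# Indicators transcribed from the Tored.A description. The installation-stage
# message has one fixed subject and a semi-random sender; the propagation-stage
# messages draw from a small pool of senders and subjects.
INSTALL_SUBJECT = ("For Mac OS X ! :(If you are not on Mac please transfer this "
                   "mail to a Mac and sorry for our fault :)")
# Page gives the sender as "AppleFu(2 random letters)cker@mail.(random letters)";
# the sender is lower-cased before matching, so the pattern is lower-case too.
INSTALL_FROM_RE = re.compile(r"^applefu[a-z]{2}cker@mail\.[a-z]+$")

PROPAGATION_FROM = {"br@fh.tn", "av@av.tn", "fucker@fuck.fu",
                    "ser@jhfd.it", "ma@ry.am", "apple@service.tn"}
PROPAGATION_SUBJECTS = {
    "Hi , Chek",
    "Sir , Your Text !",
    "Error For Sending ,It Is Important to Get Your Data",
    "Chek It",
    "Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement",
    "Check",
    "Your Identidie Has Been ....Chek Attchement For More Information",
    "You Has Been Comprimased , Chek !",
    "Credi Money Has Been Sent As A Binary File , Chek",
    "New porn tools",
    "Chek your XXX application !",
    "Your information was ...",
}
# Subjects a legitimate sender plausibly uses: reported, but never acted on alone.
GENERIC_SUBJECTS = {"Check"}


def _normalise(text):
    """Collapse folded-header whitespace so string comparisons are exact."""
    return " ".join(text.split())


def match_tored(raw_message):
    """Return the Tored.A indicators matched by a message's From and Subject headers."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = _normalise(msg.get("Subject", ""))
    hits = []
    if INSTALL_FROM_RE.match(sender):
        hits.append("install-from")
    if subject == INSTALL_SUBJECT:
        hits.append("install-subject")
    if sender in PROPAGATION_FROM:
        hits.append("propagation-from")
    if subject in PROPAGATION_SUBJECTS:
        hits.append("generic-subject" if subject in GENERIC_SUBJECTS else "propagation-subject")
    return hits


def is_tored_candidate(raw_message):
    """True when at least one non-generic indicator matched."""
    return any(hit != "generic-subject" for hit in match_tored(raw_message))


# Constructed sample messages for the walkthrough; none is a captured sample.
SAMPLE_MESSAGES = {
    "install": ("From: AppleFuxycker@mail.example\nTo: victim@example.invalid\n"
                "Subject: For Mac OS X ! :(If you are not on Mac please transfer "
                "this mail to a Mac and sorry for our fault :)\n\nHi\n"),
    "propagation": ("From: apple@service.tn\nTo: victim@example.invalid\n"
                    "Subject: Chek It\n\nTraducting and decrypting message .... :\n"),
    "benign_check": ("From: colleague@example.invalid\nSubject: Check\n\n"
                     "Did you see the report?\n"),
    "benign": "From: colleague@example.invalid\nSubject: Lunch?\n\nNoon?\n",
}


def scan_mailbox(messages):
    """Map each flagged message name to the indicators it matched."""
    return {name: match_tored(raw) for name, raw in messages.items()
            if is_tored_candidate(raw)}


if __name__ == "__main__":
    for name, hits in scan_mailbox(SAMPLE_MESSAGES).items():
        print(f"{name}: {', '.join(hits)}")
```

The body greetings listed under Installation ("Hi", "Hey", "dude", ...) are deliberately not used: they match ordinary mail and would only add noise. For the same reason the subject "Check" is reported as a generic hit but never flags a message by itself.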

Description Created: 2009-05-06 06:17:00.0

Description Last Modified: 2009-08-19 10:49:29.0

