OS X Worm discovered: “Oompa-Loompa” (aka “OSX/Oomp-A”)

Full discussion is available at MacInTouch (timely news and tips about the Apple Macintosh).

A file called “latestpics.tgz” was posted on a Mac rumors web site http://www.macrumors.com/ , claiming to be pictures of “MacOS X Leopard” (an upcoming version of MacOS X, aka “MacOS X 10.5”). It is actually a Trojan (or arguably, a very non-virulent virus). We’ll call it “Oompa-Loompa” (aka “OSX/Oomp-A”) for reasons that will become obvious. [...]

You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the “latestpics.tgz” file

2) Double-click on the file to decompress it

3) Double-click on the resulting file to “open” it

and then for most users, you must also enter your Admin password.
 
You cannot simply “catch” the virus. Even if someone does send you the “latestpics.tgz” file, you cannot be infected unless you unarchive the file, and then open it. [...]
 
If you are a programmer, attached is the disassembly of the executable (it’s just a plain text file) for your reading pleasure. This is just the main executable portion of the code, not the embedded “apphook” InputManager code.

Symantec Security Response: OSX.Leap.A
OSX.Leap.A is a worm that runs on the Macintosh OS X and spreads via the iChat Instant Messenger program.

Also Known As: OSX/Leap-A [Sophos], CME-4, OSX/Leap [McAfee]

Type: Worm
Systems Affected: Macintosh OS X
Technical details:
Symantec Security Response is currently investigating this threat and will post more information as it becomes available.

First ever virus for Mac OS X discovered

OSX/Leap-A worm spreads via iChat instant messaging software
 
Experts at SophosLabs, Sophos’s global network of virus, spyware and spam analysis centers, have announced the discovery of the first virus for the Apple Mac OS X platform. The virus, named OSX/Leap-A (also known as OSX/Oompa-A), spreads via instant messaging systems.
 
The OSX/Leap-A worm spreads via the iChat instant messaging system, forwarding itself as a file called latestpics.tgz to contacts on the infected users’ buddy list. When the latestpics.tgz archive file is opened on a computer it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.
 
The worm uses the text “oompa” as an infection marker in the resource forks of infected programs to prevent it from reinfecting the same files.
...
 
Sophos customers have been automatically protected against the worm since 12:25 GMT, 16 February 2006.
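A read-only check for the infection marker the Sophos note describes, as an added example that is not from the original post or from any of the vendors quoted here. It assumes the marker is the literal ASCII text "oompa" stored in the resource fork of an infected program, that Mac OS X exposes that fork through the `..namedfork/rsrc` pseudo-path, and that the programs of interest are Mach-O binaries; it only reports matches and changes nothing.

```python
#!/usr/bin/env python3
"""Scan a directory tree for Mach-O programs whose resource fork carries the
"oompa" marker that OSX/Leap-A leaves behind (assumptions stated above)."""
import os
import sys

MARKER = b"oompa"  # infection marker quoted in the Sophos description

# Mach-O magic numbers: 32-bit and 64-bit in both byte orders, plus the
# universal (fat) header.  Note 0xcafebabe is also the Java class magic, so
# a hit here is a "looks like a program" filter, not proof of a Mach-O file.
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def resource_fork_path(path: str) -> str:
    """Pseudo-path of a file's resource fork on Mac OS X (assumed HFS+ syntax)."""
    return os.path.join(path, "..namedfork", "rsrc")


def is_macho_header(head: bytes) -> bool:
    """True if the first four bytes look like a Mach-O or fat binary header."""
    return head[:4] in MACHO_MAGICS


def fork_has_marker(fork_bytes: bytes) -> bool:
    """True if the resource fork contents contain the literal marker text."""
    return MARKER in fork_bytes


def scan(root: str):
    """Yield paths under root that are Mach-O files with the marker in their fork."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    if not is_macho_header(f.read(4)):
                        continue
                with open(resource_fork_path(path), "rb") as f:
                    fork = f.read()
            except OSError:
                continue  # unreadable, or no resource fork: nothing to check
            if fork_has_marker(fork):
                yield path


if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print("marker found:", hit)
```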

