Over 600,000 Apple Mac computers running OS X have been infected with a Flashback Trojan virus called BackDoor.Flashback.39.
Doctor Web, a Russian antivirus company, first reported on Thursday that 550,000 Mac OS X machines were infected with the Flashback Trojan virus, most of which were in the United States and Canada. However, that number grew to over 600,000, according to the Twitter account of Dr. Web malware analyst Sorokin Ivan.
Much to the dismay of Mac users, whose machines have a reputation for not getting infected with viruses, 56.6 percent of Macs with the Trojan were in the U.S., with less than 20 percent in both Canada and the UK.
This once again refutes claims by experts that there are no cyber-threats to Mac OS X, Doctor Web said.
The virus, called Trojan BackDoor.Flashback, appears on machines with an unknown language and can enter Macs without requiring a password. According to Dr. Web, users are redirected to a bogus site from a compromised resource or via a traffic distribution system. Links embedded in Google Search Engine Results Page (SERP) exploit three Java components in Mac OS X and cause the machine to become infected with BackDoor.Flashback.39.
But how can you tell if your Mac has been infected with the Flashback Trojan virus? Here is a guide from F-Secure on how to determine if you have the virus, along with removal instructions. However, F-Secure notes that the manual method of getting rid of the virus is tricky and should only be completed by advanced users.
- 1. Run the following command in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
- 2. Take note of the value, DYLD_INSERT_LIBRARIES
- 3. Proceed to step 8 if you got the following error message:
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
- 4. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
- 5. Take note of the value after __ldpath__
- 6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
- 7. Delete the files obtained in steps 2 and 5
- 8. Run the following command in Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
- 9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
- 10. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
- 11. Take note of the value after __ldpath__
- 12. Run the following commands in Terminal:
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES
- 13. Finally, delete the files obtained in steps 9 and 11.
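
The detection half of the steps above (1-5 and 8-11) can be run as a single read-only check that reports what it finds and deletes nothing. This script is an added example, not part of F-Secure's guide; the function names are hypothetical, and the layout of the `defaults read` dictionary output (`KEY = "value";`) is an assumption.

```shell
#!/bin/sh
# Read-only Flashback check covering steps 1-5 and 8-11. It only reports.
# Added example: function names are hypothetical, not from F-Secure's guide.

SAFARI_PLIST=/Applications/Safari.app/Contents/Info   # domain used in step 1
USER_ENV="$HOME/.MacOSX/environment"                  # domain used in step 8

# Steps 4 and 10: print the printable text that follows each __ldpath__
# marker inside a (binary) file. Prints nothing if the file is missing.
ldpath_of() {
    [ -f "$1" ] || return 0
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" | sed 's/^__ldpath__//'
}

# Step 2: extract the DYLD_INSERT_LIBRARIES value from the LSEnvironment
# dictionary read on stdin (assumed layout: KEY = "value"; quotes optional).
dyld_value() {
    sed -n 's/^[[:space:]]*"\{0,1\}DYLD_INSERT_LIBRARIES"\{0,1\}[[:space:]]*=[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*$/\1/p'
}

# Report one location: $1 = label, $2 = library path (empty if none found).
report() {
    [ -n "$2" ] || { echo "$1: no DYLD_INSERT_LIBRARIES entry"; return 0; }
    echo "$1: injected library $2"
    ldpath_of "$2" | while IFS= read -r p; do
        echo "$1: __ldpath__ -> $p"
    done
}

check_flashback() {
    # Steps 1-5: library injected into Safari through its Info.plist.
    lib=$(defaults read "$SAFARI_PLIST" LSEnvironment 2>/dev/null | dyld_value)
    report "Safari" "$lib"
    # Steps 8-11: library injected through the per-user environment file.
    lib=$(defaults read "$USER_ENV" DYLD_INSERT_LIBRARIES 2>/dev/null)
    report "User environment" "$lib"
}

# Run the check only where the OS X `defaults` tool is available.
if command -v defaults >/dev/null 2>&1; then
    check_flashback
fi
```

Any path the script prints corresponds to a file named in steps 7 and 13; the removal commands themselves are left to be run by hand as listed above.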