Worm.Mac.Opener.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Worm.Mac.Opener.A is also known as Worm:MacOS/Opener.G, SH/Renepo.A, Worm/Mac.Opener.A.2, MAC/Opener.A.

Explanation:

This malware is a malicious shell script. Because it needs administrator rights to run successfully, it must be opened accidentally by an administrator user or launched by a piece of malware that is already present on the machine.

Once executed, it takes the following actions:
* copy itself into "/System/Library/StartupItems"
* add an entry to StartupParameters.plist so that it runs at OS startup
* copy the startup script to mounted startup volumes
* disable System Accounting
* disable the OS X firewall
* disable Software Update
* download and install ohPhoneX (video conferencing software)
* disable LittleSnitch (firewall software)
* change the access rights of the hostconfig, ssh and cron files so that any user can write to them
* turn on File Sharing
* turn on remote login
* turn on Windows Sharing (samba)
* collect user information such as: public and private IP addresses, the names of the accounts on the computer, OS X version, uptime, Open Firmware password
* get the password files for: OSXvnc, Mail, the web server keychain, Windows shared printers, samba, netinfo
* modify LimeWire settings
* download and install John the Ripper (password cracking software)
* download and install dsniff (password sniffing software)
* create a hidden admin account named "LDAP-daemon"
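The following audit script is an added example, not part of the BitDefender record: pointed at a volume root (/ or a mounted startup volume), it reports the artifacts listed above that survive on disk, namely the StartupItems copy, the world-writable hostconfig/ssh/cron files and the "LDAP-daemon" account. The exact file names under /etc and the account-list file format are assumptions.

```shell
#!/bin/sh
# Offline audit for the on-disk artifacts attributed to Worm.Mac.Opener.A.
# Added example; the /etc file names below are assumptions, so review hits.

opener_check_startupitems() {
  # The worm copies itself under StartupItems and registers in
  # StartupParameters.plist; every item here is listed for manual review.
  dir="$1/System/Library/StartupItems"
  [ -d "$dir" ] || return 0
  for item in "$dir"/*; do
    [ -e "$item" ] || continue
    if [ -f "$item/StartupParameters.plist" ]; then flag="has-plist"; else flag="no-plist"; fi
    printf 'startupitem: %s (%s)\n' "$(basename "$item")" "$flag"
  done
}

opener_check_world_writable() {
  # hostconfig, the ssh configuration and crontab are made world-writable.
  # Character 9 of the ls mode string (e.g. -rw-rw-rw-) is the others-write bit.
  for f in "$1/etc/hostconfig" "$1/etc/ssh_config" "$1/etc/sshd_config" "$1/etc/crontab"; do
    [ -e "$f" ] || continue
    mode=$(ls -ld "$f" | cut -c9)
    if [ "$mode" = "w" ]; then printf 'world-writable: %s\n' "$f"; fi
  done
}

opener_check_accounts() {
  # $1 is a file with one account name per line (assumed to be saved output
  # of `dscl . -list /Users`); the worm adds an admin called LDAP-daemon.
  if grep -x 'LDAP-daemon' "$1" >/dev/null 2>&1; then
    printf 'hidden-admin: LDAP-daemon\n'
  fi
}

opener_audit() {
  # $1 = volume root, $2 = optional account-list file. One finding per line;
  # no output means none of the described artifacts were found.
  opener_check_startupitems "$1"
  opener_check_world_writable "$1"
  if [ -n "${2:-}" ]; then opener_check_accounts "$2"; fi
}

# Usage: . ./opener_audit.sh; opener_audit /Volumes/Suspect /tmp/accounts.txt
```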

Last update 21 November 2011
