MacTech Alert:
Information on Mac OS X Trojan Horse

There’s a been a lot of hoopla about the “first” Trojan Horse on Mac OS X.
As those that have been around the industry for years know, this is not the
first infection on the Mac, but the Mac is well known for not being ladened
with virus, malware, adware, trojan horses, and worms.

As first reported by readers of MacRumors.com, and discussed with great
detail on Ambrosia Software’s web site at:

(http://www.ambrosiasw.com/forums/index.php?showtopic=102379)

a file called “latestpics.tgz” was posted, claiming to be pictures of “Mac
OS X Leopard.” For those of you that don’t know, Leopard is the code name
for the next major release of Mac OS X, version 10.5.

Most in the industry are calling this a trojan horse, but some are calling
it a virus (although it’s non-virulant.) It has been nick-named the
“Oompa-Loompa” (aka “OSX/Oomp-A”) for because it is checking for the
attribute “oompa.” It’s also being called “OSX/Leap-A” or “OSX/Leap”.

What is important to know about this trojan horse is that it’s not
particularly easy to catch, and you should not panic. As Andrew Welch at
Ambrosia Software describes:

You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the
“latestpics.tgz” file

2) Double-click on the file to decompress it

3) Double-click on the resulting file to “open” it

…and then for non-Admin users, it fails to infect most applications.

OSX/Leap-A will require an administrator password if you are not running as
an administrator.

You cannot simply “catch” the virus. Even if someone does send you the
“latestpics.tgz” file, you cannot be infected unless you un-archive the
file, and then open it.

Symantec has a very detailed look at what the virus looks like, and what
happens when you open it at:
(http://securityresponse.symantec.com/avcenter/venc/data/osx.leap.a.html#technicaldetails)

Anti-virus maker Sophos has a description of OSX/Leap-A (which they term a
virus) on their web site at:
(http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html)

Like the others, Intego, makers of VirusBarrier, has already updated their
software and has a FAQ posted to their site at:
(http://www.intego.com/news/pr77.asp)

And last, but not least, McAfee has updated their software and talks of the
characteristics of OSX/Leap at (http://vil.nai.com/vil/content/v_138595.htm)

As reported by MacCentral, Apple commented with a statement “Leap-A is not
a virus, it is malicious software that requires a user to download the
application and execute the resulting file,” said Apple. “Apple always
advises Macintosh users to only accept files from vendors and Web sites
that they know and trust. We have a guide to safely handling files received
from the Internet at
(http://docs.info.apple.com/article.html?artnum=108009).”