INTEGO SECURITY MEMO – NOVEMBER 06, 2006
OSX.MACHARENA.A VIRUS

Virus: OSX.MachArena.A virus (aka OSX.Macarena)
Discovered: November 2, 2006
Risk: Very low

Description: This proof-of-concept virus, which has not yet been seen
in the wild, was published on a hacker Web site. The virus can only
infect Intel-based OS X computers. It consists of a C source file, an
assembly-language ‘dropper’ file, and documentation that explains how
to create a virus that can infect Macintosh OS X binary files.
Compiling the source code creates two binaries: the OS X virus file
itself and the dropper. The dropper is intended to infect Mac OS X
binary files from a Windows installation on the current machine,
running either via Apple’s Boot Camp or via a virtualization
application such as Parallels Desktop for Mac. The virus only infects
Mach-O binary files, not Universal or PowerPC binaries. Mach-O (Mach
object file format) is the native file format used for executables by
Mac OS X’s Mach kernel. The virus does not carry a payload. When run,
it infects other executables in the current directory, regardless of
their name or extension.
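
As an added illustration (not Intego's code and not part of the memo), the following Python code sorts the files in a directory by executable format from their first eight bytes, separating thin Intel Mach-O files, the class the memo names, from Universal and PowerPC binaries. The function names are hypothetical; the magic and CPU-type constants are those of Apple's Mach-O headers.

```python
import struct
import sys
from pathlib import Path

# Constants from Apple's <mach-o/loader.h>, <mach-o/fat.h>, <mach/machine.h>.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE            # Universal ("fat") header, big-endian on disk
CPU_TYPE_X86, CPU_TYPE_POWERPC = 7, 18
CPU_BASE_MASK = 0x00FFFFFF        # strips the 64-bit ABI flag from cputype


def classify(header: bytes) -> str:
    """Classify a file from its first 8 bytes (hypothetical helper)."""
    if len(header) < 8:
        return "other"
    be_magic, be_word = struct.unpack(">II", header[:8])
    if be_magic == FAT_MAGIC:
        # Java .class files share this magic. Heuristic: a Universal header
        # carries a small architecture count here, a class file carries its
        # version number (major >= 45).
        return "universal" if 0 < be_word < 45 else "other"
    for endian in ("<", ">"):     # Intel files are little-endian, PowerPC big
        magic, cputype = struct.unpack(endian + "II", header[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            base = cputype & CPU_BASE_MASK
            if base == CPU_TYPE_X86:
                return "thin-intel"
            if base == CPU_TYPE_POWERPC:
                return "thin-powerpc"
            return "thin-other"
    return "other"


def scan_directory(directory: str) -> dict:
    """Map each regular file to its class, ignoring name and extension."""
    result = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            with path.open("rb") as fh:
                result[path.name] = classify(fh.read(8))
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, kind in scan_directory(target).items():
        print(f"{kind:13} {name}")
```

Files reported as thin-intel are the ones to prioritise when checking a directory against current virus definitions; the header check only identifies the file format and says nothing about whether a file has been modified.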

Means of protection: Intego VirusBarrier X and VirusBarrier X4
(http://www.intego.com/virusbarrier/), with virus definitions dated
November 3, 2006 or later, protect against this virus. VirusBarrier X
recognizes the virus and the dropper file under the names
OSX.MachArena.A and OSX.MachArena.Dropper.A.