Intego ( says it’s discovered a new Trojan
horse, OSX.Trojan.iServices.A, which copies of Apple’s iWork 09 found
on BitTorrent trackers and other sites containing links to pirated
software. The version of iWork 09, Apple’s productivity suite, are
complete and functional, but the installer contains an additional
package called iWorkServices.pkg.

When installing iWork 09, the iWorkServices package is installed. The
installer for the Trojan horse is launched as soon as a user begins
the installation of iWork, following the installer’s request of an
administrator password (in older versions of Mac OS X, 10.5.1 or
earlier, there will be no password request). This software is
installed as a startup item (in
/System/Library/StartupItems/iWorkServices, a location reserved
normally for Apple startup items), where it has read-write-execute
permissions for root.

Intego says the malicious software connects to a remote server over
the Internet; this means that a malicious user will be alerted that
this Trojan horse is installed on different Macs, and will have the
ability to connect to them and perform various actions remotely. The
Trojan horse may also download additional components to an infected

Intego is issuing this alert to warn Mac users not to download iWork
09 installers from sites offering pirated software. (As of 6 am
Eastern, at least 20,000 people have downloaded this installer.) The
risk of infection is serious, and users may face extremely serious
consequences if their Macs are accessible to malicious users, they

Intego VirusBarrier X4 and X5 with virus definitions dated January
22, 2009 or later protect against this Trojan horse. Intego
recommends that users never download and install software from
untrusted sources or questionable web sites.