{"id":5222,"date":"2012-07-24T17:29:04","date_gmt":"2012-07-25T00:29:04","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=5222"},"modified":"2023-03-13T13:55:09","modified_gmt":"2023-03-13T20:55:09","slug":"new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team\/","title":{"rendered":"New Apple Mac Trojan Called OSX\/Crisis Discovered"},"content":{"rendered":"

Intego has discovered a new Trojan called OSX\/Crisis<\/strong>. This threat is a dropper which creates a backdoor when it’s run. It installs silently, without requiring a password, and works only in OSX versions 10.6 and 10.7 \u2013 Snow Leopard and Lion. Update:<\/strong> This threat may run on Leopard 10.5, but it has a tendency to crash. It does not run on the new Mountain Lion 10.8.<\/p>\n

The Trojan preserves itself against reboots (i.e. it establishes persistence), so it will continue to run until it\u2019s removed. Depending on whether or not the dropper runs on a user account with Admin permissions, it will install different components. We have not yet seen if or how this threat is installed on a user’s system; it may be that an installer component will try to establish Admin permissions.<\/p>\n

If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. In either case, it creates a number of files and folders to complete its tasks. It creates 17 files when it\u2019s run with Admin permissions, 14 files when it\u2019s run without. Many of these are randomly named, but there are some that are consistent.<\/p>\n

With or without Admin permissions, this folder is created in the infected user’s home directory:<\/p>\n