{"id":6067,"date":"2012-09-21T11:28:55","date_gmt":"2012-09-21T18:28:55","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=6067"},"modified":"2016-02-12T10:32:04","modified_gmt":"2016-02-12T18:32:04","slug":"new-imuler-variant-found-steer-clear-of-your-dirty-pics","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/new-imuler-variant-found-steer-clear-of-your-dirty-pics\/","title":{"rendered":"New Imuler Variant Found–Steer Clear of “Your Dirty Pics”"},"content":{"rendered":"

Update – September 23, 2012<\/strong><\/p>\n

This Trojan is being targeted at Tibetan activists. It has been reported as being received in a threatening email with the following text:<\/p>\n

Subject:<\/em>
\n“F*** you [recipient name]<\/em>! I got your dirty naked photos.”<\/p>\n

Body:<\/em>
\n“F*** you A******! You are a stupid jerk!\u00a0 I got your dirty naked photos.
\nYou’d better take care of yourself and get out of my way.
\nUnderstand??
\nF*** off!!!!!!!!!!!”<\/p>\n

____<\/p>\n

Intego has discovered a new version of the Imuler Trojan horse, which was first discovered in September 2011<\/a>. Right now the risk is considered to be low \u2013 a sample of this malware was found on the VirusTotal website in a ZIP archive named \u201cyour dirty pics.zip.\u201d Inside the ZIP file is an application with an icon making it look like an image. If the file is run, it installs a backdoor without the need for an admin password.<\/p>\n

Below is a screenshot of the contents of the ZIP, which were housed in a file called “Your Dirt” (we took the liberty of covering the naughty bits):<\/p>\n

\"\"<\/p>\n

The malware quickly deletes itself, replacing the original application with a real JPEG image corresponding to the one that was an application. The image is then displayed in the user\u2019s default image viewer. There is no visible trace of the application after this point, but it does remain active as a backdoor on the system.<\/p>\n

The Trojan creates the following malicious files on an affected system:<\/p>\n