Intego has issued a Q&A confirming the existence of a destructive Trojan horse that affects Mac OS X, confirming Macworld UK's public service warning earlier today. (It is a Trojan horse rather than a virus: it does not replicate, and it does its damage only when a user runs it.)
Intego has also published comments from Microsoft, which advise Mac users on what to do, and what not to do, to protect themselves from the malicious software, which deletes the current user's home folder when it is run. We have published Intego's statements on the matter in full:
Intego announces protection against a new Mac OS X Trojan Horse: AS.MW2004.Trojan
Intego was notified by Macworld UK on May 10, 2004 about a Trojan horse, discovered by one of its readers who downloaded and ran an application from the Gnutella peer-to-peer network. Intego carried out tests on the information received and has identified a Trojan horse - AS.MW2004.Trojan - that affects Mac OS X. This Trojan horse, when double-clicked, permanently deletes all the files in the current user's home folder. Intego has notified Apple, Microsoft and the CERT, and has been working in close collaboration with these companies and organizations.
The AS.MW2004.Trojan is a compiled AppleScript applet, a 108 KB self-contained application, with an icon resembling an installer for Microsoft Office 2004 for Mac OS X. This AppleScript runs a Unix command that removes files, using AppleScript's ability to run such commands. The AppleScript displays no messages, dialogs or alerts. Once the user double-clicks this file, their home folder and all its contents are deleted permanently.
Intego advises all Macintosh users to only download and run applications from trusted sources. However, Intego has updated its VirusBarrier X software to address this vulnerability. Intego VirusBarrier X eradicates this Trojan horse, using its virus definitions dated May 11, 2004, and Intego remains diligent to ensure that VirusBarrier X will also eradicate any future viruses that may try to exploit this same technique. All Intego VirusBarrier X users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.
Questions and answers from Microsoft about the AS.MW2004.Trojan
How did Microsoft find out about this Trojan horse?
Intego, the Macintosh security specialist, notified us.
Do you offer any Web downloads that use this icon?
No. Microsoft does not offer any Web downloads that use the icon identified as Trojan horse, MW2004. Microsoft Office 2004 for Mac should only be installed from retail CDs, and the authentic install icon will only be found in the product install wizard.
What is the recommended way that customers should install Office 2004?
Microsoft Office 2004 for Mac should only be installed from retail CDs, and the authentic install icon will only be found in the product install wizard. When looking for product enhancements from Microsoft, customers should always download from www.microsoft.com or through the new AutoUpdate tool in Microsoft Office 2004 for Mac.
I heard that an individual downloaded the file from a peer-to-peer network, thinking it was a public beta of Microsoft Word 2004. Was there a public beta program for Office 2004 for Mac?
No, there was not a public beta of Office 2004. However, a trial version of the product will soon be available, and should only be downloaded from Microsoft's Web site.
Questions and answers from Intego about the AS.MW2004.Trojan
Where did Intego first find out about this Trojan horse?
Intego received a copy of this Trojan horse on May 10, 2004. It was sent to Intego by an editor with Macworld magazine in the United Kingdom, who received it from a reader. The reader in question downloaded the file from the Gnutella peer-to-peer network, thinking that it was a public beta of Microsoft Word 2004. When he double-clicked the application, it immediately and permanently erased his home folder and all its contents.
Have you informed Apple, Microsoft and the CERT about this Trojan horse?
Yes, we informed Apple, Microsoft and the CERT as soon as we examined this Trojan horse and discovered its dangers. We have been in close contact with Apple and Microsoft, and have had several meetings and conference calls with them to ensure that this Trojan horse is controlled as quickly as possible.
Has Microsoft made any comments about this Trojan horse?
Microsoft made the following comments: "Microsoft has verified that it does not offer any Web downloads that use this icon. This icon should only be found when customers install Microsoft Office for Mac from retail CDs, and will be found in the product install wizard. When looking for downloads from Microsoft, always download from www.microsoft.com or through the new AutoUpdate tool in Microsoft Office 2004 for Mac."
How exactly does this Trojan horse work?
When a user double-clicks the file, the Trojan horse runs its AppleScript code. The AppleScript runs a Unix command, which immediately deletes the current user's home folder, as well as all the files and folders it contains. This command does not move files to the Trash; it deletes them immediately. There is no warning; once the file is double-clicked, it is too late. Since the AppleScript only deletes a user's home folder and its contents (files and folders that the user already has permission to delete), it does not need a password.
What is a user's home folder?
Under Mac OS X, a user's personal files are stored in their home folder. This is the folder bearing the user's name and a house icon. This is where users store documents, music files, photos, movies, as well as all preferences for the applications they use.
Does this Trojan horse affect any Mac OS X system files?
No, it only deletes a user's home folder and its contents. In order to delete system files the user would have to enter an administrator's password, and this would require that the Trojan horse display a dialog for this purpose.
Does this Trojan horse affect Mac OS 9 or earlier versions of Mac OS?
No, while it only deletes files on Mac OS X, it freezes computers running Mac OS 9 if it is run. Also, under Mac OS 9 this AppleScript appears with a normal AppleScript applet icon.
Is there any way to get the deleted files back?
Some file-recovery software may be able to recover some or all of the deleted files, but the best protection is to make regular backups of personal files, using a back-up program such as Intego Personal Backup X3. Intego VirusBarrier X cannot recover files; it offers protection if this Trojan horse is launched.
How can you identify this Trojan horse?
The only way to identify this Trojan horse is from its name and icon. This Trojan horse is simply an AppleScript applet with a custom icon pasted on it. When examining the file with the Finder's Get Info command, it shows as an application. This does not seem surprising, since a user downloading this expects it to be an installer. Many applications use "Web installers", which are very small files that allow users to select which modules or parts of the application they wish to install and then download only the necessary files.
Can this Trojan horse spread on its own?
No, this Trojan horse cannot spread or replicate. It is only dangerous when users download it from Web sites or peer-to-peer services.
Can this technique be used with other commands?
Nothing prevents users from creating other, similar AppleScripts, with different names and custom icons that can run the same damaging command. The current version that is in the wild only deletes a user's files and folders. Other such commands could attempt to delete all the files on a Macintosh computer running Mac OS X, but they would need to request an administrator password. However, users may not hesitate to type their administrator's password for what they think is an installer; after all, Apple's Installer requires this password to install any applications and updates to Mac OS X.
This Trojan horse highlights a serious weakness with Mac OS X. Since it is built on a Unix foundation, it can run powerful commands very easily. These commands can delete or damage a user's files with no warning, and AppleScript offers no protection against malicious commands.
Is there any way to check installers to see if they are malicious?
One way to see if an application is really an AppleScript is to select the file in the Finder, then press Command+I. The Finder's Get Info window displays. Click the icon at the top of this window, then press the Delete key. If the file is indeed a double-clickable AppleScript (or applet), it displays the generic AppleScript applet icon (pictured above).
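The Get Info check above works on one file at a time and relies on the user noticing the icon. The following shell script is an added example from the editor, not code from Intego, Microsoft or Macworld, and automates a version of the same idea for the bundle form of an applet: it assumes the applet was saved by Script Editor as an application bundle (Contents/MacOS/applet plus Contents/Resources/Scripts/main.scpt), treats a bundle-root file named "Icon" followed by a carriage return as the Finder's marker for a pasted custom icon, and looks in the compiled script for the literal text "do shell script", the AppleScript call that runs a Unix command. The last check is a heuristic: it assumes that string constant survives compilation as readable bytes and will miss a script that assembles the call some other way. The sample bundles are constructed in a scratch directory and contain no destructive command; the "FasdUAS" header in them is only a stand-in for real compiled-script bytes.

```shell
#!/bin/sh
# Added example (editor's code, not Intego's, Microsoft's or Macworld's):
# a pre-flight check for a downloaded "installer" before it is double-clicked.
# Assumptions: applet saved as an application bundle; pasted Finder icon shows
# up as a bundle-root file named "Icon\r"; "do shell script" survives as text.

CR=$(printf '\r')   # carriage return, the last character of the Finder icon file name

# 0 if $1 has the layout of a compiled AppleScript applet bundle.
is_applet_bundle() {
    [ -f "$1/Contents/Resources/Scripts/main.scpt" ] && [ -e "$1/Contents/MacOS/applet" ]
}

# 0 if $1 carries a custom icon pasted in via the Finder's Get Info window.
has_pasted_icon() {
    [ -e "$1/Icon$CR" ]
}

# 0 if the compiled script contains AppleScript's shell-command call (heuristic).
runs_shell_command() {
    grep -a -q 'do shell script' "$1/Contents/Resources/Scripts/main.scpt" 2>/dev/null
}

# Classify a path and print one token:
#   not-applet        not an applet bundle (a flat applet file is NOT recognised)
#   applet            applet bundle, default icon, no shell call
#   applet-icon       applet bundle with a pasted icon but no shell call
#   applet-shell      applet bundle that calls the shell
#   applet-disguised  applet bundle with a pasted icon that calls the shell: do not run
classify() {
    if ! is_applet_bundle "$1"; then
        echo not-applet
        return 0
    fi
    if runs_shell_command "$1"; then
        if has_pasted_icon "$1"; then echo applet-disguised; else echo applet-shell; fi
    else
        if has_pasted_icon "$1"; then echo applet-icon; else echo applet; fi
    fi
}

# Build constructed sample bundles in a scratch directory and print its path.
# Neither sample does anything: the "script" bodies are plain text stand-ins.
build_samples() {
    dir=$(mktemp -d)

    fake="$dir/Office 2004 Installer.app"     # shape of the disguised applet
    mkdir -p "$fake/Contents/MacOS" "$fake/Contents/Resources/Scripts"
    : > "$fake/Contents/MacOS/applet"
    printf 'FasdUAS\ndo shell script "echo constructed sample"\n' \
        > "$fake/Contents/Resources/Scripts/main.scpt"
    : > "$fake/Icon$CR"                        # pasted-icon marker

    plain="$dir/Hello.app"                     # harmless applet, default icon
    mkdir -p "$plain/Contents/MacOS" "$plain/Contents/Resources/Scripts"
    : > "$plain/Contents/MacOS/applet"
    printf 'FasdUAS\ndisplay dialog "hello"\n' \
        > "$plain/Contents/Resources/Scripts/main.scpt"

    echo "$dir"
}

# Usage: sh check_installer.sh "/path/to/Thing.app"
if [ -n "$1" ]; then
    classify "$1"
fi
```

Anything reported as applet-disguised or applet-shell deserves the Get Info icon check before it is ever opened. Note the limits: a flat single-file applet keeps its icon and script in a resource fork and is reported as not-applet here, so not-applet is not a clean bill of health, and an applet can run a Unix command without the literal words "do shell script" appearing in its compiled form. Downloading installers only from the vendor, as both Intego and Microsoft advise, remains the real control.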