Mac OS X Tiger has been hit by an instant messaging Trojan – the first ever to target the platform.
The Trojan is being called the "Oompa-Loompa Trojan horse". It is also known as "OSX/Oomp-A" or "Leap-A". It only affects Mac OS X Tiger systems.
Leap-A propagates itself through iChat, forwarding itself as a file called "latestpics.tgz" to an infected user's buddy list.
What it does
When a user double-clicks on the file, expecting to see a picture, the program inserts a file called apphook.bundle into the user's InputManagers folder. This file then works to replicate itself and affect applications, which can, but don't always, stop working.
The file retains an icon to help it pose as a harmless JPEG. The InputManagers folder sits in the Library folder of a user's account, or in the System Library folder.
The Trojan exploits Spotlight to find and infect the four most recently-used Cocoa applications each time you use one. Cocoa applications include most Apple applications, such as Safari, Mail and Address Book.
The apphook.bundle Input Manager then attempts to send a copy of the original file, latestpics.tgz, to every person on a user's iChat buddy list.
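To check a machine for the two file names described above, an administrator could use a script along these lines. It is an added example, not code from the original article or from any of the vendors named in it. The function names, the output labels and the Users/<name>/Library and Library layout under the chosen root are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: look for the Leap-A file names given in the article.
# Assumption: $1 is the root of the volume to inspect ("/" for the
# running system) and accounts live under Users/<name> below it.

leap_a_findings() {
    root="${1%/}"

    # InputManagers in each user's Library, then the system-wide one.
    for dir in "$root"/Users/*/Library/InputManagers \
               "$root"/Library/InputManagers; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue
            case "${entry##*/}" in
                apphook.bundle) echo "INFECTED $entry" ;;
                # Not named in the article; listed so it can be reviewed.
                *)              echo "REVIEW $entry" ;;
            esac
        done
    done

    # Copies of the archive that is forwarded over iChat. The search
    # depth of 3 is an arbitrary choice for this example.
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        find "$home" -maxdepth 3 -type f -name latestpics.tgz 2>/dev/null |
            sed 's/^/ARCHIVE /'
    done
}

# Prints the findings and returns non-zero when apphook.bundle or
# latestpics.tgz is present, so it can be used from a scheduled job.
leap_a_check() {
    report=$(leap_a_findings "$1")
    [ -n "$report" ] && printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eq '^(INFECTED|ARCHIVE) '
}
```

Run it as `leap_a_check /` on the live system, or point it at a mounted backup volume.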
Low risk but take precautions
An in-depth analysis of the malware by Ambrosia Software's team of developers also identified that the Trojan may have been intended to propagate itself using email too.
"It looks like the author intended to get it to send the 'latestpics.tgz' file out via email as well, but never got around to writing that code," writes Ambrosia president Andrew Welch.
Intego, Symantec and other security vendors have already issued patches to battle the software, which they describe as "low risk".
Intego warns that because the malware propagates itself using iChat, posing as a person that can be trusted, "users should be additionally careful when receiving an unexpected attachment via iChat from someone in their buddy list."
'Mac OS X is under threat' - Sophos
A security expert from Sophos said: "Some Mac users have held the belief that Mac OS X is incapable of harbouring computer viruses, but Leap-A will leave them shell-shocked, as it shows that the malware threat to Mac OS X is real."
Speaking to the Wall Street Journal, Apple stressed that it always advises Mac users to "only accept files from vendors and websites that they know and trust".
"All users should update their virus definitions and never open files received by email or iChat unless they are sure that these files are safe," the company said.