CA Technologies dissects the latest Mac PDF trojan

As reported previously by Infosecurity, F-Secure discovered the trojan masquerading as an Adobe PDF file. The security firm says that the trojan tricks users into downloading the file, which then triggers the payload of the malware.

According to Mary Grace Gabriel, a global security advisor with CA Technologies, when the trojan is executed it attempts to drop and execute a non-malicious PDF file in the Mac OS X /tmp folder.

The PDF file and its content, she says, are intended to distract the user and hide the malicious activity running in the background.

“While the user is convinced that they have opened a harmless PDF document, the malware is already running in the background and attempts to drop and execute a downloader component in /tmp/host”, she says in her latest security posting.

“The downloader component will download and execute the file 'cdmax' from the URL 'tarmu.narod.ru' and will be saved in /tmp/updtdata. The file 'cdmax' is detected as OSX/Imuler.A,” she adds.

Gabriel goes on to say that, once OSX/Imuler.A is executed, it will attempt to drop a copy of itself as 'checkvir' in /user/%user%/library/LaunchAgents/ and then create 'checkvir.plist' in the same folder, so that the backdoor stays active on the system.

It then, she asserts, contacts the remote server www.teklimakan.org and is capable of carrying out a 'capture the screen' and 'upload files to command and control' series of commands.

CA Technologies has helpfully outlined how to remove the trojan:

1) Kill the running process.

2) Using Spotlight, type in Activity Monitor, filter by searching for "checkvir", select it and click Quit Process.

3) Delete the OSX/Revir.A and OSX/Imuler.A files and components:

   - Go to /tmp/host and delete OSX/Revir.A.
   - Go to /user/%user%/library/LaunchAgents/ and delete checkvir and checkvir.plist.
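A read-only check for the artefacts listed above, added here as an example and not taken from CA Technologies or Infosecurity. It assumes the article's /user/%user%/library/LaunchAgents/ is the user's ~/Library/LaunchAgents folder, takes an optional path prefix so it can be run against a copied filesystem tree, and, going beyond the article, also flags any LaunchAgent plist that references checkvir under another file name.

```shell
#!/bin/sh
# Added example (not CA Technologies' or Infosecurity's code): report the
# OSX/Revir.A / OSX/Imuler.A artefacts named in the article without deleting
# anything; removal follows the manual steps above.
# Assumption: "/user/%user%/library/LaunchAgents/" means ~/Library/LaunchAgents.
# $1: optional path prefix (empty = live system); $2: home directory to inspect.

imuler_scan() {
    root=${1:-}
    home=${2:-$HOME}
    agents="$root$home/Library/LaunchAgents"
    found=0

    # Dropped files: downloader in /tmp/host, payload 'cdmax' in /tmp/updtdata,
    # persistence copy 'checkvir' and its LaunchAgent plist.
    for p in "$root/tmp/host" "$root/tmp/updtdata/cdmax" \
             "$agents/checkvir" "$agents/checkvir.plist"; do
        if [ -e "$p" ]; then
            echo "FOUND artefact: $p"
            found=$((found + 1))
        fi
    done

    # Beyond the article: any other LaunchAgent plist that references checkvir
    # would relaunch the backdoor at login even if the plist was renamed.
    for plist in "$agents"/*.plist; do
        [ -f "$plist" ] || continue
        case "$plist" in */checkvir.plist) continue ;; esac   # counted above
        if grep -q checkvir "$plist" 2>/dev/null; then
            echo "FOUND LaunchAgent referencing checkvir: $plist"
            found=$((found + 1))
        fi
    done

    # Live system only: a running 'checkvir' process means the backdoor is
    # active (step 2 above quits it via Activity Monitor).
    if [ -z "$root" ] && command -v pgrep >/dev/null 2>&1 \
       && pgrep -x checkvir >/dev/null 2>&1; then
        echo "FOUND running process: checkvir"
        found=$((found + 1))
    fi

    [ "$found" -eq 0 ] && echo "No OSX/Imuler.A artefacts found" >&2
    return "$found"   # exit status = number of findings, 0 = clean
}

# Live run against this Mac:
# imuler_scan
```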
