This is an Instant Messaging (IM) worm which infects computers running Mac OS X. It is also capable of infecting Mac OS X applications, but due to a bug in the virus code, infected programs will no longer run.
The worm was first spotted on the MacRumors (http://forums.macrumors.com/) forums on the evening of Feb 13th, 2006. The original message read "Alleged screenshots of OS 10.5 Leopard", an obvious attempt to lure unsuspecting users into running the malicious code.
The worm uses Apple's IM application "iChat" to spread. Other ways it can enter a system are the user downloading and directly executing the worm code, or running an infected application from a remote location. Because the worm is not able to infect a system automatically, it has also been called a "trojan", although that is not entirely correct: a trojan is not able to replicate, while "Leap.a" is.
The worm spreads in the form of a TAR.GZ archive named "latestpics.tgz". If the user unpacks the archive (either using the command line tool 'tar' or by double-clicking it in Finder), they are presented with what seems to be a JPEG file:
In reality, this is a PowerPC executable, as can be seen from the Finder "Get Info" dialogue:
The "latestpics" executable is a command line application, so a terminal window opens when it is run.
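The "Get Info" check above can be automated: a file's real type is given by its leading magic bytes, not by its name or icon. The following Python script is an added example (not part of the original description or of the worm's code) that classifies the members of a .tgz archive by magic bytes and flags executables; the sample archive is constructed here, and its "latestpics" member carries only the PowerPC Mach-O magic, not the worm's code.

```python
from __future__ import annotations

import io
import tarfile

# Magic numbers that identify the real file type regardless of name or icon.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit big-endian (PowerPC)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit little-endian (Intel)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit big-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit little-endian",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
}
JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG SOI marker followed by a segment marker


def classify(data: bytes) -> str:
    """Name the file type from the first bytes of its content."""
    if data[:4] in MACHO_MAGICS:
        return MACHO_MAGICS[data[:4]]
    if data[:3] == JPEG_MAGIC:
        return "JPEG image"
    return "unknown"


def scan_archive(tgz_bytes: bytes) -> list[tuple[str, str, bool]]:
    """Return (member name, detected type, suspicious) for each regular file.

    A member is suspicious when it is a Mach-O executable or carries the
    executable bit: neither belongs in an archive that claims to hold pictures.
    """
    results = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            f = tar.extractfile(member)
            kind = classify(f.read(8) if f else b"")
            suspicious = kind.startswith("Mach-O") or bool(member.mode & 0o111)
            results.append((member.name, kind, suspicious))
    return results


def build_sample_tgz() -> bytes:
    """Constructed sample: a JPEG stub plus an extension-less, executable
    'latestpics' member that only starts with the PowerPC Mach-O magic."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in (
            ("pics/leopard1.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 12, 0o644),
            ("latestpics", b"\xfe\xed\xfa\xce" + b"\x00" * 28, 0o755),
        ):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind, flagged in scan_archive(build_sample_tgz()):
        print(f"{'!! ' if flagged else '   '}{name}: {kind}")
```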
Some reports say that at this point, if the worm is run by a normal user, the operating system asks for administrative rights. In our tests this did not happen: the worm ran in the same way as it does from an account with admin rights, but it can only infect applications to which the current user has write permission.
Next, the worm extracts an InputManager plugin called "apphook" from its main body. If the current user is an admin, it copies this plugin into the system-wide "/Library/InputManagers" folder; if not, it copies it into the user's "~/Library/InputManagers" folder. The difference is that plugins in the root "/Library/InputManagers" folder are loaded into applications run by all users, while in the second case the plugin is only loaded into applications run by the current user.
The "apphook" plugin is the worm component which takes care of the IM replication. It attempts to hook certain iChat functions and sends a copy of the main worm body to the user's buddies, in the same way as "Buddies -> Send File".
After installing the "apphook" plugin, the main worm code continues with the infection of local applications. For that it uses Spotlight to search for a list of the most commonly used applications and attempts to infect them. Infection is performed in a very simple and straightforward way: the main executable is overwritten with the worm code, while the original application code is saved in a resource fork.
When an infected application is run, the main worm code runs and attempts to propagate itself as described above. It also attempts to execute the original application, but due to a bug in the worm's code this fails. That means all infected applications stop working, a very obvious sign of the infection.
Finally, it seems that the author of the worm was planning to add an email replication function, but did not finish it before releasing the code on the MacRumors forum.
Except for the corruption of applications during infection, there is no sign of any other damaging payload in the worm's code.