http://www.sophos.com/virusinfo/anal...ccowhanda.html
According to Sophos, there is the first real MacTrojan under OS X. They do not say anything about where and how it spreads though...
Thoughts or experiences?
PowerMac G4 MDD '03 1.25GHz, 1 GB RAM, 2x80 GB HDD, on OS X 10.4.x/10.5.x
iPod nano 2nd Gen 2GB
Part of the party since MacOS 7
My Last.fm Profile
Originally Posted by Damrod
This is included in the side effects of the Mac/Cowhand-A "Trojan":
• Installs itself in the Registry
Registry? That ain't no Registry in MacOS X!
If it is a trojan, it will require the user to run it. It's annoying that they don't indicate what programs contain this trojan...
A firm that sells AV software 'discovering' a trojan, what are the odds?
PowerBook G4 1.25Ghz, 15", 1GB, 80GB,SuperDrive, 10.4
MacMini, 1.25Ghz G4, 256MB (will be upgraded), 80GB, Combo Drive, 10.4
20GB iPod (4G)
eMate 300, Newton OS 2.1, Bluetooth
Newton MessagePad 2000, Newton OS 2.1, WiFi, Bluetooth
NeXT Turbo Colour, NeXTStep 3.3
TomPhippen.com
dogtanian.net
Nope, definitely ain't one.
If you go to the Advanced portion, it says this:
"Mac/Cowhand-A is a proxy Trojan for the Mac OSX platform.
The Trojan may copy itself to the user's Preferences folder. In order to run itself on startup, the Trojan may add itself to the user's Startup Items."
...which is at least more in line with OS X.
If you hit the link that is listed as "Trojan" you get sent to a page with the listed trojans, then (I presume) a link to the right of what type of trojan it is. If I'm right, then this is the type of trojan this is supposed to be:
"Troj/IRCFlood-E is used to flood an IP address with network packets. The Trojan can be controlled remotely over IRC"
Without more info, I can't say whether or not this is true. Guess we'll have to wait and see if anyone else carries the story.
I am but a lonely shadow,
Doomed forever to roam and wander.
But if you allow me to pause before I must go,
I'll spin you tales of mystery and wonder.
Site: Night Productions
The 'Registry' reference is probably a standard text, not customised by the person who enters the thing in the database. So that isn't anything we should blame on them right now. (They probably haven't got the right text blurbs for Mac OS X in their database.) What we should _worry_ about is, right now, the bad press this might give Apple.
Mac user since 1987. Running Mac OS X 10.8 Mountain Lion on a MacBook Air 11" & an iMac 27" and whatever's newest for my iPhone 4s, iPad 3 and AppleTV 2.
Apple Certified System Administrator 10.6, Apple Sales Professional 2008-2011, Apple Certified Mac Technician.
Listed here at http://secunia.com/virus_information.../maccowhand-a/ , but it's just a reprint of the Sophos data (links point back to them). This is unhelpful, as it could make the info be spread without anyone else checking up on its validity.
Oh and on security firms 'finding' virii etc, I'm still boycotting Intego after their last announcement of that dubious Mac malware.
How to ask questions sensibly
--Macbook unibody 2.4ghz, 4gb ram, 500gb HD, glossy, OS 10.6.1
--Homebrew PC, iPhone, many hard drives, Nikon D200
As for "first", apparently not:
http://securityresponse.symantec.com...04.trojan.html
I agree that we will have to wait until someone releases some worthwhile information about this trojan -- in particular, how it is spread. At the moment, I am about as frightened of this threat as I am of accidentally installing Windows.
Last edited by Andrew Adamson; April 25th, 2005 at 09:07 AM. Reason: (Secunia reference redundant)