Mac Virus? trojan.byteverify infects installerapplet.class?

adambyte

A friend who has a TiBook with Mac OS X 10.2 was complaining about a virus and its effects.... Is this a virus, a coincidence, or something in between?

10:58:35AM She: so that whole "macs don't get viruses" deal
10:58:36AM She: a lie
10:59:05AM adambyte: lol. Really? You're the first Mac OS X user to get a virus, ever. Congrats.
10:59:13AM She: lol. i doubt that's true
10:59:14AM adambyte: How do you know you have a virus?
10:59:27AM She: because two of my programs weren't opening
10:59:31AM She: so i ran a virus scan
10:59:33AM She: and it found two
10:59:44AM adambyte: !?
10:59:48AM adambyte: What are they called
10:59:50AM adambyte: ?
11:00:10AM She: i don't remember. i just let it repair the files and was done with it
11:00:17AM adambyte: lol.
11:00:34AM adambyte: So now it will forever torture me as a mystery.
11:00:45AM adambyte: Did you try restarting, first of all
11:00:46AM She: lol
11:00:48AM adambyte: ?
11:00:49AM She: yup
11:00:58AM adambyte: What apps were they?
11:01:11AM She: aol instant messenger and safari
11:01:17AM She: actually, explorer, too, come to think of it
11:01:21AM She: i only tried that one once
11:01:34AM adambyte: And they wouldn't open
11:01:36AM adambyte: ?
11:02:08AM She: they would start to, and then say that a problem occurred and they unexpectedly quit
11:02:34AM adambyte: huh. k.
11:03:31AM adambyte: You get the first virus for Mac OS X, and you can't even tell us what it was. :p
11:03:47AM She: i'm sure other people have gotten viruses, adam
11:04:41AM adambyte: lol. Nope. If someone had, it would have been a big story in the mac community.
11:05:09AM adambyte: There are two known Trojan Horses, but no viruses.
11:05:22AM She: adam, if no viruses for macs existed, there would be no virus scanners for macs
11:05:27AM She: trojan horses?
11:06:19AM adambyte: Actually, do you know what your Virus scanner does? It scans for PC viruses in Word documents and stuff. So, basically, you won't SPREAD PC virii. But there are no known virii that do bad things to Macs.
11:06:44AM She: well it was doing bad things to me
11:06:51AM She: what's a trojan horse in this sense?
...

Blah blah blah, I explain the malicious MP3 files and the Dashboard self-installing thing....


11:12:52AM She: i don't think you're understanding. the applications wouldn't work
11:12:56AM She: i restarted several times, still nothing
11:13:05AM She: started running the virus scanner
11:13:15AM She: while the virus scanner was going at first, the applications still wouldn't open
11:13:36AM She: the virus scanner found and took care of the viruses, and immediately after, the programs started working again


11:15:40AM She: well get norton anti-virus and you'll be fine
11:16:04AM adambyte: Oh, is that what you're using? Norton Anti-Virus? i thought you had Virex?
11:16:21AM She: i got norton at the beginning of the school year
11:16:27AM adambyte: Ah.
11:16:45AM adambyte: Well, open it, and look for some sort of log, please.
11:18:56AM She: it's some sort of a trojan thing .... trojan.byteverify
11:19:25AM adambyte: Any more info?
11:19:42AM adambyte: What file it affected? Its location? Anything?
11:20:13AM She: "the file installerapplet.class contained in this archive is infected with trojan.byteverify
11:20:22AM She: it was in javainstaller.jar
11:21:34AM adambyte: Anything else?
11:22:05AM She: some photo libraries were damaged, but that might not be related
11:22:24AM adambyte: That's it?
11:22:33AM she: i think so
11:22:51AM adambyte: Interesante.
11:23:12AM adambyte: I will consult with my fellow geeks.

Well?
 
http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Systems Not Affected: Linux, Macintosh, OS/2, UNIX
Straight from her virus scanner's own company's mouth.
Notification of infection does not always indicate that a machine has been infected; it only indicates that a program included the viral class file. This does not mean that it used the malicious functionality.
Just because the scanner found it doesn't mean that it was actually doing any harm, or even executed. In addition, it only affects Windows machines.

Your conversation with her, especially the part about only having virus scanners to protect ourselves from spreading Windows-only virii, is absitively, posolutely, 100% accurate on your part.

There are no Macintosh OS X-specific viruses. Back in the day of OS 7/8/9, there were a handful of virii, but those would not be able to execute under OS X (nor in the Classic environment, since they require direct access to hardware to do any damage, and Classic does not have direct access to hardware), and to be honest, I haven't heard of any of those old-ass virii making a comeback (or even infecting any machines since those days) to this day.
 
Okay. That's what I thought. But the applications being able to launch AFTER the Virus fix.... complete coincidence, I guess? You could see why a non-nerd would think that the virus did it.... Restart, apps don't launch, restart, apps don't launch, Anti-virus, apps launch.... I'm interested as to why the apps acted that way, and what changed their behavior.
 
I'd say coincidence, or something in those applications stumbling over that particular piece of code in Java (since Safari uses Java, as well as Explorer... don't know about AIM, but it's possible). Not that they were suffering the maliciousness of the virus, per se, but maybe like "walking down the Java road and seeing the virus there on the side and stopping for a moment to inspect it" or something... I really have no clue.

I would chalk it more up to coincidence than anything else, but maybe a distantly-related coincidence. Her Macintosh most definitely did not "get" this particular virus, as it wouldn't even work...
 
Aha. All those apps might use Java... I didn't even notice that.

So... if a virus still just makes a Mac stumble... it's still a pain in the butt.

If it still does a certain amount of damage, but not in the way it was intended, is it still an "infection?"
 
It was probably a java jar file that was specifically corrupted to take advantage of a flaw in Windows to execute code. I guess those apps don't like the corrupted files but it doesn't affect the Mac in any bad way except making the programs crash.
 
There must be some Mac-specific code in there if it spread from one program to another, right? Well, I guess it could have been done in Java, but anyway, there must have been code that ran on the Mac, even if the malicious part of virus was Windows-only.

If it can spread from program to program, it's a virus. If it can do that on a Mac, then it's a Mac Virus™, regardless of what it can and can't do after that point. Damn. Guess we got one.
 
It didn't "spread" from one program to another at all. The virus was located in one specific file, and if two or more programs reference that same file, it may cause adverse effects with each program. It doesn't mean that the "virus" propagated itself from program-to-program, nor does it mean that the virus contained Mac-specific code at all (which it doesn't -- read the Symantec link).

Since Java is platform-independent, it goes without saying that a virus written specifically for Windows may still affect Mac OS X in some adverse way, but the way it affects it will not be the "payload" of the virus. A Windows virus that makes its way onto a Macintosh system will NOT be able to cause damage to the Macintosh system whatsoever, but programs that aren't expecting to encounter a virus-infected Java file may "stumble" a bit. It still doesn't mean that the virus executed, propagated or was activated in any way at all.

This particular virus is Windows-specific, and cannot harm a Mac OS X system at all.

I still don't think her application launching problems were due to the virus, but you never know. Still, applications that reference bits and pieces of the Java Virtual Machine may falter a little bit if the code is unexpected. That is most definitely not an "infection," since no damage was caused, and the intent of the virus was never carried out. This virus wasn't written to make applications not launch, and therefore cannot be considered an "infection." It was written to provide unrestricted access to a computer -- which it is incapable of doing on a Macintosh system.

We do not have our first Mac OS X virus, by any means.
 
Mikuro, as Captain Code says, a problem with a Java .jar file might affect every program that uses that file. So it is not surprising that multiple programs, per se, would be affected.

One thing that really bothers me about this one is that Safari was one of the affected programs. I was under the strong impression that Safari was not written in Java (for starters, Safari is quite fast). It uses Java when displaying a web-delivered app, but as far as I can tell, it isn't written in Java and it doesn't fire up the Java virtual machine until it is required to by its first app. 'Byteverify' takes advantage of a (now patched) flaw in how Microsoft chose to implement Java in Windows. I am guessing here that Mac's Java VM was choking on MS-Java specific code in the trojan's class file. Norton sniffed the class file and removed it from the jar (which is simply a compressed archive of compiled java code), fixing the problem. I strongly doubt it was 'corrupted' data in the jar file, since you can't really fix something that's corrupted. Aside from the Safari issue, none of this worries me.

But here's what really bothers me: She starts having problems; she suspects a virus; she runs Norton, which finds and removes a WINDOWS trojan; things go back to normal. If She didn't have Norton, she would probably be reinstalling software right now and it probably wouldn't be doing a bit of good. Here, a trojan appears to have been doing 'denial of service' duty on a Mac. Not a good sign.

Adambyte, if you can, please investigate a little more. I'd like to find out how She thinks she got this trojan.

Edit: Sorry, ElDiabloConCaca. I wrote this before you posted your last message. It's a bit redundant now. And repetitive. Nevertheless, I would like to see more about this.
 
Safari is written in Objective C++ but it must scan the java cache on startup of the program. Java jar files used on websites are cached on the computer like other html files and images etc.

I'm not sure why AIM would be affected but it must tie into OS X's java or something.

What to do with the file... Delete it and be done with it. The jar could have been corrupted because sometimes some of the viruses/trojans work by exploiting the way a file is read if it's not in the correct format. Like when you could execute code with a bitmap on windows because of a certain format of the file.

If that's what this thing uses then maybe the JVM in OS X choked on the file while scanning it.
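The two posts above describe the same mechanics from different angles: a jar is just a zip archive of compiled .class files, Norton "repaired" it by pulling one class out of the archive, and the cached jar may have been malformed enough to make the JVM choke while it was being read. The script below is an added example written for this thread, not code from the original posts or from any of the tools mentioned. It builds a constructed jar (synthetic class headers only, no real bytecode), scans a directory of jars the way a triage tool would scan a browser's Java cache, flags entries whose name is on a watchlist (here only the class name the thread reports, installerapplet.class), checks that each .class entry carries the 0xCAFEBABE class-file magic, and rewrites the jar without the flagged entries to show what a scanner's "repair" amounts to. The directory layout and the watchlist are assumptions for the example.

```python
import struct
import zipfile
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed watchlist: the only class name reported in the thread. A real tool would
# load signatures from a feed rather than a hard-coded set.
WATCHLIST = {"installerapplet.class"}

# Every valid Java class file starts with this 4-byte magic, then minor/major version.
CLASS_MAGIC = 0xCAFEBABE


def fake_class(major: int, minor: int = 0) -> bytes:
    """Synthetic class-file header (magic + version) padded with zeros; not real bytecode."""
    return struct.pack(">IHH", CLASS_MAGIC, minor, major) + b"\x00" * 16


def build_sample_jar(path: Path) -> None:
    """Write a constructed jar with a benign class, a watchlisted name, and a truncated entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/Hello.class", fake_class(major=46))
        jar.writestr("installerapplet.class", fake_class(major=45))   # name on the watchlist
        jar.writestr("bad/Truncated.class", b"\xca\xfe")              # too short to be a class file


def scan_jar(path: Path) -> dict:
    """Triage one jar: list entries, flag watchlisted names, and check .class magic."""
    report = {"entries": [], "flagged": [], "malformed": []}
    with zipfile.ZipFile(path) as jar:
        for info in jar.infolist():
            report["entries"].append(info.filename)
            basename = info.filename.rsplit("/", 1)[-1].lower()
            if basename in WATCHLIST:
                report["flagged"].append(info.filename)
            if info.filename.endswith(".class"):
                head = jar.read(info.filename)[:8]
                if len(head) < 8 or struct.unpack(">I", head[:4])[0] != CLASS_MAGIC:
                    report["malformed"].append(info.filename)
    return report


def strip_entries(src: Path, dst: Path, names) -> list:
    """Rewrite the jar without the named entries (a scanner's 'repair'); return what was dropped."""
    dropped = []
    with zipfile.ZipFile(src) as jar_in, zipfile.ZipFile(dst, "w") as jar_out:
        for info in jar_in.infolist():
            if info.filename in names:
                dropped.append(info.filename)
                continue
            jar_out.writestr(info, jar_in.read(info.filename))
    return dropped


def scan_cache(cache_dir: Path) -> dict:
    """Scan every *.jar under a directory (e.g. a browser's Java cache); return {path: report}."""
    return {str(p): scan_jar(p) for p in sorted(cache_dir.rglob("*.jar"))}


def demo() -> dict:
    """Build the constructed cache, scan it, strip flagged entries, and rescan the result."""
    with TemporaryDirectory() as tmp:
        cache = Path(tmp) / "java_cache"      # assumed cache location for the example
        cache.mkdir()
        jar = cache / "javainstaller.jar"     # archive name reported in the thread
        build_sample_jar(jar)
        before = scan_cache(cache)[str(jar)]
        cleaned = cache / "javainstaller.cleaned.jar"
        dropped = strip_entries(jar, cleaned, set(before["flagged"]))
        after = scan_jar(cleaned)
        return {"before": before, "dropped": dropped, "after": after}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Note that the magic check only catches entries that are not class files at all; a well-formed class that exploits a verifier bug (which is what the Symantec write-up describes for Windows) passes it, which is why the watchlist, and not the structural check, is what identifies the reported file.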
 
Okay, I see now that I was mistaken. The virus didn't spread; there was just one copy. Still, how did it get installed in such a way that these apps would try to use it?

Whether the original intent of the virus was carried out or not, it still affects OS X. Perhaps OS X is "resistant" to this virus, but apparently it's not immune.
 
Well, next time I get a chance, I will ask her about the sites she's been surfing, lately, and if she's downloaded anything funky lately.

This is really bad. A windows virus that still affects a Mac? Not good. Should we tell Apple, or what?

Bear in mind, she's still running 10.2, and probably doesn't have all the security updates installed... so maybe this was fixed already....
 
First, a little bit on morphology. A virus is a bit of code that modifies other programs by copying itself into them -- exactly in the same way that a biological virus inserts itself into healthy cells to infect a host. For this to be a virus, AIM and Safari and IE would have to have been altered, which they weren't, at least according to the account. This DID alter the behaviour of multiple applications, but it did so because it affected the data files used by a different application, Java. Here, the analogy would probably be food poisoning. It's not quite a trojan, though, because (and here I am completely assuming) the user didn't install any software knowingly to become infected (some will argue it IS one, because she probably went to a web site expecting to get one thing, but came away with something different). What probably happened was that a Java app deliberately injected the compiled Windows-Java code into her library. Then, any time she started an application that called on Java, the Java engine choked on the inserted code. In a Windows environment, this code would have done nefarious no-goodness. On her machine, it coughed up hairballs. So, virus? No. Trojan? Er, I say no, others probably say yes. Code injector? Yes.

On your point of OS X not being immune, I agree. I would say that this is a clear example of a denial of service attack, albeit probably completely accidental. It would be really nice to know what version of Java she has running. If she is not patched....

http://secunia.com/advisories/14346/
 
The plot thickens!....

9:53:41PM adambyte: MacOSX.com - The Answer to Mac Support - Mac Virus? trojan.byteverify infects installerapplet.class?
9:55:30PM adambyte: You're our new favorite science experiment.
9:57:52PM She: you people are such nerds

10:00:49PM She: i feel so special
10:00:58PM She: what's weird is that ichat still worked fine
10:01:38PM adambyte: lol. Open this... Applications/Utilities/Java
10:01:43PM adambyte: What do you see in that folder?
10:03:51PM She: applet launcher, input method hotkey, java 1.3.1 plugin settings, java 1.4.1 plugin settings, java web start
10:04:27PM adambyte: Could you click ONCE on "Java Web Start" and then choose "Get Info" from the "File menu?
10:04:50PM adambyte: Tell me what it says under "Version:"
10:04:59PM She: 1.2
10:06:52PM adambyte: Hrm.

10:09:07PM adambyte: One more thing.... Go to "About This mac..." What version of the OS is it?
10:10:00PM She: uuuuum, 10.2.8
10:10:34PM adambyte: Okay. Now click the "10.2.8" and tell me the "Build" number...
10:11:03PM She: 6R73
10:11:13PM She: this is getting ridiculous
10:11:17PM She: you guys are geeks

10:19:00PM adambyte: Okay, so... did the not-working coincide with any weird web surfing, (something with Java), such as a complex web site with a built-in chat room, or something else complex like that?
10:19:13PM She: um ... no....
10:19:25PM She: i use yahoo, webmail, livejournal, facebook ...
10:19:37PM She: jeni had me watch some videos online, but they were really basic and easy to view
10:19:48PM adambyte: What site were they on?
10:20:05PM She: valnac.com

10:23:19PM She: the computer has crashed at least twice in the past week
10:23:25PM She: only not in a way that it usually would
10:23:33PM adambyte: Whatcha mean?
10:23:43PM She: the screen dims, and a screen comes up telling me i need to turn the computer off or something
10:23:50PM She: it'd never happened like that before, but twice this week
10:24:08PM adambyte: Ah. That's a Kernel panic.

10:25:32PM adambyte: Often, Kernel panics are indicative of hardware problems... were you plugging or unplugging the camera, or anything?
10:25:44PM She: uuum. i have been on and off, yeah
10:26:09PM adambyte: Did those happen when you specifically plugged in, or unplugged it, though?
10:26:14PM adambyte: Like... plug in... BAM
10:26:16PM adambyte: ?
10:27:01PM She: nope

Wait for it... wait for it..... Here it is...

11:05:48PM She: btw, i thought of something
11:05:53PM adambyte: what?
11:06:05PM She: lizza sent me a message a few weeks ago that send something like "check this out"
11:06:17PM She: when i clicked it, it opened up a blank webpage, and then there was an icon on my screen
11:06:25PM She: so i double clicked it and nothing happened
11:06:29PM She: she signed off right after
11:06:41PM She: i called her and she told me that she had a virus that made her aim send out that message
11:06:49PM She: so i deleted the file
11:07:07PM adambyte: Well, freakin' A.
11:07:09PM She: and a few minutes later i received an identical message from rachel (who lizza had infected), but obviously didn't open it
11:08:14PM adambyte: Thank you. At least now we know where it came from.
11:08:29PM She: well, that was awhile ago.
11:08:32PM She: i dunno if that's it
11:08:37PM adambyte: So, the Mac stumbled over it, but didn't help spread it.
11:08:42PM adambyte: Probably.
11:09:03PM She: *hugs norton antivirus*
 
Well, that possibly may not be the source of this particular infection, but it sure is a juicy culprit. If she does regular Norton scans and did a scan between this event and her latest woes, it might be something else altogether.

If you don't mind, anytime someone posts 'there is no such thing as a trojan for OS X', I'd like to link to your message. Social engineering remains the single most powerful, platform-independent tool in the cracker's toolbox and it should neither surprise us nor disappoint us when it works against average users.

In the Linux world, we'd be telling her to wipe her drive and reinstall. I hope things turn out all right for her.
 
Sure. Link away. Heh. I especially like this thread because it's playing out like some sort of twisted Techno-mystery. lol.

Well, hey, Norton Anti-Virus scanned it, found it, and fixed it, and now her computer works fine. So all is well.

EDIT: If you had told me that something like this could happen, I just wouldn't believe you. It's seriously weird how the virus affected her Mac.
 
I would agree that this seems like a denial of service attack even if the original raison d'etre of the trojan was to do something stinky to Windows systems.

It has been an interesting thread and good on you adambyte for sharing it with us fellow nerds (she's right you know).

I suspect the lesson to learn here is that Macs are not infallible. Who would have thought though that an antivirus programme really was necessary on a Mac?
 
I'm still gonna be the pessimist (or optimist, however you look at it) and say that her programs crashing were still coincidence and unrelated to the Java file.

I'm just a doubter when it comes to virii on Mac OS X -- especially if the OS X in question is more than a few years old (10.2.8, like she's using). Until one of us "geeks" can get our hands on this "virus" and test it on one of our systems and see exactly which applications crash, it's just tough to say "YES! That file was most definitely the reason behind the crashing, and Norton fixed it by cleaning the file, allowing the applications to function normally again."

I mean, she doesn't know what version of Mac OS X she's running... she just had some weirdness with her system, ran an anti-virus program which found a Windows-specific virus, and then the weirdness supposedly stopped. She may have even tried other measures besides Norton's before/after the virus scan. It was not done in a "scientific" manner at all, and we're also going off of information that has been "filtered" through two people already (no offence to adambyte -- I'm sure that you're quoting verbatim, but she doesn't sound "geeky" and, by the first conversation, doesn't remember exactly what she did to find or get rid of the virus other than running Norton AntiVirus -- the same program that recently gave false positives on the "hacktool.underhand" virus).

For all we know, it could have been Norton's itself causing the application instability, as it is VERY well known to do!

Eh, sorry to be a party pooper, but I'm just not buying it. Yes -- perhaps that virus somehow made its way onto her system, but I just don't believe that the virus itself was causing the system instability. There are WAY too many other factors here -- does she repair permissions? Repair her disk? Update her software? Use "sketchy" software? Not know much about Mac OS X?

Purely coincidence in my mind until we get some better proof. My girlfriend the other day kept insisting she had a virus that was causing Internet Explorer to crash under WinXP SP2. Whenever she would close the last Explorer window, a very realistic-looking pop-under advertisement was left with a message that said, "You have been infected with XXXXXXXXX and has caused Explorer to crash. Please click "OK" to clean your system" or something like that. It was a decently-crafted pop-under window -- nothing more, nothing less. Explorer wasn't crashing.

I'm not saying we shouldn't be on the lookout, but it seems that the very first conclusion that a lot of people jump to when their systems aren't working correctly is "VIRUS!" I've known a lot of people that tell me, "My system wouldn't connect to the internet, and I ran a virus scan, and it found something, so now I can get on the internet again!" when in actuality it wasn't a virus at all preventing the internet access... it's just the common conclusion, in this day of virii paranoia, that people jump to when systems go haywire.
 
ElDiabloConCaca,

I suspect you are right. This case study raises some interesting questions and we mustn't jump to the wrong conclusions. However, I still think there is an element of doubt here about the robustness of Mac OS systems, which is worth making us vigilant.
 