Renepo.b / Opener Malware

mathgirl

I have an iBook G4, a little over a year old.

Approximately two weeks ago, against my better judgment, I clicked on a link sent by a friend of mine on AIM. The link put an icon on my desktop (I forget what it said), and I figured it might be a virus, so I didn't open it. I moved it to trash and emptied it. My friend confirmed that it was a virus sent automatically to everyone on her buddy list.

After about a week, my computer started to get really slow and then when two or more programs were running it would come up with a message saying Hard Disk Full. There was 10 GB free on my hard drive, but I began deleting music files to free up some space anyway. I got it down to about 15 GB of free space before the computer came up with a message saying that the computer must be shut down immediately, and that I should do this by holding in the power button for several seconds.

When I rebooted, it booted in Unix as root. (black screen :/root# ) It will not restart in anything else. I have a bit of experience using Linux, but not much. I have been (CAREFULLY) looking for my files, which still exist on my hard drive.

Using a different computer I have been searching online and found descriptions of what appears to be the problem: a "virus" called Opener or SH.Renepo.B that steals passwords (dsniff sniffs passwords), runs a program called "john" (John the Ripper?), deletes some UNIX commands and modifies preferences. This is my very non-expert guess of what the problem is.

http://securityresponse.symantec.com/avcenter/venc/data/sh.renepo.b.html
http://www.macintouch.com/opener.html

Note: I read somewhere that the attacker attempts to gain root status so that it can do whatever it wants, and that upon rebooting the attacker will have root status. I don't know if this is what's happened, but I do know that it's a very serious problem that I'm running only in Unix under root.

I have attempted the following, probably not in this order:

1. Saving my files onto a CD - the computer doesn't seem to recognize the blank disk. I looked for it in /Volumes, but the only thing there appears to be Macintosh HD. Then it wouldn't eject the disk, until finally booting up with the trackpad button pressed worked.
2. I tried rebooting with Shift button down, but it comes up to the gray screen with the apple without the little rotating circle indicating progress. It just sits there until I reboot.
3. I tried running Disk Utility from Applications/Utilities by typing diskutil (I found this command at www.ss64.com/osx) but it spits out “Carbon Lazy Values Total size: 11057 bytes!” and hangs there until I hit CTRL-C. Then I tried the command “diskutil repairDisk” and “diskutil repairPermissions” with the same result. In fact, I get this same message no matter what program I try to run (“open Safari.app,” etc.).
4. I ran fsck using several different commands, I can’t remember all of them, but in any case there were two results:
---"fsck" or "fsck -y" result in "fsck_hfs: Volume is journaled. No checking performed."
---"fsck -fy" checks several things, then says "Incorrect size for file temp1149517...disk0s3: I/O error. Keys out of order...Rebuilding Catalog B-tree. Disk0s3: I/O error. The volume Macintosh HD could not be repaired." Then back to root command prompt.
5. I inserted my iBook Software Install and Restore disk, but the computer does not appear to recognize it. It should be in /Volumes, right? Still only Macintosh HD is there. I restarted with the restore disk inside, but again the black screen with the root prompt. (I type restore and it offers the options -i, -r, -R, -x, -t, but I haven't figured out what these are yet, so I haven't done anything.)

I think that’s about all I’ve done, but I might be forgetting something. Please help me save my files and get back to my beautiful iBook.

P.S. This may be a stupid question, but is there a way to log onto the Internet or something to email my files? Better yet, a way to copy them to a CD, i.e. make it recognize a CD.

Thank you for your time!!
Amanda
 
Opener is some nasty stuff. Not very sneaky, but nasty.

Do you have a spare Mac, or access to one at a friend's place? Preferably not a friend who's liable to have the same malware you got, i.e. not someone who'd be in your first friend's buddy list...

You might try booting into firewire target disk mode (google for "firewire target disk mode"), and copying your files over firewire.

You will unfortunately probably need to completely wipe the disk and reinstall from scratch - reformat the disk, the whole deal. Once the computer is compromised, it's hosed.

Can the computer boot from a CD if you hold down the C key at boot? If not, you might be able to install from a CD in another computer while yours is in target disk mode.

Sorry to hear of your bad luck.
 
What exactly makes you think you have that special malware? Is "john" running on your system? (See "top", "ps axu" etc.) ... Just because your Mac doesn't want to boot back into graphical mode doesn't mean you have that exact malware... I at least haven't heard of AIM (iChat?) installing stuff automagically without your intervention. It gets files and puts them in your standard download folder _only_ if you click on the link you get from your friend.
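The check the reply above suggests (is "john" or "dsniff" actually running?), written out as an added example that is not part of this thread: a POSIX sh function that reads `ps axu`-style output and flags only processes whose executable name exactly matches one of the two names the original post associates with Opener/Renepo.B. The process listing below is constructed for the demo, and the indicator list is an assumption limited to what the post mentions.

```shell
#!/bin/sh
# Added example, not from the thread. Flags processes named after the
# indicators the original post mentions. Any other name is assumed benign.
INDICATORS="john dsniff"

# flag_suspicious
# Reads `ps axu` output on stdin. For every process whose executable
# basename exactly matches an indicator, prints "<pid> <user> <command>".
# Returns 0 if at least one process matched, 1 otherwise.
flag_suspicious() {
    found=1
    while IFS= read -r line; do
        # Skip the column header that ps prints first.
        case "$line" in USER*) continue ;; esac
        # `ps axu` has 10 fixed columns; the command starts at field 11.
        cmd=$(printf '%s\n' "$line" |
              awk '{ for (i = 11; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : ""); print "" }')
        first=${cmd%% *}          # executable path without its arguments
        base=${first##*/}         # basename, so /usr/bin/john -> john
        for ind in $INDICATORS; do
            if [ "$base" = "$ind" ]; then
                pid=$(printf '%s\n' "$line" | awk '{ print $2 }')
                user=$(printf '%s\n' "$line" | awk '{ print $1 }')
                printf '%s %s %s\n' "$pid" "$user" "$cmd"
                found=0
            fi
        done
    done
    return $found
}

# sample_ps
# Constructed `ps axu` listing for the demo; not captured from any real
# machine. Includes a near-miss ("johnny") to show that matching is exact.
sample_ps() {
    cat <<'EOF'
USER   PID %CPU %MEM    VSZ   RSS  TT  STAT STARTED    TIME COMMAND
root     1  0.0  0.1  28000  1200  ??  Ss   10:01AM 0:00.50 /sbin/launchd
root    88  0.0  0.2  31000  2000  ??  Ss   10:01AM 0:00.10 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
root   412 98.0  3.5  90000 40000  ??  R    10:02AM 5:12.00 /usr/bin/john
root   415  0.2  0.1  12000  1500  ??  S    10:02AM 0:00.30 /usr/sbin/dsniff
amanda 501  0.0  0.1  10000   900  s0  S    10:03AM 0:00.05 /usr/local/bin/johnny
EOF
}

# Demo run on the constructed listing. On the affected machine you would
# pipe the real listing instead: ps axu | flag_suspicious
sample_ps | flag_suspicious || echo "no indicator processes found"
```

On the single-user root prompt the original poster describes, this assumes `ps` and `awk` still exist; the post notes the malware is said to delete some UNIX commands, so a missing `ps` would itself be worth noting. A hit here is only one indicator, not proof of Opener; an idle machine with a failing disk (the other reply's reading) would show nothing.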
 
Sorry, I misread the original post - I got the impression you had confirmed you had been hit with Opener.

It looks more like your disk just went bad (hardware or file system error, doesn't matter much which). The original suggestion of firewire target disk mode to recover your files is still probably a good bet though.
 