[OS X TeX] OT: effective Macintosh Trojan in the wild
Bruno Voisin
bvoisin at mac.com
Wed May 4 12:01:51 CEST 2005
On 4 May 05 at 11:18, Peter Dyballa wrote:
> The swapfiles can be found in /private/var/vm. They last till the
> next reboot. They're nothing more than a memory extension -- when
> you lose the swap files you're not losing anything but re-gaining
> used disk space. You can delete them by hand when you boot into
> single user mode with only the text console and invoke 'mount -rw /'
> (Mac OS X gives you the correct syntax on the boot screen),
> typing on an English keyboard with French lettering!
>
> The files in /private/tmp are temporary too and are allowed to exist
> until you switch off or reboot your Mac. So no loss there either.
>
> It should be worth rebooting from a Norton AV CD and scanning the
> PowerBook's whole disk for the source of the trojan.
On 4 May 05 at 11:25, Martin Costabel wrote:
> The "Trojan" is actually the antivirus program itself. Norton AV
> believes it has found a virus signature in a swap file and "sanitizes"
> the swap file, thereby crashing the system.
Hi Peter, Martin,
Thanks for the help! For sure one can recognize a Unix expert when
one sees one!
Following my failed attempts this morning we (1) told Norton AV to
only report infected files, not to attempt to sanitize them, and (2)
not to perform background scans, only scans on demand. This seems to
have halted the problem, and agrees perfectly with your explanations.
Earlier, looking for swap files, we had found on my colleague's HD
one /private/var/vm/swapfile0 (and indeed I have one too, 64 MB in
size, on my Tiger PowerBook), but no swapfile1 which was the file
reported by Norton AV as infected. Odd!
Why the problem only started on May 2 remains unexplained. Given that
the latest virus definition file on my colleague's setup dates back to
May 1, I tend to think that the problem is in this file, which would
erroneously (or maybe not ;-) define Norton AV as viral.
Bruno Voisin
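Added example, not part of the original thread or of Norton AV: a small triage helper that encodes the policy the thread arrives at, namely that a scanner hit on a file under /private/var/vm (swap) or /private/tmp (scratch) must be reported but never "sanitized" in place, because truncating a live swap file takes the system down. The two directory names are the ones quoted above; the function names, the detection-line format and the sample paths are assumptions of this example.

```shell
# Normalise the usual Mac OS X symlink spellings onto /private/... so
# that /var/vm/swapfile0 and /private/var/vm/swapfile0 compare equal.
# (Pure string rewriting; it does not touch the filesystem.)
normalize_path() {
    case "$1" in
        /var/*) printf '%s\n' "/private$1" ;;
        /tmp/*) printf '%s\n' "/private$1" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Print "volatile" for files that vanish on reboot and must never be
# truncated or quarantined while the system is running (swap files and
# /private/tmp scratch files), "scan" for everything else.
classify_path() {
    p=$(normalize_path "$1")
    case "$p" in
        /private/var/vm/swapfile*) printf 'volatile\n' ;;
        /private/tmp/*)            printf 'volatile\n' ;;
        *)                         printf 'scan\n' ;;
    esac
}

# Decide what to do with one detection of the form "<path> <signature>".
# The format is constructed for this example; real Norton AV logs differ.
# A volatile file is reported only; the remedy is a reboot, which drops
# the file anyway. The existence check mirrors the observation in the
# thread that the reported swapfile1 was already gone.
triage() {
    path=$1; sig=$2
    if [ "$(classify_path "$path")" = volatile ]; then
        if [ -e "$path" ]; then
            printf 'REPORT-ONLY %s (%s): volatile file, do not sanitize, reboot instead\n' "$path" "$sig"
        else
            printf 'REPORT-ONLY %s (%s): volatile file, already gone\n' "$path" "$sig"
        fi
    else
        printf 'QUARANTINE %s (%s)\n' "$path" "$sig"
    fi
}

# Constructed sample detections modelled on the thread.
triage /private/var/vm/swapfile1 Example.Signature
triage /var/vm/swapfile0 Example.Signature
triage /Users/bruno/Downloads/installer.pkg Example.Signature
```

The classification is deliberately string-based rather than relying on `readlink -f`, so it gives the same answer whether the scanner reports the symlinked or the canonical spelling of the path, and it works offline on any system.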