This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Minimum Engine: 5600.1067
File Length: 46007
Description Added: 2004-10-27
Description Modified: 2004-10-28
-- Update October 27th 2004 --
The risk assessment of this threat has been deemed Low-Profiled due to the following media attention:
http://www.arnnet.com.au/index.php/id;1771656169;fp;2;fpid;1
The worm is referred to as Renepo within the article.
--
Detection was added to cover a malicious file originally called "opener.sh", having a file size of 46007 bytes.
The file is a Unix-style shell script. In this case the script is specifically targeted at Macintosh systems running the OS X operating system, which supports Unix-style shell scripting. Previous Macintosh versions, such as Mac OS 9, have a different internal file/script structure and are not vulnerable to this worm.
The opener.sh shell script consists of many subroutines, each having malicious intent, but the main purpose is to disable the system firewall, collect user information and try to spread via shares.
This threat does not make use of an exploit, so for the script to run successfully on a system and make changes, the user account from which it is run must have sufficient rights. If no superuser/root/admin access is available, many of the subroutines will fail and generate errors.
When executed, the script tries to move itself to the /System/Library/StartupItems directory.
The various subroutines try to carry out the following tasks:
Infection starts with the execution of the opener.sh file, either manually (with the file pretending to be something else) or automatically by share-hopping. Properly configured OS X systems, with no file sharing enabled and not running with root/superuser/admin rights, should not be vulnerable.
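As an added defender-side check, not code from McAfee or from the worm, the following POSIX shell function walks a StartupItems-style directory and reports shell scripts whose size matches the 46007-byte opener.sh sample described above. The directory is passed as an argument so the same check can be run against the live /System/Library/StartupItems or against a copied or mounted image; the sample files in the test are constructed.

```shell
#!/bin/sh
# Walk a StartupItems-style directory (each startup item is normally a
# subdirectory holding an executable plus a StartupParameters.plist) and
# flag shell scripts whose byte length equals the opener.sh sample (46007).
# Legitimate startup scripts are small, so a size match on a shell script
# is a cheap first-pass indicator; confirm with current engine/DAT files.
find_suspect_startup_items() {
    dir="$1"
    found=0
    # Look at files one level down (inside item directories) and at the
    # top level (a loose script there is itself unusual).
    for f in "$dir"/*/* "$dir"/*; do
        [ -f "$f" ] || continue
        # wc -c pads its output with spaces on some systems; strip them.
        size=$(wc -c < "$f" | tr -d ' ')
        # Only shell scripts are of interest: a "#!" line naming a shell.
        head -n1 "$f" | grep -q '^#!.*sh' || continue
        if [ "$size" -eq 46007 ]; then
            echo "SUSPECT: $f ($size bytes, shell script)"
            found=$((found + 1))
        fi
    done
    echo "$found suspect item(s) under $dir"
    return 0
}
```

Run it as `find_suspect_startup_items /System/Library/StartupItems`; a reported path is a candidate for deletion only after the file has been confirmed with up-to-date detection.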
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.