OSX/PWS-Corpref

This page shows the details and results of our analysis of the malware OSX/PWS-Corpref.

Overview

OSX/PWS-Corpref is a password-stealing trojan that targets Apple Macintosh OS X users and masquerades as a poker game program.

Minimum DAT: 5327 (2008-06-27)
Updated DAT: 5327 (2008-06-27)
Minimum Engine: 5.1.00
File Length: Varies
Description Added: 2008-06-26
Description Modified: 2008-06-26

Malware Proliferation

Characteristics

OSX/PWS-Corpref is a password-stealing trojan that targets Apple Macintosh OS X (MacOS X) users and masquerades as a poker game program.

When run, it executes AppleScript to display a message reporting a "corruption" in the program and prompts the user for the administrator password to "fix" it. On MacOS X it is typical for the user to be asked for a password before performing any administrator task, so the prompt does not look out of place.

The trojan verifies the password by running the "id" system command to check that it is now running with the administrator user ID. When this check fails, it prompts the user again to enter the right password.

When the check succeeds, OSX/PWS-Corpref can modify system files and configurations with administrator (sudo) permissions. One of the following files, depending on the OS version, is changed to enable the remote login service (SSH) on the infected MacOS X machine:

  • /System/Library/LaunchDaemons/ssh.plist (MacOS X 10.4 and 10.5)
  • /private/etc/xinetd.d/ssh (MacOS X 10.3)
  • /etc/hostconfig (MacOS X 10.2)

The password hashes are then dumped into a file, which is sent by e-mail to the malware author along with the user name, password and IP address through the following web server:

  • hxxp://psid{blocked}.com/mailer/{blocked}.php

Symptoms

  • Unexpected network connections to the mentioned website(s).
  • Unexpected enabling of the remote login (SSH) service.
  • Presence of the mentioned dialog messages.
  • Presence of the PokerGame program with the below characteristics:
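
The following shell script is an added example for defenders and is not part of the original description: it reports whether the remote login (SSH) service is enabled according to each of the three configuration files the Characteristics section names, which is the symptom listed above. It assumes the stock Mac OS X conventions for those files (the launchd plist disables the job with a Disabled key set to true, the xinetd entry uses "disable = yes", and hostconfig uses SSHSERVER=-YES- or -NO-); the sample files it writes are constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original description: check whether the remote
# login (SSH) service is enabled according to the three configuration files the
# description names. Paths are taken as arguments so the checks can be run against
# the live files on a Mac, or against copies pulled off a suspect machine.
# Assumptions (stock Mac OS X conventions, not stated on the page): the launchd
# plist disables the job with <key>Disabled</key><true/>, the xinetd entry uses
# "disable = yes", and hostconfig uses SSHSERVER=-YES-/-NO-.

# Mac OS X 10.4/10.5: /System/Library/LaunchDaemons/ssh.plist.
# launchd treats the job as enabled unless Disabled is true.
ssh_state_launchd() {
    # Strip whitespace so the key and its value sit side by side regardless
    # of how the plist is indented.
    if tr -d ' \t\n\r' < "$1" | grep -q '<key>Disabled</key><true/>'; then
        echo disabled
    else
        echo enabled
    fi
}

# Mac OS X 10.3: /private/etc/xinetd.d/ssh. A "disable = yes" line keeps
# xinetd from listening on behalf of sshd.
ssh_state_xinetd() {
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"; then
        echo disabled
    else
        echo enabled
    fi
}

# Mac OS X 10.2: /etc/hostconfig. SSHSERVER=-YES- starts sshd at boot.
ssh_state_hostconfig() {
    if grep -Eq '^SSHSERVER=-YES-' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# Write constructed sample files (one stock and one tampered copy of each
# format) into a scratch directory and print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/ssh_stock.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>Disabled</key>
	<true/>
	<key>Label</key>
	<string>com.openssh.sshd</string>
</dict>
</plist>
EOF
    # Tampered copy: Disabled flipped to false, as a trojan enabling SSH would leave it.
    sed 's#<true/>#<false/>#' "$d/ssh_stock.plist" > "$d/ssh_tampered.plist"
    printf 'service ssh\n{\n\tdisable = yes\n\tsocket_type = stream\n}\n' > "$d/xinetd_stock"
    printf 'service ssh\n{\n\tdisable = no\n\tsocket_type = stream\n}\n' > "$d/xinetd_tampered"
    printf 'SSHSERVER=-NO-\nWEBSERVER=-NO-\n' > "$d/hostconfig_stock"
    printf 'SSHSERVER=-YES-\nWEBSERVER=-NO-\n' > "$d/hostconfig_tampered"
    echo "$d"
}

# Report the state of every sample so the three checks can be seen side by side.
report_samples() {
    d=$(make_samples)
    for f in ssh_stock.plist ssh_tampered.plist; do
        printf '%-22s %s\n' "$f" "$(ssh_state_launchd "$d/$f")"
    done
    for f in xinetd_stock xinetd_tampered; do
        printf '%-22s %s\n' "$f" "$(ssh_state_xinetd "$d/$f")"
    done
    for f in hostconfig_stock hostconfig_tampered; do
        printf '%-22s %s\n' "$f" "$(ssh_state_hostconfig "$d/$f")"
    done
    rm -rf "$d"
}

report_samples
```

On a live machine, call the function that matches the OS version with the real path (for example ssh_state_launchd /System/Library/LaunchDaemons/ssh.plist). A result of "enabled" on a Mac where nobody turned on Remote Login in the Sharing preferences is the symptom the description lists; the stock samples above all report "disabled", and the tampered copies report "enabled".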

Method of Infection

This trojan masquerades as a poker game program for Apple MacOS X to entice users into running it.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants