OSX/Tored.worm

This page shows details and results of our analysis on the malware OSX/Tored.worm

Overview

-- Update May 6, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/05/06/mac_email_worm/
--


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 5594 (2009-04-23)

Updated DAT: 5594 (2009-04-23)

Minimum Engine: 5.2.00

File Length: N/A

Description Added: 2009-04-22

Description Modified: 2009-05-06

Malware Proliferation

Characteristics

This malware is a worm with bot capabilities, written in RealBasic. Due to several bugs in the code, this worm may work only partially or not at all.

It mails itself to email addresses found in the Address Book stored on the machine and it is able to propagate over the network by copying itself to network shares (assuming sufficient permissions exist) and removable disks (though, this does not seem to work correctly).

It also creates a few copies of itself under the following filenames:

  • systemupdate
  • applesystem

The emails are formed like this:

Subject: " For Mac OS X ! :(If you are not on Mac please transfer this mail to a Mac and sorry for our fault :)"

'From' field: "AppleFu" + [2 random letters] + "cker@mail." + [2 random letters]

Mail body:

One of these strings:

  • "Hi "
  • "Hey"
  • " Hello"
  • "y0 "
  • "Yo"
  • "Selem alaykom"
  • "Friend ! :) , "

Followed by one of those:

  • " friend "
  • " dude"
  • " man"
  • " you"

The third part is chosen among:

  • " wassup ?"
  • " how it is going "
  • " I missed you ! ^^"
  • " what is up there? "
  • " what is new ?"
  • " how are you"
  • " sup?"

The fourth part consists of a random string, and the fifth part is also chosen at random from:

  • "Traducting and decrypting message .... : "
  • "Traducting and decrypting message .... :Sir , Your Text !"
  • "Traducting and decrypting message .... :Error For Sending ,It Is Important to Get Your Data "
  • "Traducting and decrypting message .... :Chek It "
  • "Traducting and decrypting message .... :Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement"
  • "Traducting and decrypting message .... :Check"
  • "Traducting and decrypting message .... :Your Identidie Has Been ....Chek Attchement For More Information"
  • "Traducting and decrypting message .... :You Has Been Comprimased , updating tools are as an attachement !"
  • "Traducting and decrypting message .... :Credi Money Has Been Sent As A Binary File for thanks for the updating, Chek"
  • "Traducting and decrypting message .... :New update tools "
  • "Traducting and decrypting message .... :Chek your update application !"
  • " Traducting and decrypting message .... :Your information was ..."

Some other emails may be sent too when the 'spamming' mode is turned on. Those are formed like this:

The subject is created by using one of these strings:

  • "Hi , Chek"
  • "Sir , Your Text !"
  • "Error For Sending ,It Is Important to Get Your Data "
  • "Chek It "
  • "Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement"
  • "Check"
  • "Your Identidie Has Been ....Chek Attchement For More Information"
  • "You Has Been Comprimased , Chek !"
  • "Credi Money Has Been Sent As A Binary File , Chek"
  • "New porn tools "
  • "Chek your XXX application !"
  • " Your information was ..."

The mail body is empty and the 'from' field is spoofed using one of these email addresses:

The SMTP servers that the worm attempts to use are:

  • "smtp.9online.fr"
  • "mail.club-internet.fr"
  • "mail.diligo.fr"
  • "smtp.free.fr "
  • "smtp.infonie.fr"
  • "smtp.libertysurf.fr"
  • "smtp.nerim.fr"
  • "mail.cybercable.fr"
  • "mail.oreka.com"
  • "smtp.wanadoo.fr"
  • "mail.worldnet.fr"
  • "smtp.laposte.net"

The worm is also attached to these mails.
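The propagation mails and the 'spamming' mode mails described above share a small set of fixed strings (the subject, the 'From' address shape and the "Traducting and decrypting message" marker), which makes them easy to match at a mail gateway. The following is an added example of such a matcher, not code from the original analysis; it uses only the indicators listed on this page, and the sample messages, the address `AppleFuqwcker@mail.xz` and the attachment name `update.bin` are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Indicator strings taken from the analysis above (propagation mail).
PROPAGATION_SUBJECT = (
    "For Mac OS X ! :(If you are not on Mac please transfer this mail "
    "to a Mac and sorry for our fault :)"
)
BODY_MARKER = "Traducting and decrypting message .... :"
# 'From' field: "AppleFu" + 2 random letters + "cker@mail." + 2 random letters
FROM_PATTERN = re.compile(r"^AppleFu[A-Za-z]{2}cker@mail\.[A-Za-z]{2}$")

# Subjects used in 'spamming' mode. "Check" is in the analysis's list but is
# far too generic to act on by itself, so it is deliberately left out here.
SPAM_SUBJECTS = {
    "Hi , Chek",
    "Sir , Your Text !",
    "Error For Sending ,It Is Important to Get Your Data",
    "Chek It",
    "Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement",
    "Your Identidie Has Been ....Chek Attchement For More Information",
    "You Has Been Comprimased , Chek !",
    "Credi Money Has Been Sent As A Binary File , Chek",
    "New porn tools",
    "Chek your XXX application !",
    "Your information was ...",
}


def _text_body(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def tored_indicators(raw_message: str) -> list:
    """Return the Tored indicators found in an RFC 822 message string, in a fixed order."""
    msg = message_from_string(raw_message)
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject == PROPAGATION_SUBJECT:
        hits.append("subject:propagation")
    if subject in SPAM_SUBJECTS:
        hits.append("subject:spam-mode")
    _, from_addr = parseaddr(msg.get("From") or "")
    if FROM_PATTERN.match(from_addr):
        hits.append("from:applefu-pattern")
    if BODY_MARKER in _text_body(msg):
        hits.append("body:traducting-marker")
    return hits


def is_tored_mail(raw_message: str) -> bool:
    """A message is flagged when any of the page's indicators is present."""
    return bool(tored_indicators(raw_message))


# Constructed sample messages (not real captures).
SAMPLE_WORM_MAIL = """\
From: AppleFuqwcker@mail.xz
To: user@example.invalid
Subject: For Mac OS X ! :(If you are not on Mac please transfer this mail to a Mac and sorry for our fault :)
Content-Type: text/plain

Hi friend wassup ?
gh7Qx2
Traducting and decrypting message .... :Chek It
"""

SAMPLE_SPAM_MAIL = """\
From: someone@example.invalid
To: user@example.invalid
Subject: New porn tools
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="update.bin"

AAAA
--XYZ--
"""

SAMPLE_CLEAN_MAIL = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: Meeting notes
Content-Type: text/plain

Hi, attached are the notes from today.
"""

if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM_MAIL), ("spam", SAMPLE_SPAM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(name, is_tored_mail(raw), tored_indicators(raw))
```

The subject and 'From' checks are exact or anchored matches rather than substring searches, because several of the spam-mode subjects are short enough to appear in ordinary mail; the body marker is the one substring match, and it is distinctive enough (including the four-dot spelling) to stand alone.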

The bot part of the worm can understand several commands:

  • beep
  • log.start
  • log.stop
  • update
  • navigate
  • spam.on
  • spam.off
  • ddos.on (DDoS against TCP port 80)
  • ddos.off

It also listens on TCP port 9999, contains a keylogger, and is able to download and execute additional files.

Symptoms

  • Existence of the files mentioned above

Method of Infection

This worm does not use any exploit code to execute the mail attachment automatically. A user has to double-click an infected attachment, or a file shared via P2P, to infect the machine.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Reset and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click on "Repair Your Computer".
3. When the System Recovery Options dialog comes up, choose the Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Reset and remove the CD from the CD-ROM drive.

Variants