
Malware Wiki

OSX.iWorm



Backdoor.OSX.iWorm.c or iWorm is a Mac OS X backdoor that connects to external hosts.

Behaviour

Upon execution, the backdoor copies itself to the following location:

/usr/bin/DivX

It also creates the following folder:

/System/Library/StartupItems/DivX/

Furthermore, it extracts the following two files from within itself:

/System/Library/StartupItems/DivX/StartupParameters.plist
/System/Library/StartupItems/DivX/DivX

The latter file (the DivX launcher script) contains the following shell script. It ensures the backdoor is run every time the system starts up:

#!/bin/sh
/usr/bin/DivX &

The former file (StartupParameters.plist) contains the following old-style property list. The Requires entry means the startup item is only launched once the Network service is active, so the backdoor does not start until networking is available:

{
 Description     = "DivX";
 Provides        = ("DivX");
 Requires        = ("Network");
 OrderPreference = "None";
}
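The persistence described above leaves a recognisable pattern: a StartupItems entry whose launcher script backgrounds a binary that lives outside the item's own folder, plus a StartupParameters.plist that declares a Network requirement. The following script is an added example (not code from this wiki page or from Securelist) that hunts for that pattern on an offline copy of a filesystem. It assumes the tree root is passed on the command line, includes a small parser for the NeXTSTEP-style plist dictionary format shown on the page (Python's plistlib only reads XML and binary plists), and, when run with no argument, builds a constructed sample tree containing the artifacts listed above and scans that instead.

```python
"""Hunt for iWorm-style StartupItems persistence on an offline macOS filesystem copy.

Added example, not code from the wiki page or from Securelist. Assumes the
root of a mounted image or copied tree is passed in; with no argument it scans
a constructed sample tree so the logic can be exercised without a live system.
"""
import os
import re
import sys
import tempfile
from typing import Dict, List

# Artifacts named on the page: the dropped binary and the StartupItems folder.
IWORM_BINARY = "/usr/bin/DivX"
STARTUP_ITEMS = "/System/Library/StartupItems"


def parse_ascii_plist(text: str) -> Dict[str, object]:
    """Parse the old-style (NeXTSTEP) dictionary plist shown on the page.

    Supports `Key = "string";` and `Key = ("a", "b");` entries only, which is
    all StartupParameters.plist uses.
    """
    result: Dict[str, object] = {}
    body = text.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    for key, value in re.findall(r'(\w+)\s*=\s*(\([^)]*\)|"[^"]*"|[^;]+);', body):
        value = value.strip()
        if value.startswith("("):
            result[key] = [v.strip().strip('"') for v in value[1:-1].split(",") if v.strip()]
        else:
            result[key] = value.strip('"')
    return result


def launched_binaries(script: str) -> List[str]:
    """Return absolute paths a launcher script executes (lines such as `/usr/bin/DivX &`)."""
    paths = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip the shebang, comments and blank lines
        first = line.split()[0]
        if first.startswith("/"):
            paths.append(first)
    return paths


def scan_startup_items(root: str) -> List[Dict[str, object]]:
    """Flag startup items whose launcher runs a binary outside the item's own folder.

    A Network requirement in the plist and the presence of /usr/bin/DivX are
    recorded as supporting reasons; many legitimate items require Network, so
    that alone is not treated as a finding.
    """
    findings = []
    items_dir = os.path.join(root, STARTUP_ITEMS.lstrip("/"))
    if not os.path.isdir(items_dir):
        return findings
    for name in sorted(os.listdir(items_dir)):
        item_dir = os.path.join(items_dir, name)
        launcher = os.path.join(item_dir, name)  # StartupItems launcher shares the folder name
        plist_path = os.path.join(item_dir, "StartupParameters.plist")
        if not (os.path.isfile(launcher) and os.path.isfile(plist_path)):
            continue
        with open(plist_path) as f:
            params = parse_ascii_plist(f.read())
        with open(launcher) as f:
            external = [b for b in launched_binaries(f.read()) if not b.startswith(STARTUP_ITEMS)]
        if not external:
            continue
        requires = params.get("Requires", [])
        reasons = ["launcher runs binary outside item folder: " + ", ".join(external)]
        if "Network" in requires:
            reasons.append("item waits for the Network service, as iWorm's plist does")
        if IWORM_BINARY in external and os.path.isfile(os.path.join(root, IWORM_BINARY.lstrip("/"))):
            reasons.append("dropped binary present at " + IWORM_BINARY)
        findings.append({"item": name, "binaries": external, "requires": requires, "reasons": reasons})
    return findings


def build_sample_tree(root: str) -> None:
    """Write a constructed copy of the page's artifacts under root (test data, not a real sample)."""
    item = os.path.join(root, "System/Library/StartupItems/DivX")
    os.makedirs(item, exist_ok=True)
    os.makedirs(os.path.join(root, "usr/bin"), exist_ok=True)
    with open(os.path.join(root, "usr/bin/DivX"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe")  # constructed placeholder: Mach-O magic only, no code
    with open(os.path.join(item, "DivX"), "w") as f:
        f.write("#!/bin/sh\n/usr/bin/DivX &\n")
    with open(os.path.join(item, "StartupParameters.plist"), "w") as f:
        f.write('{\n Description     = "DivX";\n Provides        = ("DivX");\n'
                ' Requires        = ("Network");\n OrderPreference = "None";\n}\n')


def demo() -> List[Dict[str, object]]:
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_startup_items(root)


if __name__ == "__main__":
    results = scan_startup_items(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for finding in results:
        print(finding)
```

Point the script at the root of a mounted image rather than a live `/`; on a live system the same check is better done with the launcher and plist paths read through your EDR or collection tooling.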


Payload

The backdoor connects to the following hosts:

69.***.146:59201
qwfoj***ostia.com:1024

Through these connections the backdoor receives instructions, including which commands it should execute, giving the operator full control of the infected computer. The command set it recognises is:

socks
system
httpget
httpgeted
rand
sleep
banadd
banclear
p2plock
p2punlock
nodes
leafs
unknowns
p2pport
p2pmode
p2ppeer
p2ppeerport
p2ppeertype
set
get
clear
abortall
p2pihistsize
p2pihist
platform
script
sendlogs
uptime
uid
shell
rshell

As with most backdoors, it enrols the infected computer in a botnet.

Further technical information

MD5: Unavailable
SHA1: Unavailable

Sources

Securelist (Kaspersky Labs), Backdoor.OSX.iWorm.c
