Mac OS X Threat Masquerading as a PDF Document

A new Mac OS X threat has been discovered masquerading as an innocent PDF document on a controversial topic. It implements one of the techniques used by Windows malware to hide its malicious activity.

When the Mac malware is executed, it attempts to drop and execute a non-malicious PDF file in the /tmp folder [Figure 1]. The PDF file and its content are intended to distract the user and hide the malicious activity running in the background. The dropper is detected as OSX/Revir.A.

[Figure 1 - Non Malicious PDF File]

While the user is convinced that they have opened a harmless PDF document, the malware is already running in the background and attempts to drop and execute a downloader component in /tmp/host. The downloader component is also detected as OSX/Revir.A.

The downloader component downloads the file "cdmax" from "tarmu.narod.ru", saves it in /tmp/updtdata and executes it. The file "cdmax" is detected as OSX/Imuler.A.

Once OSX/Imuler.A is executed, it attempts to drop a copy of itself as "checkvir" in /user/%user%/library/LaunchAgents/. It then creates "checkvir.plist" in the same folder, so that the backdoor is relaunched (LaunchAgent property lists in that folder are loaded when the user logs in) and stays active on the system.

It contacts the remote server "www.teklimakan.org" and is capable of performing the following commands:

  • Capture the screen
  • Upload files to the Command and Control server

How to Remove OSX/Revir.A and OSX/Imuler.A:

1) Kill the running process.

Using Spotlight, type in Activity Monitor to open it, filter by searching for "checkvir", select the process and click Quit Process.

2) Delete OSX/Revir.A and OSX/Imuler.A files and components.

Go to /tmp/host and delete the OSX/Revir.A file.
Go to /user/%user%/library/LaunchAgents/ and delete checkvir and checkvir.plist.
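The two removal steps above can be checked and carried out from a Terminal as well. The script below is an added example written for this write-up, not a tool from the original post or from Total Defense. It assumes that "/user/%user%/library/LaunchAgents/" refers to the per-user LaunchAgents folder, which on a real Mac is /Users/<username>/Library/LaunchAgents, i.e. $HOME/Library/LaunchAgents; that /tmp/updtdata may be either a file or a folder; and that pkill and launchctl are available (both ship with Mac OS X). The optional first argument is a root prefix so the functions can be exercised against a constructed directory tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the original write-up): scan for and remove the
# OSX/Revir.A and OSX/Imuler.A file indicators named in the analysis above.
# Assumptions: per-user LaunchAgents folder = $HOME/Library/LaunchAgents;
# PREFIX (arg 1, default empty = live system) is a root used for testing.

# Visit every indicator path under PREFIX. ACTION is "report" or "remove".
# Returns 0 if at least one indicator was present, 1 if the tree was clean.
imuler_walk() {
    prefix="$1"
    action="$2"
    hits=0
    for p in "$prefix/tmp/host" \
             "$prefix/tmp/updtdata" \
             "$prefix$HOME/Library/LaunchAgents/checkvir" \
             "$prefix$HOME/Library/LaunchAgents/checkvir.plist"; do
        if [ -e "$p" ]; then
            hits=$((hits + 1))
            case "$action" in
                remove) rm -rf -- "$p" && echo "REMOVED: $p" ;;
                *)      echo "FOUND: $p" ;;
            esac
        fi
    done
    [ "$hits" -gt 0 ]
}

# Step 0: report only. Exit status 0 = indicators present, 1 = clean.
imuler_scan() {
    imuler_walk "${1:-}" report
}

# Steps 1 and 2 of the write-up: stop the backdoor, unload its LaunchAgent,
# then delete the dropped files. Exit status 0 = something was removed.
imuler_remove() {
    prefix="${1:-}"
    plist="$prefix$HOME/Library/LaunchAgents/checkvir.plist"
    # Step 1: kill the running "checkvir" process (ignore "no such process").
    pkill -x checkvir 2>/dev/null || true
    # Unload the agent so launchd does not restart it (skipped where launchctl
    # is absent, e.g. when testing on a non-Mac host).
    if [ -e "$plist" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist" 2>/dev/null || true
    fi
    # Step 2: delete the dropper, the downloaded payload and the persistence files.
    imuler_walk "$prefix" remove
}

# Usage on a live system:  sh imuler_cleanup.sh        (scan only)
#                          sh imuler_cleanup.sh remove (scan and remove)
case "${1:-}" in
    remove) imuler_remove ;;
    "")     imuler_scan || echo "No OSX/Revir.A or OSX/Imuler.A indicators found." ;;
esac
```

Run it first without arguments to see which indicators are present; run it again with "remove" to carry out the cleanup, then re-run the scan to confirm the tree is clean. Deleting the plist before unloading the agent would leave the job registered with launchd until the next login, which is why the unload happens before the files are removed.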

Ensure that your Total Defense Products are updated with the latest signatures at all times.