Word 2004 malware

[joel]

"Macworld UK has learned of a dangerous malware that deletes the Home folder on a Mac. The file is cunningly disguised as a Word 2004 for Mac demo - from the forthcoming Office 2004 for Mac suite.

A Macworld reader alerted the magazine to the malware after he downloaded the file from Limewire. The reader told Macworld: "I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy."

However, he added: "I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!""

[gonz]

Originally posted by joel
However, he added: "I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!""

Hello? Anyone naive enough to trust and install a file from a public P2P service without taking precautions pretty much deserves the consequences.

[joel]

Obviously it's someone so used to trying out "borrowed" software.

[gonz]

I don't know why Macworld UK is making such a big deal of this. Or rather, it's pretty obvious that Macworld UK is highlighting the story in reaction to the popular perception that OS X is relatively virus-free. But the fact is that malware disguised as legitimate files available on P2P or other file-sharing systems is nothing new on the Mac. When I was surfing the Hotline and Carracho server scene in 1997-98, I had already encountered malicious AppleScripts and small Mac apps employing social engineering -- being renamed as seemingly innocent files -- to dupe the naive and unsuspecting into downloading them and running them on their Macs. On Kazaa, Gnutella and other Windows-centric P2P networks, bogus files and booby traps are commonplace. To P2P veterans, these are simply part of the inherent risk of doing business on P2P.

[Mxzylplyk]

Hi,

I just have a question, pardon me if it sounds stupid:blush:

How do we define a computer virus or trojan? This recent malware sounds to me as just an application or program that was misnamed intentionally, and which also requires the user to execute it also intentionally.

From what I know this is very different form PC virus and trojans in which I have no idea where it came from, and often times you have no idea it is residing in your PC and using it to spread itself.

Is the recent malware really a virus or trojan?

[dust]

Just to clear things up for you:

* A virus is a program that runs in the memory space of another executable and replicates itself to other instances of that executable; essentially, it's an unwanted plug-in.
* A worm is a program that replicates itself against the user's wishes without requiring another executable as a host.
* A Trojan horse is a program that masquerades as a desired program in order to gain access to the user's system. Trojan horses may or may not replicate themselves.

This is pretty clearly a Trojan horse: it advertised itself to the lUser as a copy of Microsoft Word in order to gain access to his system. The payload of the unwanted software (be it virus, worm, Trojan, or something else) is irrelevant to its classification.

Source: http://apple.slashdot.org/comments.pl?sid=107345&cid=9131997

[Adel]

Gonz is right. Its a little hard to be sympathetic to people afflicted by this kind of Malware, since the method and motivation to acquire the software is questionable from the get-go. If Microsoft was releasing a demo, it would be public knowledge and available from conventional and authorized channels.

And wouldn't it be questionable if the file was available only from a P2P source? And how big would bloatware like MS Office be, even as a demo or beta? I think the relatively small size of the download (912k) would raise red flags right off. You get what you deserve, I guess.

[jotom]

Mac trojan horse dissected at this post at macosxhints.com.

http://www.macosxhints.com/article.php?story=20040512085517829

Lots of nice hints and comments on how best to prevent the trojan from ever touching your mac. If you care to read all the comments.

[ginoledesma]

... on how best to prevent the trojan from ever touching your mac...

1. Download only from trusted sites (official download sites, VersionTracker, MacUpdate, official mirrors)
2. Don't open email attachments as much as possible

Anything you get from Limewire or whatever P2P network is at your own risk. Don't blame Apple or anybody else.

As for this malware, Apple doesn't need to do anything about it. Why should it? :-/

[Edited on 5-13-2004 by ginoledesma]

[Henjie]

912K and some people actually believed that they have the Office 2004 demo? 912K is not even enough for a "Getting Started" guide considering how bloated Office is. :-)


~Henjie