Description
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
Applications may fail to run correctly, because the hook installed by the worm, due to incorrectly written code, fails to return control properly to the hooked process.
Methods of Infection
The worm installs an Input Manager hook ("apphook") into the local system library folder; the system then injects it into the address space of each application as it loads. The hook in turn calls into the virus code, which attempts to send out copies of the worm.
The file being distributed is called "latestpics.tgz", having a filesize of 40.893 bytes decimal. Inside this file are 2 other files embedded:
- "._latestpics", filesize 43.694 bytes decimal
- "latestpics", filesize 39.596 bytes decimal
The first file ._latestpics is used to create a fake jpeg icon. The file latestpics is the malicious file.
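As an added defender-side example (not part of this description and not a vendor tool), the following Python script scans a .tgz for the layout described above: an executable that travels with an AppleDouble "._" sidecar to give it a picture icon. The archive it scans is constructed inline from dummy bytes; the magic numbers are the standard Mach-O and AppleDouble ones, and the image-extension check is an added generalization beyond this sample.

```python
import io
import tarfile

# Magic numbers of Mach-O executables (32/64-bit, either byte order) and of
# universal ("fat") binaries: a "picture" beginning with one of these is a program.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # start of a "._name" resource-fork sidecar
JPEG_MAGIC = b"\xff\xd8\xff"


def scan_archive(tgz_bytes):
    """Return (member name, reason) pairs for .tgz members that are Mach-O
    executables dressed up as images: either shipped with an AppleDouble "._"
    sidecar (which is what carries a custom icon) or named with a picture extension."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for name, member in members.items():
            folder, _, base = name.rpartition("/")
            if base.startswith("._"):
                continue  # a sidecar is judged through the file it belongs to
            if tar.extractfile(member).read(4) not in MACHO_MAGICS:
                continue
            sidecar = members.get(folder + "/._" + base if folder else "._" + base)
            if sidecar and tar.extractfile(sidecar).read(4) == APPLEDOUBLE_MAGIC:
                findings.append((name, "Mach-O executable with AppleDouble icon sidecar"))
            elif base.lower().endswith((".jpg", ".jpeg", ".png", ".gif")):
                findings.append((name, "Mach-O executable with image extension"))
    return findings


def build_sample():
    """Constructed archive with the layout described above; the member contents
    are dummy bytes, not the real files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("._latestpics", APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + bytes(60)),
                           ("latestpics", b"\xfe\xed\xfa\xce" + bytes(60)),
                           ("holiday.jpg", JPEG_MAGIC + b"\xe0" + bytes(60))):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_archive(build_sample()):
        print(f"{name}: {reason}")
```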
It attempts to masquerade as a jpeg image file to trick the user into executing it.
Leap requires user interaction in order to infect a machine: the user receiving an instant message containing the worm has to extract the executable from the archive and then run it as admin. When run, it is immediately apparent that it is not a harmless jpeg file but a malicious binary. It runs in command/shell mode, opening a terminal session in which to execute; the default banner "Welcome to Darwin!" can be seen.
It tries to copy itself to the /tmp directory and creates the "apphook.bundle" Input Manager.
Once done, the following lines appear at the bottom of the terminal window:
- ;exit
- logout
- [Process completed]
Aliases
CME-4, OSX/Leap-A (Sophos), OSX/Oomp