Skip to content

Threat Encyclopedia
OSX_KROWI.A

Overview

Malware type: Others

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Mac OS X

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 Low

Distribution potential:

 Low

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

OSX_KROWI.A Behavior Diagram

Malware Overview

This malware arrives as a file bundled with pirated versions of Apple's iWork '09 suite which may be downloaded from file sharing Web sites.

It attempts to install itself as iWorkServices. It then modifies the attribute of the installation folder by executing the command chmod 755 to set read and execute access for everyone and also write access for the owner of the file.

This malware creates the property list StartupParameters.plist in the startup item directory. Once connected, P2P commands may be executed on the affected machine.

This malware connects to Web sites to send and receive information.

For additional information about this threat, see:

Description created: Jan. 23, 2009 5:06:26 AM GMT -0800

Technical Details

File type: Java Class

Size of malware: 413,568 Bytes

Initial samples received on: Jan 23, 2009

Details:

This malware arrives as a file bundled with pirated versions of Apple's iWork '09 suite which may be downloaded from file sharing Web sites. The malicious code is stored in iWorkServices.pkg as shown below:

It attempts to install itself as iWorkServices in the /usr/bin and in /System/Library/StartupItems/iWorkServices folders.

It then modifies the attribute of the installation folder by executing the command chmod 755 to set read and execute access for everyone and also write access for the owner of the file.

This malware creates the property list StartupParameters.plist in the startup item directory /System/Library/StartupItems/iWorkServices which contains the following data:

{
Description = "iWorkServices";
Provides = ("iWorkServices");
Requires = ("Network");
OrderPreference = "None";
}

Once connected, the following P2P commands may be executed on the affected machine:

  • banadd
  • banclear
  • clear
  • get
  • httpget
  • httpgeted
  • leafs
  • nodes
  • p2pihist
  • p2pihistsize
  • p2plock
  • p2pmode
  • p2ppeer
  • p2ppeerport
  • p2ppeertype
  • p2pport
  • p2punlock
  • platform
  • rand
  • rshell
  • script
  • sendlogs
  • set
  • shell
  • sleep
  • socks
  • system
  • uid
  • unknowns
  • uptime

Other Details

This malware connects to the following Web sites to send and receive information:

  • {BLOCKED}.92.{BLOCKED}.146:59201
  • {BLOCKED}fojzlk.freehostia.com:1024

Affected Platforms

This malware runs on Mac OS X.

Analysis By: Jasper Manuel

Revision History:

First pattern file version: 5.802.04
First pattern file release date: Jan 28, 2009

Solution

Minimum scan engine version needed: 8.700

Pattern file needed: 5.827.00

Pattern release date: Feb 9, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

 Step 1: Search and delete this file and folder  [learn how]

  • File: /user/biniWorkServices
  • Folder: /System/Library/StartupItems/iWorkServices

 Step 2: Scan your computer with your Trend Micro product to clean files detected as OSX_KROWI.A

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.


Connect with us on