http://news.yahoo.com/s/macworld/20060216/tc_macworld/oompa20060216
Peter Cohen - MacCentral Thu Feb 16, 5:04 PM ET
Reports indicate that someone has let loose a "Trojan horse" or worm for Mac OS X users. The program is hidden within a package that purportedly contains screenshots of Apple's as-yet unannounced next major revision to Mac OS X. Whether it's a Trojan horse or worm seems to vary depending on the source of the information. The code has also elicited a response from Apple, and a warning to its customers.
The package, called "latestpics.tgz," first surfaced recently on a Mac rumors Web site. Ambrosia Software president Andrew Welch independently verified it and has dubbed it the "Oompa-Loompa Trojan," because the files in question check for the presence of an attribute called "oompa," an apparent reference to the movie and book "Charlie and the Chocolate Factory."
Welch provides extensive details on the Ambrosia Software discussion forums.
When unpacked, the archive includes an application that resembles a JPEG file. When it's clicked on, the file executes and attempts to propagate itself via the buddy list of Apple's instant messaging software iChat.
Welch is careful to point out that this should probably be considered a Trojan horse, rather than a virus, "because it doesn't self-propagate externally."
So-called Trojan horses are differentiated from viruses because they masquerade as a regular application or file and do not replicate themselves arbitrarily.
Anti-virus software maker Sophos takes issue with this description, claiming this is the "first ever virus for Mac OS X."
"OSX/Leap-A is programmed to use the iChat instant messaging system to spread itself to other users. As such, it is comparable to an email or instant messaging worm on the Windows platform. Worms are a sub category of the group of malware known as viruses," said Sophos in a statement.
Symantec similarly classifies it as a worm, and classifies its threat containment and removal as "easy." McAfee, maker of Virex, also calls the code, which it refers to as "OSX/Leap," a worm.
Intego, makers of VirusBarrier, also confirmed the Trojan horse's existence. Because the code is distributed by iChat, Intego said, people are more likely to presume the file is legitimate. Intego advised users to update their virus definition files and "never open files received by e-mail or iChat unless they are sure that these files are safe."
Sophos, Symantec, McAfee and Intego have all added the code's description to their Mac anti-virus software files, which can be downloaded from each publisher's respective Web site.
OSX/Leap-A, Oompa-Loompa, or whatever else you want to call it, also requires an admin password if you're not running as an admin, said Ambrosia's Welch.
Additionally, Ambrosia's Welch said the software has a bug in its code that prevents it from working and prevents infected applications from launching. Still, he strongly advises users that find the "latestpics.tgz" file to avoid downloading or running it.
Apple also commented on the release of the code in a statement provided to Macworld.
"Leap-A is not a virus, it is malicious software that requires a user to download the application and execute the resulting file," said Apple. "Apple always advises Macintosh users to only accept files from vendors and Web sites that they know and trust. We have a guide to safely handling files received from the Internet at http://docs.info.apple.com/article.html?artnum=108009."
Updated Feb. 16 2006 5:00 PM: Added comments from Apple.