
Austin, TX, February 16, 2006

INTEGO SECURITY ALERT

QUESTIONS AND ANSWERS ABOUT THE OOMPA-LOOMPA TROJAN HORSE
ALSO CALLED OSX/OOMP-A OR LEAP.A

Where did Intego first find out about this Trojan horse?

Intego received a copy of this Trojan horse on February 14, 2006, after an Intego user discovered it on a Macintosh forum. The user expected the file to contain pre-release pictures of a new operating system, but instead it infected his system. The user discovered this later when his iChat buddies asked why he was sending them files.

How can one be protected from this Trojan horse?

Intego VirusBarrier X and VirusBarrier X4 eradicate the Oompa-Loompa Trojan horse using their virus definitions dated February 14, 2006, and Intego remains diligent to ensure that VirusBarrier X and VirusBarrier X4 will also eradicate any future Trojan horses that try to exploit this same technique.

Is there more than one version of this Trojan horse?

The Intego Virus Monitoring Center has isolated two versions of this Trojan horse so far, and is monitoring suspicious activity to ensure that there are no others.

What does this file look like?

Initially appearing in a compressed file called latestpics.tgz, this Trojan horse, after being decompressed, appears to be a graphic file. However, if other hackers alter the current version of this Trojan horse, the file may have a different name.

How does this Trojan horse become active?

A user must either download the file from a web site, receive it as an e-mail attachment, or receive it via iChat. In the latter case, users are more likely to trust the source, even though the “sender” is not aware that the file has been sent. The user must double-click the file to decompress it, then double-click the resulting Trojan horse, which is disguised, via a custom icon, to resemble a graphic file.

Does this Trojan horse indicate its presence by asking for an administrator’s password?

No. This Trojan horse installs a file in a user’s Library/InputManagers folder if the user is not logged in as root. If the user is root, it installs itself in the system folder of the same type, /Library/InputManagers.

How does this Trojan horse infect a Mac OS X system?

When a user double-clicks the uncompressed graphic file, expecting to see a picture, the executable code in that file runs. The Trojan horse then inserts a file called apphook.bundle in the user’s InputManagers folder (in the user’s Library folder) which ensures that it is replicated in all other Cocoa applications the user launches. Using Spotlight, the Trojan horse searches for the four most recently used applications, then infects them. The apphook.bundle Input Manager attempts to send a copy of the original file, latestpics.tgz, to every person on a user’s iChat buddy list. Since users see this file coming from friends and colleagues, they are inclined to assume that it is safe, and therefore to double-click the file a first time to decompress it, and a second time to attempt to “view” it.
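A defender-side check that follows from the two install locations described above (an added example, not Intego's or VirusBarrier's code): it lists every bundle in the per-user and system-wide InputManagers folders, flags any that is not on a local allowlist, and gives a specific warning when the name matches the reported apphook.bundle. The ALLOWED_BUNDLES variable, the function name and the --run flag are assumptions for this example.

```shell
#!/bin/sh
# Added example: inventory Input Manager bundles and flag unexpected ones.
# Input Managers load into every Cocoa application, so an unknown bundle in
# either folder deserves a look. The allowlist below is a constructed
# placeholder; fill it with the bundle names you installed on purpose.
ALLOWED_BUNDLES="${ALLOWED_BUNDLES:-}"

# check_input_managers DIR [DIR...]
# Prints one line per bundle found. Returns 1 if any bundle is not on the
# allowlist, 0 otherwise. Folders that do not exist are skipped, which is the
# normal state on a Mac with no Input Managers installed.
check_input_managers() {
    found_bad=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue   # empty folder: the glob stays literal
            name=$(basename "$entry")
            case " $ALLOWED_BUNDLES " in
                *" $name "*)
                    echo "ok        $entry" ;;
                *)
                    if [ "$name" = "apphook.bundle" ]; then
                        # Name reported for this Trojan horse's Input Manager
                        echo "LEAP.A?   $entry (matches the reported bundle name)"
                    else
                        echo "UNKNOWN   $entry (not on allowlist; verify its origin)"
                    fi
                    found_bad=1 ;;
            esac
        done
    done
    return $found_bad
}

# Stand-alone use: sh leapcheck.sh --run
# Checks the user's own folder first, then the system-wide one used when the
# Trojan horse runs as root.
case "${1:-}" in
    --run)
        check_input_managers "$HOME/Library/InputManagers" "/Library/InputManagers"
        exit $? ;;
esac
```

The exit status makes the check usable from a login script or cron job: a non-zero status means at least one bundle needs review.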

Is this a Trojan horse, a virus, or a worm?

It is a combination of all three of these types of malware. First, it is a Trojan horse: an executable hidden inside a file disguised as a graphic file. Then it is a virus, as it replicates in other applications on a user’s computer. Finally, it is a worm, when it sends itself, via iChat, to other users.

Has Intego informed Apple about this Trojan horse?

Yes, we informed Apple as soon as we examined this Trojan horse and discovered its dangers. We have been in close contact with Apple to ensure that this Trojan horse is controlled as quickly as possible.

Does this Trojan horse delete any files?

No, it currently only infects applications and then sends itself to other users via iChat. However, it may be possible for other hackers to change this Trojan horse to delete files.

Does this Trojan horse affect any Mac OS X system files?

No, it only affects applications, at least in its current version.

Does this Trojan horse affect Mac OS 9 or earlier versions of Mac OS X?

No, it only affects Mac OS X 10.4 (Tiger).

Does this Trojan horse affect new Macintosh computers running Intel processors?

No, it only affects Macs running PowerPC processors.

How can you identify this Trojan horse?

This Trojan horse currently circulates under the name latestpics.tgz, but it is entirely possible that other versions will be created using different file names.

For further information about the Oompa-Loompa Trojan horse, see the related press release: http://www.intego.com/news/pressroom.asp

About Intego
Intego develops and sells desktop and server security and privacy software for Macintosh.

Intego provides the widest range of software to protect users and their Macs from the dangers of the Internet. Intego's multilingual software repeatedly receives awards from Mac magazines, and protects more than one million users in over 60 countries. Intego has headquarters in the USA, France and Japan.

# # # #