Leap-A virus forwards itself to contacts on the infected user's buddy list
The first virus to target Apple's OS X operating system has been identified in the wild.
Leap-A (also known as Oompa-A) spreads via the iChat instant messaging system, forwarding itself as a file called 'latestpics.tgz' to contacts on the infected user's buddy list.
When the file is opened on a computer it disguises itself with a JPEG graphics icon in an attempt to fool people into thinking it is harmless.
"Some owners of Mac computers have held the belief that Mac OS X is incapable of harbouring computer viruses, but Leap-A will leave them shell-shocked as it shows that the malware threat on Mac OS X is real," said Graham Cluley, senior technology consultant at Sophos.
"Mac users should not think it's OK to lie back and not worry about viruses. "
Cluley said that his company released a signature file for the virus at midday. Other manufacturers will follow suit, as antivirus researchers from rival companies cooperate on new threats.
Mac users on online forums have denied that the online pest is a worm and instead qualify it as a Trojan. It requires the user to manually download and open the file before a system is infected. Users who aren't running on administrator accounts furthermore are prompted to enter an administrator password.
None of those facts however precludes OSX/Leap.A from qualifying as a worm, Sophos countered. The main difference between a Trojan and a worm is the pest's ability to spread itself.
"OSX/Leap-A is programmed to use the iChat instant messaging system to spread itself to other users. As such, it is comparable to an email or instant messaging worm on the Windows platform," the security provider stated. "Worms are a sub category of the group of malware known as viruses."
- This story was updated at 18:33 to add information about the worm vs. Trojan debate. Tom Sanders contributed to this story from California.
© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093
Do you agree?
uh
so any executable file, with a custom icon is now called visus?
i mean it LAUNCHES A TERMINAL IF YOU DOUBLE CLICK, ASKING FOR ADMIN RIGHTS!
jeah must be a jpeg, i think i'll install that.
Posted by chris, 16 Feb 2006
Yawn
Slow news day. Let us know when a real OS X threat occurs.
Posted by Treena Williams, 16 Feb 2006
splitting hairs
I understand that this virus is actually a trojan, but the concept is what is of concern. Many of the worst exploits of windows systems are similar in that they require user input, often as a user with admin privileges. Most users outside of a controlled environment run as admin, and many users ignore warnings that systems or applications display, even on mac computers. And many users seem to click on content that they are not sure about. So if a malicious file is disguised well, the chances that a user will launch the program/trojan/virus is high.
Some baad people don't care what the system is so long as it can run whatever payload they are attempting to distribute, and certainly automated systems that are already infected do not care that the next target system is a sexy, sleek G5.
Believing that mac computers or any ohter systems are not vulnerable to attacks from malicious entities just because the system is 'secure' or not a target is just plain wrong. All machines connected to the internet are at risk and until all users ply the internet with at least a modicum of caution, attacks and vulnerabilities will continue to be propagated. More so on windows systems for now, but don't worry, macs and linux boxes will have their time in the spotlight as well...
Posted by concerned citizen, 16 Feb 2006
It's not a virus
It requires user activation via input of the administrator and is therefore a trojan horse. It is file masquerading as something else and does not exploit any vulnerabilities in Mac OS X. Safari warns the user upon download of the file that it could be harmful.
Posted by hoppo629, 16 Feb 2006
What damage?
In order for it to be qualified as a virus, it has to do damage to your system. This article failed to describe the type of damage it does,so therefore it is hard to believe the claim that is presented here.
Posted by Viviana Wong, 16 Feb 2006
Self-serving FUD
More self-serving FUD from a anti-virus software company. If they can't find a real security exploit, create something that resembles one and call it a "virus" so that they can justify the sale of their anti-virus software.
Posted by WindozeBloze, 16 Feb 2006
NOT A VIRUS! Quit spreading more FUD!
A virus spreads by itself, a trojan house, however, this could be categorized.
Open up a dictionary.
Posted by mv2005, 16 Feb 2006
Just self serving fud...
Please.... This so called "virus" is nothing more than than a Unix shell script where someone has pasted the icon for a jpeg on in the Get info dialog and then sent it to someone else via iChat.
Posted by yea baby..., 16 Feb 2006
virus?
http://en.wikipedia.org/wiki/Computer_worm
http://en.wikipedia.org/wiki/Trojan_Horse_%28Computing%29
Read the facts. Not that wikipedia is all facts but most of it's pretty legit.
Posted by a, 16 Feb 2006
dumb***
You need a dictionary to spell "horse" correctly.
Posted by Airtight Granny, 16 Feb 2006
Can NOT Spread Over the NET
OK, I'm late to the comment party but this still needs to be said: Although this Trojan/Worm/Whatever will automatically ASK the buddies on the infected machine's buddy list if they will accept a file transfer, it will only do so if the user has enable Bonjour and will only do so via the Bonjour buddy list. Know what that means? Means it does NOT spread over the internet, just potentially over a LOCAL NETWORK.
One other point: Symantec's web site shows the magnitude of this "infection" with this:
Number of infected systems: 0-49
How can these little facts fail to make it into this article? How?
Posted by Wingsy, 22 Feb 2006