Sophos announced it has discovered the very first virus that targets the Apple Mac OS X platform. The virus is codenamed OSX/Leap-A and spreads via
Chat instant messaging system clients.
The worm attempts to spread via the iChat instant messaging system, sending itself to available contacts on the infected users' buddy list in a file called latestpics.tgz. This file is an archive consisting of: latestpics: the worm executable
._latestpics: a hidden resource file designed to disguise the executable as a JPEG image
OSX/Leap-A installs itself as an application hook by deleting the "apphook" subdirectory of either the /Library/InputManagers/ directory (if run with root permissions) or the ~/Library/InputManagers/ directory (if run as a non-root user) and replacing it with the following three files:
OSX/Leap-A attempts to infect recently used applications by overwriting the original application with a copy of the worm, storing the original application in the file's resource fork. Infected application files have the following extended attribute:
OSX/Leap-A also creates the following temporary files:
and several files under