TICKET ARCHIVE -> Hacktool.underhand
andha - May 4, 2005 - 2:48 pm
My Mac has been infected by a Trojan Horse called hacktool.underhand.
Norton AntiVirus does not seem to be able to repair it.
Can anyone help me get rid of it?
Thanks
bobw - May 4, 2005 - 3:04 pm
Hi Xavier

This seems to be a problem with only Norton. It's been reported across the web, but only by people using Norton.

I would trash Norton from your system. It's been reported to be causing other problems with OS X also.

There are no viruses, trojans or spyware that can affect Macs.


--------
Bobw - MacOSX.com Tech Support
bobw@macosx.com
bobw - May 5, 2005 - 2:24 pm
Xavier

More info:

First of all, this is not a "virus". It is a trojan, and can only be installed on your computer by you or someone else
with local/physical/administrative access.
But that is beside the point, because you don't have this Trojan on your machine.


This is a FALSE POSITIVE because Symantec's signature for detecting this tool was too broad! Since the swapfile holds large amounts of dynamically changing data, they are apparently matching the same overly broad binary snippet they search for in your swapfile.

REPEAT: YOU DO NOT HAVE THIS TROJAN IF YOU ARE GETTING A NOTICE THAT IT'S IN YOUR SWAPFILE.

Underhand is a conventional .app application bundle that hides itself from the Dock and the normal user-space running process listings. It can physically be searched for, and its mode of operation is clear: it will be present in your Login Items and process listings, and runs from the user home directory's Library/Preferences folder. Yes, names can be changed, etc., but it is fundamentally a Mac OS X application bundle that runs interactively (albeit invisibly) while a user is logged in. A signature, in the context of AV detection, or anything else that defines it in that manner, is not present in swap; that is technically impossible. Therefore, this is a false positive, and the detection scheme likely appeared in Symantec's most recent definition update.

Symantec has CONFIRMED this and has issued new virus
definitions to fix their mistake:

http://service1.symantec.com/SUPPORT...05050417004611


--------
Bobw - MacOSX.com Tech Support
bobw@macosx.com
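The post above says the real Underhand is an ordinary application bundle that lives under the user's Library/Preferences folder and keeps itself out of the Dock, so it can be hunted for on disk rather than in swap. The script below is an added example, not from the original thread or from Symantec, that walks a directory for .app bundles and flags any whose Info.plist asks Launch Services to keep it out of the Dock. It assumes (the thread does not say how the bundle hides) that the usual mechanism is the LSUIElement or LSBackgroundOnly key; the helper names and the two fixture bundles it builds are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: find Dock-hidden .app bundles under a directory such as
# ~/Library/Preferences, where the post says the tool runs from.
# Assumption (not stated on the page): a bundle stays out of the Dock by
# setting LSUIElement or LSBackgroundOnly in Contents/Info.plist.
# Function names and fixture bundles below are constructed for this example.

# Print the path of every .app bundle under $1 whose Info.plist sets
# LSUIElement or LSBackgroundOnly to a true value (XML plists only).
find_hidden_bundles() {
    dir="$1"
    find "$dir" -type d -name '*.app' 2>/dev/null | sort | while IFS= read -r app; do
        plist="$app/Contents/Info.plist"
        [ -f "$plist" ] || continue
        # Strip whitespace so the key and its value become adjacent, then
        # look for <key>LSUIElement</key><true/> or a "1"/"YES"/"true" string.
        if tr -d '\n\r\t ' < "$plist" \
           | grep -Eq '<key>(LSUIElement|LSBackgroundOnly)</key>(<true/>|<string>(1|YES|true)</string>)'; then
            printf '%s\n' "$app"
        fi
    done
}

# Constructed fixture: one bundle that hides from the Dock and one that
# does not, so the scan can be exercised on any system.
make_fixture() {
    root="$1"
    mkdir -p "$root/Hidden.app/Contents" "$root/Normal.app/Contents"
    cat > "$root/Hidden.app/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>Hidden</string>
    <key>LSUIElement</key>
    <true/>
</dict>
</plist>
EOF
    cat > "$root/Normal.app/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>Normal</string>
</dict>
</plist>
EOF
}

# Stand-alone run: scan the directory given as $1, defaulting to the
# folder the post names. A hit is not proof of infection; compare it
# against your Login Items and against `ps aux` before deleting anything.
find_hidden_bundles "${1:-$HOME/Library/Preferences}"
```

A bundle flagged here still has to be judged: legitimate menu-bar helpers also set LSUIElement, so cross-check each hit against what you installed yourself and against the process listing, as the post advises.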