Intego Protects Against New Mac OS X Trojan Horse

February 16, 2006

Intego, the Macintosh security specialist, provides protection, through its VirusBarrier antivirus program, against the newly discovered Oompa-Loompa Trojan horse, also called OSX/Oomp-A or Leap.A. This security threat affects Macintosh computers running Mac OS X on PowerPC processors. Replicating by sending itself to users’ iChat buddies, the Oompa-Loompa Trojan horse does not delete any files, but infects applications on computers where it runs, enabling those applications to in turn spread the virus.

Two versions of this Trojan horse exist, and the Intego Virus Monitoring Center immediately developed updated virus definitions, which it released on February 14, 2006, as soon as it discovered this threat, ensuring that VirusBarrier X and VirusBarrier X4 eradicate the Oompa-Loompa Trojan horse. All Intego VirusBarrier X and VirusBarrier X4 users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.

Initially appearing in a compressed file called latestpics.tgz, this Trojan horse, after being decompressed, appears to be a graphic file. When a user double-clicks it, expecting to see a picture, the program inserts a file called apphook.bundle in the user’s InputManagers folder, which then ensures that it is loaded into all other Cocoa applications the user launches. Using Spotlight, the Trojan horse searches for the four most recently used applications, then infects them. The apphook.bundle Input Manager attempts to send a copy of the original file, latestpics.tgz, to every person on a user’s iChat buddy list. Since users see this file coming from friends and colleagues, they are inclined to assume that it is safe, and therefore double-click the file a first time to decompress it, and a second time to attempt to “view” it.
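As an added defender-side check (not Intego's or VirusBarrier's code), the following Python script audits the Input Manager folders that Mac OS X loads into every Cocoa application, which is the persistence point described above. It assumes the two standard locations, ~/Library/InputManagers and /Library/InputManagers, flags the apphook.bundle name given in the advisory, and reports any other bundle that is not on an administrator's allow-list.

```python
"""Audit Mac OS X InputManagers folders for unexpected Input Manager bundles.

Added example, not Intego's code. Leap.A persists by dropping apphook.bundle
into the user's InputManagers folder so that every Cocoa application loads
it. Assumed load locations: ~/Library/InputManagers and /Library/InputManagers.
"""
from pathlib import Path

# Bundle name reported in the advisory (compared case-insensitively).
KNOWN_BAD = {"apphook.bundle"}


def default_roots(home=None):
    """The two assumed Input Manager folders: per-user and system-wide."""
    home = Path(home) if home else Path.home()
    return [home / "Library" / "InputManagers", Path("/Library/InputManagers")]


def audit_input_managers(roots, allowlist=frozenset()):
    """Return (relative_path, verdict) for every .bundle under the given roots.

    verdict is "known-bad" for the advisory's bundle name, "allowed" for names
    on the administrator's allow-list, and "unexpected" for everything else.
    Roots that do not exist are skipped silently.
    """
    findings = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for bundle in sorted(root.rglob("*.bundle")):
            if bundle.name.lower() in KNOWN_BAD:
                verdict = "known-bad"
            elif bundle.name in allowlist:
                verdict = "allowed"
            else:
                verdict = "unexpected"
            findings.append((str(bundle.relative_to(root)), verdict))
    return findings


def has_known_bad(findings):
    """True if any audited bundle matches the advisory's name."""
    return any(verdict == "known-bad" for _, verdict in findings)


if __name__ == "__main__":
    # Constructed allow-list: replace with the bundles you have vetted.
    vetted = frozenset({"ExampleVetted.bundle"})
    for path, verdict in audit_input_managers(default_roots(), vetted):
        print(f"{verdict:10s} {path}")
```

On an unaffected machine the report is normally empty; any "known-bad" or "unexpected" line is worth inspecting before the next Cocoa application is launched.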

Intego usually advises all Macintosh users to only download and open files and applications from trusted sources. In this case, however, users receive the Trojan horse via iChat from their buddies and are therefore likely to assume it is legitimate. So users should be additionally careful when receiving an unexpected attachment via iChat from someone in their buddy list. All users should update their virus definitions and never open files received by e-mail or iChat unless they are sure that these files are safe.

For detailed information about the Oompa-Loompa Trojan horse, including questions and answers, see http://www.intego.com/news/pressroom.asp
