Industry guru Dave Taylor offers tech support on technical and business topics, including iPhone, iPod, Microsoft Windows, Sony PSP, cellphones, online advertising, CSS, Web design, business, Unix, Linux, SEO, Mac OS X, and shell script programming.     


What's the scoop with the Mac OS X virus "Leap.A"?

A virus on the Mac. Gadzooks, what's next? Spyware? Ug. Meanwhile, can you tell us a bit more about this code, how it works and how we can avoid being infected?


Dave's Answer:

It's amazing how the hype machine works in the computer industry, actually. When I'm using my PC, I am constantly exposed to viruses, spyware, adware and other malicious applications, scripts and attachments, but when someone releases a pretty lame virus on the Mac - if it's even that at all - suddenly Chicken Little pops out of the woodwork and tells us that the sky is falling.

It's not. In fact, this isn't much of a virus, more of a trojan horse and a "social engineering" experiment at that, because what you would see is a compressed tar archive (filename suffix ".tgz") that contains an executable script that simply has a JPEG graphic icon associated with it.

Let's have a look!

First off, you'd have to actively download or otherwise save the file that contains this executable, masquerading as a JPEG file. Here's how it would look to the Finder as a package and once it's unpacked:

Mac OS X Virus: LatestPics.tgz / Leap.A worm

I admit, it's pretty legitimate looking, but if you're a reasonably safe computer user, you'd either drop this graphic onto your graphics program or try to open it in same: Here's what happens when GraphicConverter tries to open this "JPEG" image:

Mac OS X Virus: GraphicConverter trying to open latestpics / Leap.A worm

Hmmm... it's greyed out, so I can't select it. Most strange!

Let's have a look at the file's Get Info box instead:

Mac OS X Virus: Get Info on latestpics / Leap.A worm

So there's the warning bell: it's a Unix Executable File, not a "JPEG" graphic image at all.

Now, to be fair, I have been known to just double-click on a JPEG image to open it up, and that would cause trouble in this case. But I never open up attachments from strangers and don't even visit unknown sites without using a rarely-launched browser, etc.

By this point, you should be completely paranoid about this: any executable that's masquerading as a JPEG image is clearly up to no good, so rather than opening it, your best bet is to drag it to the trash and then empty the trash ASAP to ensure you don't have any problems down the road.

Rather than talk about how this works, a topic that's very well covered by Andrew Welch over at Ambrosia SW, I'd just like to highlight that when you download even the most innocuous files from discussion boards, get attachments from unknown parties, or even get email with attachments from people you know with oddly succinct message bodies like "check this out", be suspicious.

If nothing else, use our friend Get Info in the Finder to check out the details of the attachment and never, never, never run random executables that aren't from a known and trusted source.

And yes, at this point it might well be useful to get some sort of antivirus application for your Mac, unfortunately, and at the least, make sure you aren't running as the "admin" user for your day-to-day activities on the 'net.

Read more about the Mac OS X Leap.A virus / worm / trojan horse:

  •   Andrew Welch @ Ambrosia SW
  •   Rob Griffiths and Kirk McElhearn @ Macworld
  •   F-Secure's official page on Leap.A
  •   Symantec's Threat Information Page on OSX.Leap.A
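
The Get Info check described above can also be done before an archive is ever unpacked. The following is an added example, not code from the original article: it reads the first bytes and the permission bits of each member of a .tgz without extracting anything and reports members that are really executables. The function names, file names and sample bytes are constructed for illustration.

```python
import io
import tarfile

# Leading bytes that mark executable content, whatever the name or icon says.
EXEC_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit little-endian",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit little-endian",
    b"\xca\xfe\xba\xbe": "Mach-O universal (or Java class)",
}

def classify(head):
    """Name the content type from a member's first four bytes."""
    if head[:2] == b"#!":
        return "script"
    if head[:3] == b"\xff\xd8\xff":
        return "JPEG image"
    return EXEC_MAGIC.get(head[:4], "unknown")

def scan_archive(fileobj):
    """Return (name, kind, reasons) for risky members of a .tgz, without extracting."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in (m for m in tar if m.isfile()):
            kind = classify(tar.extractfile(member).read(4))
            reasons = []
            if kind == "script" or kind in EXEC_MAGIC.values():
                reasons.append("executable content")
            if member.mode & 0o111:
                reasons.append("execute bit set")
            if reasons:
                findings.append((member.name, kind, ", ".join(reasons)))
    return findings

def build_sample():
    """Constructed sample archive: a JPEG header and a disguised executable."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in [
            ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16, 0o644),
            ("latestpics", b"\xfe\xed\xfa\xce" + b"\0" * 16, 0o755),
        ]:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())

print(scan_archive(build_sample()))
```

To check a downloaded file, pass `open(path, "rb")` to `scan_archive`; an empty list means no member looked like an executable, not that the archive is safe.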







Categorized: Mac OS X Help   (Article 5958, Written by )
Tagged: mac os x virus, mac trojan horse, mac virus, oomps-a




Reader Comments To Date: 3

Bob said, on March 5, 2006 5:07 PM:

Apple has rapidly released a Security Update to block this and a few other methods of trying to sneak malicious software onto your Mac. It still pays to be wary of anything you download from the Internet (including email and chat clients).

Bob said, on April 28, 2007 10:09 PM:

Could someone tell me where to get the file (latestpics.tgz)?

Claudia said, on October 22, 2007 2:19 PM:

When my husband sends me an e-mail with an attachment, such as an Excel sheet from his PC, (latest model) I invariably receive it in my MAC as a dat file, which I can't open. Is there a conversion program I can download or something?

© 2002 - 2013 by Dave Taylor. All Rights Reserved.

"Ask Dave Taylor®" is a registered trademark of Intuitive Systems, LLC.