TUCOWS ARTICLE

How to remove Inqtana.A

Surely every operating system is at risk for worms and viruses, but this is the second one for Mac OS X in less than a week.
Published: Feb 19, 2006
Author: lward
Related OS: OS X

According to Symantec, "OSX.Inqtana.A is a proof of concept worm that runs on Macintosh OS X and spreads by exploiting the Apple Mac OS X BlueTooth Directory Traversal Vulnerability". Symantec states the threat as being wild but easy to contain and remove.

The following information is obtained from the Symantec site:

Technical details

1. Creates the following files:

  • w0rm-support.tgz
  • com.openbundle.plist
  • com.pwned.plist

2. Exploits the Apple Mac OS X BlueTooth Directory Traversal Vulnerability (as described in Bugtraq ID 13491) to create the following files:
  • /Users/w0rm-support.tgz
  • /Users/InqTest.class
  • /Users/com.openbundle.plist
  • /Users/com.pwned.plist
  • /Users/libavetanaBT.jnilib

3. Creates the following folders, adding nonmalicious files used to run the worm:
  • /Users/javax
  • /Users/de

4. Creates the following two files, so that it starts when Mac OS X starts:
  • /Users/[USER NAME]/Library/LaunchAgents/com.pwned.plist
  • /Users/[USER NAME]/Library/LaunchAgents/com.openbundle.plist

5. Searches for other Bluetooth-enabled devices to accept OBEX Push requests when the computer is restarted. If found, the worm attempts to send itself to the remote computer.

Note: The worm attempts to spread by using a time limited demo version of the Avetana library, which is bound to a Bluetooth address. As a result of this the worm may not be able to spread successfully.

Now that you've received that information, I'm sure you'd like to know how to be rid of it if your computer is infected. I'll do what I did with the last threat and paste the removal instructions that Symantec provides:

Removal instructions

1. Delete the following files:

  • /Users/w0rm-support.tgz
  • /Users/InqTest.class
  • /Users/com.openbundle.plist
  • /Users/com.pwned.plist
  • /Users/libavetanaBT.jnilib
  • /Users/[USER NAME]/Library/LaunchAgents/com.pwned.plist
  • /Users/[USER NAME]/Library/LaunchAgents/com.openbundle.plist

2. Delete the following folders:
  • /Users/javax
  • /Users/de
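
The removal steps above can be checked from Terminal. The script below is an added example, not code from Symantec or from this article's author; the function names, the optional root argument and the INQTANA_ROOT variable are assumptions made for illustration. It reports which of the listed files and folders exist, expanding [USER NAME] to every home folder, and deletes them only when inqtana_remove is called explicitly.

```shell
#!/bin/sh
# Added example (not Symantec's or Tucows' code): check for the Inqtana.A
# artifacts listed in this article. The optional root argument is an
# assumption so a mounted volume or backup copy can be checked too.

# Print every listed artifact that exists under <root>/Users, one per line.
inqtana_scan() {
    root="${1:-}"   # empty = the running system
    # Files and folders dropped directly in /Users.
    for name in w0rm-support.tgz InqTest.class com.openbundle.plist \
                com.pwned.plist libavetanaBT.jnilib javax de; do
        p="$root/Users/$name"
        if [ -e "$p" ] || [ -L "$p" ]; then printf '%s\n' "$p"; fi
    done
    # The "[USER NAME]" entries: look in every home folder's LaunchAgents.
    for home in "$root"/Users/*/; do
        for plist in com.pwned.plist com.openbundle.plist; do
            p="${home}Library/LaunchAgents/$plist"
            if [ -e "$p" ] || [ -L "$p" ]; then printf '%s\n' "$p"; fi
        done
    done
    return 0
}

# Delete what inqtana_scan reports. Review the scan output first: an account
# whose short name is "de" or "javax" would have a legitimate home there.
inqtana_remove() {
    inqtana_scan "${1:-}" | while IFS= read -r p; do
        rm -rf -- "$p" && printf 'removed %s\n' "$p"
    done
}

# Report only; removal is a separate, deliberate call.
inqtana_scan "${INQTANA_ROOT:-}"
```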

Looks as though people are finding more and more flaws in the security of OS X. Hopefully your machine has not been compromised, but if it has, I hope this will help you.

The worm information (technical and removal) was acquired from the Symantec Security Response center.


About lward

I'm looking for a friend who likes...oh wait, wrong entry! Lindsey has worked for Tucows for a long time--August of 1999, to be exact. Minus a little down time in 2001, but we won't talk about that. As of now, she's working on maintaining the Mac side of the site, as well as giving everyone the hot movie wallpapers and screen savers that seem to be popular. When Lindsey is not at Tucows, she likes to enjoy her few-and-far-between off-times playing games, being with friends and family, and making sure her cat Sugar is getting the massive amount of attention he demands......ermm, deserves.
