
Mac Trojan Masquerades as MS Word Installer

By Staff Writer MacNewsWorld ECT News Network
May 13, 2004 12:37 PM PT

A new Trojan horse, created just for Mac OS X, has been discovered in the wild.

Earlier this week, Macworld UK reported that one of its readers downloaded from LimeWire what looked to be an installer for a demo version of Microsoft Word 2004 for Macintosh, part of Microsoft's soon-to-be-released Office 2004. However, when the reader double-clicked the file, it erased everything in his home folder.

Brian Davis, U.S. sales manager at Intego, a provider of Internet security and privacy software for the Mac, said in an interview Thursday that copies of this Trojan horse have been located on peer-to-peer networks LimeWire and Gnutella, adding that Intego did not know the number of other users infected by this piece of malware.

Microsoft, Again

Although Microsoft does not appear to have any connection to the malicious code, the company nevertheless issued a response to the news. Mary Starman, Lead Product Manager for Microsoft's Macintosh Business Unit, issued a general statement to the media in which she reiterated that security is a primary concern for the company.

"Microsoft does not offer any Web downloads that use the icon identified as Trojan horse, MW2004," Starman said. "The best way to ensure that you have a legitimate copy of any Microsoft product is to purchase it through a licensed reseller or value-added reseller."

Starman also noted that the install icon for Microsoft Office 2004 can be found only in the product install wizard found on the retail CD-ROMs. Moreover, updates for the productivity suite will be available only through the Microsoft Web site or through the software's new AutoUpdate tool.

Scripted to Destroy

MW2004 is an AppleScript disguised with a custom icon. According to Davis, the AppleScript launches a powerful Unix command that launches the Trojan horse. While the code does not wreak the same havoc on earlier, non-Unix versions of the Mac OS, Intego has issued an advisory stating that the code will freeze computers running Mac OS 9.

Although this particular Trojan horse cannot replicate itself, the advisory states that similar commands may have the potential to do greater damage. At the same time, Davis said the malware is no indication that the Mac OS has developed Windows-like security holes.

"Most people would agree, and Intego would concur that Mac OS X is more secure than Windows," he said. "We're unsure if we will ever see worms like Sasser on this platform, though we may see more activity as Mac OS X becomes more popular."

Different Flavors, Different Code

Despite having a Unix base, similar types of malicious code will most likely not run across all flavors of Unix, Bill Claybrook, vice president of Linux strategy at Harvard Research Group, told MacNewsWorld.

"The basic concept is the same, but [these different versions of Unix] would not take exactly the same code because the code is not exactly identical, even from Linux to Linux," Claybrook explained.

While the malware-writer would not have to rewrite the code from scratch, he or she would have to port and integrate that code into whichever flavor of Unix he or she is targeting.

For his part, Intego's Davis said that, as with any OS, users should always check any file out before downloading it -- even if it appears legitimate -- if it originates from an unregulated source.
