TidBITS Talk
How to Protect Yourself From The New Mac OS X Trojans
David Gorrell - 01:46pm Jun 24, 2008 PST
Guest User
OK - I thought that the "Protect from Trojans" article had a good recommendation to disable the ARD client. But when I try to input the command in Terminal it refuses to accept my Admin password (in 2 different accounts!). So - then I guess that Root User has to be enabled, so I do that through Directory Utility and give Root User a unique password, but Terminal still refuses to authenticate.
What am I doing wrong?
~ David G.
iMac 24 w. 10.5.3

sydz (apparently) - Jul 9, 2008 1:21 am (#27 Total: 30)
Posts: 4
Re: How to Protect Yourself From The New Mac OS X Trojans
There seems to be a simpler way of deactivating ARD, keeping an eye on it
and activating it if and when needed.
In the Sharing panel of System Preferences highlight Apple Remote Desktop.
A hidden option becomes visible on the side "Show status in menu bar",
with a dimmed button underneath (Access Privileges). The list of access
privileges options can be seen after unlocking the Sharing panel and
clicking upon this button.
Check "Show status in menu bar".
A dimmed icon (telescope) appears in the menu bar.
When the telescope is left clicked a drop down window opens with three
options.
Not active (dimmed)
Message to Administrator (dimmed)
Open Remote Desktop Preferences (Not dimmed)
In order to make changes highlight the last option.
The sharing panel window will open. Click open the lock
and relock the panel after making the desired changes.
Any unauthorised attempt to tamper with ARD makes the telescope icon
quiver.
The users with stand alone machines whether desktops or laptops
can leave all the Services in the Sharing panel unchecked. Lock the
panel and forget about it. And if they want to keep an eye on
ARD they can have the dimmed telescope in the menu bar.
Are there any concrete instances of this exploit and has the malicious code
been sent to, say, clamav database?

Mega Hertz - Sep 5, 2008 7:36 am (#28 Total: 30)
Posts: 1
Re: How to Protect Yourself From The New Mac OS X Trojans
Can someone help me with this?
I first found info on this trojan and tried running a few terminal commands to fix it.
I would get the 18:19:Syntax Error:No User interaction allowed. (-1713)
when I would run the osascript -e 'tell app "ARDAgent" to do shell script "Whoami"'
and I run the other suggestions on the CoreServices/RemoteManagement folder:
$ sudo defaults write /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info NSAppleScriptEnabled YES
$ sudo plutil -convert xml1 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist
$ sudo chmod 644 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist
So now I used just the standard Finder to go to the CoreServices folder,
and I see a red negative symbol on the RemoteManagement folder. And I do not have privileges to view this folder's contents.
I am logged in as root. I am using OS X 10.3.9.
Can anyone tell me how to regain access to that RemoteManagement folder?
I fear I am being exploited by this botnet setup, as I run a simple webserver using my old Mac. And when I capture my TCP/IP tcpdump packets, I always see a message in one of the packets, repeatedly, saying my registry is corrupt and I should visit windowsregistryfix dot com to download a registry patch. So I am assuming my Mac is sending out botneted popups to other computers.
I have otherwise locked down my Mac in every other possible way.
I am fairly Mac savvy but really only a long-term newbie. Mac OS 7 to now, using.
Any help with this would be greatly appreciated.

johnbaxterlists (apparently) - Sep 6, 2008 5:37 am (#29 Total: 30)
Posts: 678
Re: How to Protect Yourself From The New Mac OS X Trojans
On Fri, Sep 5, 2008 at 8:36 AM, Mega Hertz <mysoundeditor  sympatico.ca> wrote:
> So I am assuming my Mac is sending out botneted popups to other computers.
Step 1 in this situation is to pull the Ethernet connection or turn
off the wireless (or both). Isolate the machine. Then fix it (which
may mean erasing the hard drive and starting over).

Hank Roberts - Sep 7, 2008 10:17 am (#30 Total: 30)
Posts: 6
Re: How to Protect Yourself From The New Mac OS X Trojans
For those of us still using 10.3.9, would someone sum up the current best advice on avoiding, testing for, and if possible fixing this?
Is there any simple way to know the status of the machine by now?