The first really nasty Trojan to hit Macs slithered onto 600,000 Apple computers worldwide. F-Secure, a world leader in security, has posted a way to check and see if your Mac is infected and if so how to clean it up.
Please note that this is meant for experienced users and needs to be done carefully. Earlier this week Apple released a security update for all Macs. Please check to see that you have that update.
If you prefer, you can download and print the instructions here.
Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance. F-Secure customers may also contact our Support.
Manual Removal Instructions
- 1. Run the following command in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
- 2. Take note of the value, DYLD_INSERT_LIBRARIES
- 3. Proceed to step 8 if you got the following error message: “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”
- 4. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
- 5. Take note of the value after “__ldpath__”
- 6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
- 7. Delete the files obtained in steps 2 and 5
- 8. Run the following command in Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
- 9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following: “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”
- 10. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
- 11. Take note of the value after “__ldpath__”
- 12. Run the following commands in Terminal:
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES
- 13. Finally, delete the files obtained in steps 9 and 11.
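The read-only half of the procedure (steps 1-5 and 8-11) as a script that reports what it finds and deletes nothing; this is an added example, not F-Secure's code. The function names, the constructed sample path, and the `defaults read` print format noted in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not F-Secure's code: read-only check, deletes nothing.

# Steps 4-5 and 10-11: print what follows "__ldpath__" inside file $1.
# LC_ALL=C keeps [ -~] to printable ASCII bytes in a binary file.
extract_ldpath() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | sed 's/^__ldpath__//'
}

# Steps 2 and 9: pull the library path out of `defaults read` output on stdin.
# Assumption: LSEnvironment prints as  "KEY" = "value";  inside braces,
# while reading the key directly prints the bare path.
dyld_value() {
    sed -n -e 's/.*DYLD_INSERT_LIBRARIES"* = "*\([^";]*\)"*;.*/\1/p' -e t -e '/^\//p'
}

# Report one location: $1 = label, $2 = raw `defaults read` output.
report() {
    lib=$(printf '%s\n' "$2" | dyld_value)
    if [ -z "$lib" ]; then
        echo "$1: no DYLD_INSERT_LIBRARIES entry"
        return 0
    fi
    echo "$1: DYLD_INSERT_LIBRARIES = $lib"
    echo "$1: __ldpath__ value = $(extract_ldpath "$lib")"
}

# Constructed sample: binary padding around a made-up __ldpath__ marker.
demo() {
    tmp=$(mktemp) || return 1
    printf '\001\377__ldpath__/Users/Shared/.constructed_example\000\002' > "$tmp"
    extract_ldpath "$tmp"
    rm -f "$tmp"
}

# The two locations from steps 1 and 8; skipped where `defaults` is absent.
if command -v defaults >/dev/null 2>&1; then
    report "Safari" "$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>/dev/null)"
    report "User" "$(defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>/dev/null)"
else
    echo "demo __ldpath__ value: $(demo)"
fi
```

Any path it prints is a file to note for steps 7 and 13; the deletion commands in steps 6 and 12 are still run by hand.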
Some Flashback variants include additional components, which require additional steps to remove. Please refer to our Trojan-Downloader:OSX/Flashback.K description for additional information and removal instructions.