How do I remove it?
If after running the first three detection commands you find that your system does contain the modified files and you suspect it has the malware installed, then you can go about removing it using F-Secure’s manual removal instructions. These instructions are a bit in-depth, but if you follow them exactly, then you should be able to rid the system of the infection:
Open the Terminal and run the following commands (the same as above):
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
When these commands are run, make a note of the full file path that is output to the terminal window (it may be paired with the term “DYLD_INSERT_LIBRARIES”). For each of the commands that output a file path (and do not say the domain pair does not exist), copy the full file path section and the run the following command with the file path in place of FILEPATH in the command (copy and paste this command):
grep -a -o ‘__ldpath__[ -~]*’ FILEPATH
Locate the files mentioned in the output of the above commands, and delete them. If you cannot locate them in the Finder, then for each first type “sudo rm” in the terminal followed by a single space, and then use your mouse cursor to select the full file path from the first command’s output, and use Command-C followed by Command-V to copy and paste it back into the Terminal. Then press Enter to execute the command and remove this file.
See the following screenshot for an example of how this should look:
After running the command and revealing the path to the malware file, copy the path to the "sudo rm" command on a new line as is shown here to have the system delete it. (Credit: Screenshot by Topher Kessler/CNET)
When you have deleted all the files references by the “defaults” commands above, then you have removed the malware files, but you still need to reset the altered applications and account files, so to do this run the following commands:
sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
sudo defaults delete /Applications/Firefox.app/Contents/Info LSEnvironment
sudo chmod 644 /Applications/Firefox.app/Contents/Info.plist
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES
In the Finder, go to the Go menu and select Library (hold the Option key in Lion to reveal this option in the menu), and then open the LaunchAgents folder, where you should see a file named something like “com.java.update.plist.” Next, type the following command into the Terminal (Note: change the name of “com.java.update” in the command to reflect the name of the file before its .plist suffix):
defaults read ~/Library/LaunchAgents/com.java.update ProgramArguments
When this command is completed, press Enter and note the file path that has been output to the Terminal window.
As you did previously, locate this file in the Finder and delete it, but if you cannot do so then type “sudo rm” followed by a single space, and then copy and paste the output file path into the command and press Enter.
To remove any hidden .so files found earlier, you can remove them by running the following command in the Terminal (be sure to copy and paste this command, as there should be absolutely no spaces in the last component that contains the symbols and punctuation marks):
sudo rm ~/../Shared/.*.so
After this step is complete, remove the file called “com.java.update.plist” and you should be good to go.
