Originally Posted By: ryck
I went to that site and thought I'd do a "test run" of their disinfecting procedure. I entered their Instruction plutil -convert xml1 /Applications/Safari.app/Contents/Info.plist into Terminal but, instead of Plist Files, I got a Permission Denied response.

That plist is owned by root, so one would need to prepend sudo and enter an admin password when prompted.

But I disagree with their instructions. There's no need to convert to xml at all. We can read or delete the offending key while it's still in "binary" form.

To read:

Code:
	defaults read /Applications/Safari.app/Contents/Info LSMinimumSystemVersion
	10.6.0

I used a valid key there, to show how normal output appears for a key that *should* exist. (according to that key, Safari 5.1.1 requires a minimum OS of 10.6.0).

Now, let's try to read the bad guy:

Code:
	defaults read /Applications/Safari.app/Contents/Info LSEnvironment
	2011-11-10 13:53:26.696 defaults[80926:903]
	The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

Good, that key doesn't exist in my Safari plist. If anyone doesn't see that exact error, but instead gets some sort of "output"... then that's a problem.


Originally Posted By: ryck
I also tried their %malware_path% but got No such job.

Yeah well, the instructions provided by F-Secure are a little difficult to follow... so I'll try to clean it up.

Since they instructed folks to convert to xml format, here's how their version of the offending data should look:
Code:
	<key>LSEnvironment</key>
	<dict>
		<key>DYLD_INSERT_LIBRARIES</key>
		<string>%malware_path%</string>
	</dict>

If done using my defaults read method, the output would be something more like this:
Code:
	LSEnvironment =  {
		"DYLD_INSERT_LIBRARIES" =  (
			%malware_path%
		);
	};


So "%malware_path%" isn't anything to be entered as a command, but rather, it was their way of indicating that some sorta path string should be there, which tells us where the malware is located. E.g., instead of "%malware_path%" there would be a pathname:

/folder/folder/folder/file

maybe something like:

/Library/Printers/Epson/phony_file (idunno)

So, assuming one is infected (i.e., my 2nd defaults read example doesn't generate an error message), then the way to 'disinfect' oneself is to delete whatever file or folder exists at the end of that "%malware_path%" location, and then delete the offending plist entry using:

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

Last edited by Hal Itosis; 11/10/11 06:40 PM. Reason: added sudo to the last command :-)
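The check described in the post, done with Python's plistlib instead of `defaults`, as an added example that is not part of the thread or of F-Secure's instructions. plistlib reads binary and XML plists alike, so it makes the same point as the post: no `plutil -convert xml1` step is needed. The two sample plists are constructed here (not real Safari data), and `/Library/Printers/Epson/phony_file` is a hypothetical path standing in for the `%malware_path%` placeholder. Reading a real Info.plist needs no privileges; writing the cleaned one back (or deleting the injected file) still needs `sudo`, exactly as in the post.

```python
"""Check an app bundle's Info.plist for a DYLD_INSERT_LIBRARIES injection.

Added example (not from the forum post or F-Secure). plistlib handles both
the binary and the XML flavour, so no `plutil -convert xml1` is required.
"""
import plistlib
from typing import List

# Path named in the post; only used by check_plist_file().
APP_PLIST = "/Applications/Safari.app/Contents/Info.plist"


def injected_libraries(plist_bytes: bytes) -> List[str]:
    """Return the libraries named in LSEnvironment/DYLD_INSERT_LIBRARIES.

    An empty list is the healthy case (the 'does not exist' error from the
    post). dyld treats the value as a colon-separated list, so each library
    is returned as its own entry.
    """
    info = plistlib.loads(plist_bytes)  # auto-detects FMT_BINARY / FMT_XML
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    value = env.get("DYLD_INSERT_LIBRARIES")
    if not isinstance(value, str) or not value:
        return []
    return [p for p in value.split(":") if p]


def strip_lsenvironment(plist_bytes: bytes) -> bytes:
    """Return the plist with the LSEnvironment key removed, same format as input.

    Equivalent to `sudo defaults delete .../Info LSEnvironment`. The caller
    writes the result back and separately deletes the injected file on disk.
    """
    fmt = plistlib.FMT_BINARY if plist_bytes.startswith(b"bplist") else plistlib.FMT_XML
    info = plistlib.loads(plist_bytes)
    info.pop("LSEnvironment", None)
    return plistlib.dumps(info, fmt=fmt)


def check_plist_file(path: str = APP_PLIST) -> List[str]:
    """Read an Info.plist from disk and report any injected libraries."""
    with open(path, "rb") as fh:
        return injected_libraries(fh.read())


# Constructed sample data, written in binary form on purpose so the check is
# shown working on a "binary" plist without any XML conversion.
CLEAN_PLIST = plistlib.dumps(
    {"CFBundleIdentifier": "com.apple.Safari", "LSMinimumSystemVersion": "10.6.0"},
    fmt=plistlib.FMT_BINARY,
)

# Hypothetical path standing in for the post's %malware_path% placeholder.
HYPOTHETICAL_PATH = "/Library/Printers/Epson/phony_file"
INFECTED_PLIST = plistlib.dumps(
    {
        "CFBundleIdentifier": "com.apple.Safari",
        "LSMinimumSystemVersion": "10.6.0",
        "LSEnvironment": {"DYLD_INSERT_LIBRARIES": HYPOTHETICAL_PATH},
    },
    fmt=plistlib.FMT_BINARY,
)


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PLIST), ("infected", INFECTED_PLIST)):
        libs = injected_libraries(blob)
        print(label, "->", libs or "no LSEnvironment key")
    cleaned = strip_lsenvironment(INFECTED_PLIST)
    print("after strip ->", injected_libraries(cleaned))
```

On a live system the read-only half is `check_plist_file()`; if it returns anything, delete each listed file, then write `strip_lsenvironment()`'s output back to Info.plist as root.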