I went to that site and thought I'd do a "test run" of their disinfecting procedure. I entered their Instruction plutil -convert xml1 /Applications/Safari.app/Contents/Info.plist into Terminal but, instead of Plist Files, I got a Permission Denied response.
That plist is owned by root, so one would need to prepend sudo and enter an admin password when prompted.
But I disagree with their instructions. There's no need to convert to xml at all. We can read or delete the offending key while it's still in "binary" form.
To read:
defaults read /Applications/Safari.app/Contents/Info LSMinimumSystemVersion
10.6.0
I used a valid key there, to show how normal output appears for a key that *should* exist. (According to that key, Safari 5.1.1 requires a minimum OS of 10.6.0.)
Now, let's try to read the bad guy:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2011-11-10 13:53:26.696 defaults[80926:903]
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
Good, that key doesn't exist in my Safari plist. If anyone doesn't see that exact error, but instead gets some sort of "output"... then that's a problem.
I also tried their %malware_path% but got No such job.
Yeah well, the instructions provided by F-Secure are a little difficult to follow... so I'll try to clean it up.
Since they instructed folks to convert to xml format, here's how their version of the offending data should look:
<key>LSEnvironment</key>
<dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>%malware_path%</string>
</dict>
If done using my defaults read method, the output would be something more like this:
LSEnvironment = {
"DYLD_INSERT_LIBRARIES" = (
%malware_path%
);
};
So "%malware_path%" isn't anything to be entered as a command, but rather, it was their way of indicating that some sorta path string should be there, which tells us where the malware is located. E.g., instead of "%malware_path%" there would be a pathname:
/folder/folder/folder/file
maybe something like:
/Library/Printers/Epson/phony_file (idunno)
So — assuming one is infected (i.e., my 2nd defaults read example doesn't generate an error message) — then the way to 'disinfect' oneself is to delete whatever file or folder exists at the end of that "%malware_path%" location, and then delete the offending plist entry using:
sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
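The check and the cleanup described in the post, as an added example that is not part of the original post and not F-Secure's tooling. It uses Python's plistlib, which reads binary and XML plists alike, so, as the post says, no xml1 conversion is needed. The sample plist contents and the /tmp/placeholder_malware_path.dylib path are constructed stand-ins for the %malware_path% in the write-up; the real check would be run against /Applications/Safari.app/Contents/Info.plist, where reading needs no privileges but writing back requires root.

```python
import plistlib
import sys

# Constructed sample Info.plist contents (not copied from any real Safari bundle).
CLEAN_INFO = {
    "CFBundleIdentifier": "com.apple.Safari",
    "LSMinimumSystemVersion": "10.6.0",
}

INFECTED_INFO = {
    "CFBundleIdentifier": "com.apple.Safari",
    "LSMinimumSystemVersion": "10.6.0",
    # Placeholder path standing in for %malware_path% in the F-Secure description.
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/tmp/placeholder_malware_path.dylib"},
}


def to_binary_plist(info):
    """Serialize a dict in the binary plist format macOS normally stores Info.plist in."""
    return plistlib.dumps(info, fmt=plistlib.FMT_BINARY)


def check_lsenvironment(plist_bytes):
    """Return [(key, value), ...] for DYLD_* entries under LSEnvironment; [] if none.

    plistlib.loads autodetects XML vs. binary, so the file is inspected as-is.
    """
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    findings = []
    for key, value in env.items():
        if key.startswith("DYLD_"):
            # defaults(1) may show the value as a string or a parenthesized array.
            values = value if isinstance(value, list) else [value]
            for v in values:
                findings.append((key, str(v)))
    return findings


def remove_lsenvironment(plist_bytes):
    """Return (cleaned_plist_bytes, removed_entry). Mirrors `defaults delete ... LSEnvironment`."""
    info = plistlib.loads(plist_bytes)
    removed = info.pop("LSEnvironment", None)
    return to_binary_plist(info), removed


def min_os_version(plist_bytes):
    """Read LSMinimumSystemVersion, the 'known good' key used as a sanity check in the post."""
    return plistlib.loads(plist_bytes).get("LSMinimumSystemVersion")


def scan_path(path):
    """Scan an on-disk Info.plist; reading is enough to detect, writing back needs root."""
    with open(path, "rb") as fh:
        return check_lsenvironment(fh.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        for key, value in scan_path(target):
            print(f"{target}: {key} -> {value}  (inspect and remove the file at that path)")
    else:
        # Offline demonstration on the constructed samples.
        print("clean sample:", check_lsenvironment(to_binary_plist(CLEAN_INFO)))
        print("infected sample:", check_lsenvironment(to_binary_plist(INFECTED_INFO)))
        cleaned, removed = remove_lsenvironment(to_binary_plist(INFECTED_INFO))
        print("after cleanup:", check_lsenvironment(cleaned), "removed:", removed)
```

Run with no arguments to see the constructed clean and infected samples, or pass a path such as /Applications/Safari.app/Contents/Info.plist to scan a real bundle. The script only reads; removing the key on the real file is still the `sudo defaults delete` command from the post, which also takes care of the ownership issue mentioned at the top.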