Yeah, finally there is a trjoan for Mac OS X that does the job.
In few days more than 600.000 Mac have been infected by this trojan.
F-Secure has published a simple procedure to remove the trojan from your Mac, here you are the steps you have to follow:
Manual Removal Instructions
1. Run the following command in Terminal:
# defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:
"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
4. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
5. Take note of the value after "__ldpath__"
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
# sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
# sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal:
# defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
10. Otherwise, run the following command in Terminal:
# grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
11. Take note of the value after "__ldpath__"
12. Run the following commands in Terminal:
# defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
# launchctl unsetenv DYLD_INSERT_LIBRARIES
13. Finally, delete the files obtained in steps 9 and 11.
14. Run the following command in Terminal:
# ls -lA ~/Library/LaunchAgents/
15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.
16. Run the following command in Terminal:
# defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments
17. Take note of the path. If the filename does not start with a ".", then you might not be infected with this variant.
18. Delete the files obtained in steps 15 and 17.
Note:
Apple released its security update on Tuesday. If you have Java installed on your Mac — update now.
Gg1