Macworld: News: Leap-A malware: what you need to know

This is good information for Mac users. Apparently Leap-A is not (yet) too great a threat. Cutting to the chase:

How would this thing get on my machine?

The only way you can get the Leap-A malware on your machine is if you take some action to put it there yourself. You might receive a file from a buddy in iChat, or download something from the Internet, or open an attachment to an e-mail message. The program code is presently hiding in what claims to be pictures of OS X 10.5, Apple’s next major OS X upgrade. To get Leap-A on your machine, you must (a) receive the file, which is compressed; (b) expand the archive; and (c) double-click what appears to be an image file to execute the code. You cannot get the malware by simply browsing the Internet, reading e-mail, or chatting with friends in iChat.

What makes Leap-A trickier to detect, of course, is the fact that it’s disguised as something else. We have some advice below on how to avoid accidentally infecting your machine with Leap-A.

That said, I went looking for Leap-A to test how it behaves on a secured machine. It wasn’t easy to find, and even when I did find a version, its behavior didn’t seem to match that described by Andrew Welch. My applications were not infected, and nothing was sent via iChat. Of course, over time, other versions may be released with more widespread distribution, so my inability to readily find Leap-A may not always be the case.

And, more to the point:

How can I tell if I have the Leap-A malware on my machine?

Open your user’s Library folder, then the InputManagers folder, and look for a folder named apphook. If it’s there, you have it. Note that future versions of the malware may change this name, so it might be worth noting what’s installed there now, just in case. Note that this folder is not a standard part of OS X, and you’ll only have it if you’ve installed certain add-on programs such as SafariStand, Sogudi, or Chax.

All I had was SafariStand…
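The check described above, together with the article's suggestion to note what is installed there now, as an added shell example (not code from Macworld or from this post). The baseline file location and the function names are assumptions.

```shell
#!/bin/sh
# Added example. IM_DIR is the folder the article names; BASELINE is an
# assumed location for the saved listing. Both can be overridden.
IM_DIR="${IM_DIR:-$HOME/Library/InputManagers}"
BASELINE="${BASELINE:-$HOME/.inputmanagers.baseline}"

# Print the entries currently in the InputManagers folder, sorted.
# Prints nothing if the folder is absent (it is not a standard part of OS X).
list_input_managers() {
    [ -d "$IM_DIR" ] || return 0
    ls -1A "$IM_DIR" | LC_ALL=C sort
}

# Succeed if the folder name the article gives for Leap-A is present.
has_apphook() { [ -e "$IM_DIR/apphook" ]; }

# Record what is installed now, for later comparison.
save_baseline() {
    list_input_managers > "$BASELINE"
}

# Print entries present now but missing from the baseline.
# With no baseline saved, every current entry is printed.
new_since_baseline() {
    [ -f "$BASELINE" ] || { list_input_managers; return 0; }
    list_input_managers | LC_ALL=C comm -13 "$BASELINE" -
}

# Print findings; return 1 if apphook exists or anything new appeared.
report() {
    status=0
    if has_apphook; then
        echo "WARNING: $IM_DIR/apphook exists"
        status=1
    fi
    extra=$(new_since_baseline)
    if [ -n "$extra" ]; then
        printf 'Not in baseline:\n%s\n' "$extra"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "No apphook folder, nothing new since baseline"
    return "$status"
}

case "${1:-}" in
    baseline) save_baseline ;;
    check)    report ;;
esac
```

Run it with `baseline` once to record the current contents, then with `check` later; a non-zero exit status means `apphook` is present or an entry has appeared since the baseline.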


2 thoughts on “Macworld: News: Leap-A malware: what you need to know”

  • Cb

    Well, it wasn’t advice so much as a statement.
    According to the Journal, Apple said:
    “Leap-A is not a virus, it is malicious software that requires a user to download the application and execute the resulting file. Apple always advises Macintosh users to only accept files from vendors and Web sites that they know and trust.”

    BUT, one should read the complete Macworld article I linked which says:
    Is this a virus, a worm, malware, or a Trojan horse?

    Technically, it’s a bit of everything. It’s a virus, in the sense that it attaches itself to other executable code on your Mac. It’s a worm, in that it attempts to self-replicate and spread from machine to machine. It’s a piece of malware, because it can do bad things to your computer. Basically, it’s a piece of malware that’s delivered via a Trojan horse and then acts in both viral and wormy ways.