Flashback-trojan infects 600.000 MacOS X computers including 274 from Cupertino

This is not a real email based threat but at MX Lab we thought to share the information to the public to warn about this.

Several news sites have published an article related to the Flashback-trojan that is infecting MacOS X computers. So far, 600.000 computers,according to the latest intel from DrWeb, have been identified as infected and are transformed into a bonnet. According to 274 computers from Apple at Cupertino are also infected.

The virus itself is called Trojan BackDoor.Flashback.39 and can be present on a computer after visiting a bogus site or via a traffic distribution system. Javascript is embedded in the HTML to load a Java-applet containg the exploit.

Compromised sites:

  • godofwar3.rr.nu
  • ironmanvideo.rr.nu
  • killaoftime.rr.nu
  • gangstasparadise.rr.nu
  • mystreamvideo.rr.nu
  • bestustreamtv.rr.nu
  • ustreambesttv.rr.nu
  • ustreamtvonline.rr.nu
  • ustream-tv.rr.nu
  • ustream.rr.nu
The Java exploit will save an executable to the hard drive. This application is used to download malware from a remote server.
You can quickly check if your Mac is infected with the trojan BackDoor.Flashback.39. Here is how:
  • Open Terminal (found in /Applications/Utilities/)
  • Type the command: defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  • Terminal should return: The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
  • Type the command: defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  • Terminal should return: The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

If Terminal returns both messages above after given the command, your Mac is not infected.

In the past, I also had discussions with people on blogs or forums regarding the statement “Get a Mac and you have no viruses or trojans”. I have always said in those discussions that an operating system, wether it is MacOS X, Windows, Unix or Linux, is not a guarantee that you are safe. Each system is vulnerable and MacOS X was in the past not a real target. This is now different because more people have a Mac and it is more tempting and rewarding to write a virus or trojan for MacOS X these days.


  • get a security application for your Mac and keep it up to date
  • disable Java on your Mac if you do not need it (also recommended for Windows users)

More information regarding the threat:


More information regarding removal of the trojan:

Apple Support: About the security content of Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7
F-Secure Trojan-Downloader:OSX/Flashback.I removal instrustions

Emails with ZIP attachment from Delta Airlines contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject like:

Your ticket #ID6282
Download your ticket #2969
You can download your ticket #NR2881
Order #NR6758

The email is send from the spoofed address “Delta Air Lines <help9565@delta.com>” and has the following body:

Dear Customer,

ELECTRONIC TICKET NUMBER / 3 506 1139035813 3
DATE / TIME 16 April, 2012, 10:28 PM
ARRIVING / Fremont
REF / KE7146 ST / OK

Your bought ticket is attached.
You can print your ticket.

Thank you for using our airline company services.
Delta Air Lines.

The attached ZIP file has the name Delta_Air_Lines_Ticket_ID271-3714.zip and contains the 57 kB large file Delta_Air_Lines_Ticket_ID271-3714.exe (the numbers can change).

In one extraction we also found a folder named “ghnswdeW-sistem” with empty .txt files with random naming.

The trojan is known as Generic VB.i (McAfee), a variant of Win32/Injector.PVR (NOD32), Troj/Bredo-VJ (Sophos), Trojan.Smoaler (Symantec).

At the time of writing, only 12of the 42 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 60800d4034445370c07ec3d27d61144559038eaf46610b500dd17074825ad97c.