How to find and remove the OSX.RSPlug.A malware

Oct 31, '07 12:00:00PM

Contributed by: robg

As reported in many places, including Macworld, there's a new OS X malware in the wild, first reported by Intego, who named it OSX.RSPlug.A (where do they get these names?).

I spent some time this morning looking at this malware and wrote this article explaining how to find out whether you've been infected, and how to remove the programs if you have. If you want all the details, read the article. If you just want to know how to remove the malware, here's the simple process:

  1. In the Finder, navigate to /Library -> Internet Plug-Ins, and delete the file named plugins.settings. Empty the trash. This deletes the tool that sets the rogue DNS Server information. (In Terminal, ls -l "/Library/Internet Plug-Ins/plugins.settings" tells you whether the file is there at all.)
  2. In Terminal, type sudo crontab -l first to see what cron jobs root has. If the only entry is the malware's (it references plugins.settings), type sudo crontab -r and provide your admin password when asked; this deletes the root cron job that re-checks the DNS Server settings. Be aware that crontab -r removes every root cron entry, not just the rogue one, so if root has other jobs you want to keep, use sudo crontab -e and delete only the offending line. You can prove it worked by typing sudo crontab -l again; you should see the message crontab: no crontab for root (or a listing without the rogue line).
  3. Open your Network System Preferences panel, go to the DNS Server box, and copy the entries you can see to a Stickies note, TextEdit document, or memorize them. Now retype those same values in the box, then click Apply. To confirm the rogue servers are really gone, run scutil --dns in Terminal; the nameserver lines should list only the servers you just typed.
  4. Reboot your Mac.
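The checks behind those four steps, as an added shell example that is not part of the original hint or of Intego's analysis: it reports whether the plug-in file exists, which root crontab lines reference it (and which other root entries sudo crontab -r would also wipe), and which resolvers from scutil --dns are not in the list you copied out of the Network pane. The sample crontab and scutil output in the script are constructed, and the shape of the rogue cron line (an entry that invokes plugins.settings) is an assumption rather than something the hint states. Nothing is deleted; the script only tells you what the steps above will touch.

```shell
#!/bin/sh
# Added example, not code from the original hint: checks for the three
# RSPlug.A indicators described in the steps above and reports what removal
# would touch. Works with sh or bash.
#
# Assumptions (not stated on the page): the root cron entry refers to the
# plug-in file by name, and the SAMPLE_* inputs below are constructed.

PLUGIN_DIR="${PLUGIN_DIR:-/Library/Internet Plug-Ins}"
PLUGIN_NAME="plugins.settings"

# Constructed sample inputs for offline use; the first cron line is the
# assumed shape of the rogue entry, the last a legitimate admin job.
SAMPLE_CRONTAB='* * * * * "/Library/Internet Plug-Ins/plugins.settings" >/dev/null 2>&1
# nightly backup
0 3 * * * /usr/local/bin/backup.sh'

SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)'

# Step 1: status 0 if the plug-in file exists in the given directory
# (defaults to the real location).
rsplug_plugin_present() {
    [ -e "${1:-$PLUGIN_DIR}/$PLUGIN_NAME" ]
}

# Step 2: read a crontab listing on stdin and print the lines that refer to
# the plug-in; status 0 if there were any.
rsplug_cron_entries() {
    grep -F "$PLUGIN_NAME"
}

# Step 2 caveat: print the remaining real entries (not blank, not comments,
# not the rogue line). 'sudo crontab -r' deletes these too; if there are
# any, use 'sudo crontab -e' and remove only the rogue line instead.
rsplug_cron_other_entries() {
    grep -v -F "$PLUGIN_NAME" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Step 3: read 'scutil --dns' (or /etc/resolv.conf) on stdin and print the
# resolver addresses, one per line, sorted and deduplicated. Both formats
# end the nameserver line with the address, so $NF is enough.
rsplug_dns_servers() {
    awk '/nameserver/ { print $NF }' | sort -u
}

# Step 3 check: print resolvers on stdin that are not in the space-separated
# list $1 (the entries you copied from the Network pane before reapplying).
rsplug_dns_unexpected() {
    allow=" $1 "
    rsplug_dns_servers | while IFS= read -r ip; do
        case "$allow" in
            *" $ip "*) ;;
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# Run all three checks on a live Mac. $1 is the space-separated list of DNS
# servers you expect to see. Reports only; removal is left to the steps
# above so nothing is deleted before you have looked at it.
rsplug_check() {
    if rsplug_plugin_present; then
        echo "FOUND: $PLUGIN_DIR/$PLUGIN_NAME (step 1: delete it)"
    else
        echo "ok: no $PLUGIN_NAME in $PLUGIN_DIR"
    fi
    cron=$(sudo crontab -l 2>/dev/null || true)
    if printf '%s\n' "$cron" | rsplug_cron_entries >/dev/null; then
        echo "FOUND: root cron entry referencing $PLUGIN_NAME (step 2)"
        if printf '%s\n' "$cron" | rsplug_cron_other_entries >/dev/null; then
            echo "NOTE: root has other cron entries; 'sudo crontab -r' would delete these too:"
            printf '%s\n' "$cron" | rsplug_cron_other_entries
        fi
    else
        echo "ok: no root cron entry referencing $PLUGIN_NAME"
    fi
    unexpected=$(scutil --dns 2>/dev/null | rsplug_dns_unexpected "$1")
    if [ -n "$unexpected" ]; then
        echo "FOUND: resolvers not in your expected list (step 3):"
        printf '%s\n' "$unexpected"
    else
        echo "ok: resolvers match the expected list"
    fi
}

# Entry point for a live run: RSPLUG_RUN=1 sh rsplug_check.sh "192.168.1.1"
if [ "${RSPLUG_RUN:-0}" = 1 ]; then
    rsplug_check "$@"
fi
```

Run it with RSPLUG_RUN=1 and your expected DNS servers as the argument; a clean machine prints three "ok" lines. The point of the crontab split is the caveat in step 2: the rogue job is the only thing the hint wants removed, and the script shows you what else a blanket crontab -r would take with it.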
The only people who should be infected today are those who have broken the number one rule of internet computing: don't download and install programs from untrusted sources, especially package installers that ask for your admin password. However, because this particular trick could be used on any popular site, I thought I'd share the simple how-to, as well as the links above for more details.

As OS X grows in popularity, I expect that this type of thing will become more commonplace.

Mac OS X Hints
http://hints.macworld.com/article.php?story=20071031114140862