Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Mac.BackDoor.iWorm

Added to the Dr.Web virus database: 2014-09-05

Virus description added:

A backdoor targeting OS X. The Trojan is written in С++ and Lua and uses encryption extensively.

Depending on the type of the data received, the backdoor can execute numerous commands. Moreover, it can also execute Lua scripts. Basic commands used for the received Lua scripts are encrypted as follows:

socks  
system  
httpget  
httpgeted  
rand  
sleep
banadd  
banclear
p2plock
p2punlock  
nodes  
lea
fs  
unknowns  
p2pport  
p2pmode
p2ppeer
port  
p2ppeertype  
set  
get  
clear  
platform  
script  
uptime  
uid  
ver  
addn

Basic backdoor commands for Lua scripts can be used to perform the following actions:

  • Get the OS type
  • Get the bot version
  • Get the bot UID
  • Get a value from the configuration file
  • Set a parameter value in the configuration file
  • Remove all parameters from the configuration file
  • Get the bot uptime
  • Send a GET request
  • Download a file
  • Open a socket for an inbound connection and then execute the received commands
  • Execute a system command
  • Go to sleep mode
  • Add a node IP to the list of banned nodes
  • Clear the list of banned nodes
  • Get the node list
  • Get a node IP
  • Get a node type
  • Get a node port
  • Execute a nested Lua script

Currently, the following features are available (in addition to functions performed with Lua scripts):

  • Send the UID
  • Send the information about the open port
  • Add new bots (those that are already connected and those whose addresses are received in the command) to the node list
  • Relay traffic (data received via one socket is relayed to another socket without any alterations)
  • Connect to the host specified in the command
  • Execute Lua scripts

News about this threat
Technical details of this threat

Curing recommendations


macOS

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040