OSX/Sabpab-A

Category: Viruses and Spyware
Type: Trojan
Protection available since: 13 Apr 2012 21:55:11 (GMT)
Last Updated: 16 Apr 2012 15:26:42 (GMT)
Prevalence: Small Number of Reports


OSX/Sabpab-A is a backdoor Trojan.

It creates two files in the infected user's home directory: /Users/<user>/Library/Preferences/com.apple.PubSabAgent.pfile (the backdoor itself) and /Users/<user>/Library/LaunchAgents/com.apple.PubSabAgent.plist (a LaunchAgent that launchd loads each time that user logs in, which is what makes the infection persistent). The com.apple. prefix imitates Apple's own naming so that both files blend in with legitimate ones.

Under the control of a remote operator it can upload and download files, run arbitrary commands and take screenshots.

Most infections were installed without any user interaction, through the exploit detected as Exp/20120507-A; the vulnerability it targets was patched on OS X only several weeks after a fix was available for other operating systems.

At the time of writing, OSX/Sabpab-A is not cleaned up inside Time Machine backups, so restoring a backup taken while the machine was infected can reintroduce it. A backup can be cleaned manually by deleting the pfile and plist files named above from the backed-up copy of the user's Library folder.
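As an added example (not code from this page or from the vendor), the Python script below hunts for the two artifacts described above both in a live /Users tree and inside a Time Machine backup, hashes any pfile it finds against the three sample SHA-1s listed below, summarises what the LaunchAgent plist would run, and can delete both files. Only the two paths and the hashes come from this page; the Backups.backupdb/<host>/<snapshot>/<volume>/Users layout, the plist contents planted by the self-contained demo, and every function name are assumptions made for illustration.

```python
import hashlib
import json
import os
import plistlib
import tempfile

# Indicators taken from this description: the two per-user files and the sample SHA-1s.
PFILE_REL = os.path.join("Library", "Preferences", "com.apple.PubSabAgent.pfile")
PLIST_REL = os.path.join("Library", "LaunchAgents", "com.apple.PubSabAgent.plist")
KNOWN_SHA1 = {
    "5c148e37b863a9ce8e5ba9f7c95637149a3b3926",
    "5cd35cba058e8897185857be32d2789dea575b92",
    "7de942aff57ea5784214fcfdf273b9007f03a42e",
}

def file_sha1(path):
    # Stream the file through SHA-1 so a large pfile is not read into memory at once.
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def launch_agent_summary(plist_path):
    """Pull the keys that say what the agent runs and when; a broken plist is still reported."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:
        return {"error": str(exc)}
    return {k: data.get(k) for k in ("Label", "ProgramArguments", "RunAtLoad")}

def scan_users_dir(users_dir):
    """One finding per home directory under users_dir that holds either artifact.
    An unlisted hash does not clear a pfile: it still sits at the dropper's path."""
    findings = []
    for user in sorted(os.listdir(users_dir)) if os.path.isdir(users_dir) else []:
        home = os.path.join(users_dir, user)
        pfile, plist = os.path.join(home, PFILE_REL), os.path.join(home, PLIST_REL)
        if not (os.path.isfile(pfile) or os.path.isfile(plist)):
            continue
        finding = {"home": home, "pfile": None, "plist": None, "known_sample": False}
        if os.path.isfile(pfile):
            sha1 = file_sha1(pfile)
            finding["pfile"] = {"path": pfile, "sha1": sha1}
            finding["known_sample"] = sha1 in KNOWN_SHA1
        if os.path.isfile(plist):
            finding["plist"] = dict(path=plist, **launch_agent_summary(plist))
        findings.append(finding)
    return findings

def _real_subdirs(path):
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isdir(full) and not os.path.islink(full):  # skips the "Latest" symlink
            yield full

def time_machine_users_dirs(backupdb):
    """Yield each <host>/<snapshot>/<volume>/Users directory (assumed pre-APFS layout)."""
    for host in _real_subdirs(backupdb):
        for snap in _real_subdirs(host):
            for vol in _real_subdirs(snap):
                users = os.path.join(vol, "Users")
                if os.path.isdir(users):
                    yield users

def remove_artifacts(finding, dry_run=True):
    """Delete the pfile and plist; unloading a live agent with launchctl is the operator's job."""
    paths = [finding[k]["path"] for k in ("pfile", "plist") if finding[k]]
    if not dry_run:
        for path in paths:
            os.remove(path)
    return paths

def _plant(home):
    """Constructed fixture for demo(): a placeholder pfile and an assumed plist, not real malware."""
    for rel in (PFILE_REL, PLIST_REL):
        os.makedirs(os.path.dirname(os.path.join(home, rel)), exist_ok=True)
    with open(os.path.join(home, PFILE_REL), "wb") as fh:
        fh.write(b"constructed placeholder, not the backdoor\n")
    with open(os.path.join(home, PLIST_REL), "wb") as fh:
        plistlib.dump({"Label": "com.apple.PubSabAgent", "RunAtLoad": True,
                       "ProgramArguments": [os.path.join(home, PFILE_REL)]}, fh)

def demo():
    """Scan, dry-run, delete and rescan a constructed /Users tree plus a fake Time Machine snapshot."""
    root = tempfile.mkdtemp()
    _plant(os.path.join(root, "Users", "alice"))
    backupdb = os.path.join(root, "Backups.backupdb")
    _plant(os.path.join(backupdb, "mac", "2012-04-16-120000", "Macintosh HD", "Users", "alice"))
    os.symlink("2012-04-16-120000", os.path.join(backupdb, "mac", "Latest"))
    live = scan_users_dir(os.path.join(root, "Users"))
    backup_dirs = list(time_machine_users_dirs(backupdb))
    backup_hits = [f for d in backup_dirs for f in scan_users_dir(d)]
    planned = remove_artifacts(live[0], dry_run=True)
    removed = remove_artifacts(live[0], dry_run=False)
    return {"live": live, "backup_dirs": backup_dirs, "backup_hits": backup_hits,
            "planned": planned, "removed": removed,
            "after": scan_users_dir(os.path.join(root, "Users"))}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real machine, call scan_users_dir("/Users") as root for the live system and feed each directory from time_machine_users_dirs("/Volumes/<backup disk>/Backups.backupdb") to the same scanner for the backups; the dry run is the default so nothing is deleted until remove_artifacts is called with dry_run=False, and on the live system the agent should also be unloaded with launchctl before the files go.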

Examples of OSX/Sabpab-A include:

Example 1

File Information
Size: 42K
SHA-1: 5c148e37b863a9ce8e5ba9f7c95637149a3b3926
MD5: 40c8786a4887a763d8f3e5243724d1c9
CRC-32: 10f29b46
File type: Unspecified binary - probably data
First seen: 2012-04-16

Other vendor detection
Kaspersky: Backdoor.OSX.SabPub.a

Example 2

File Information
Size: 189K
SHA-1: 5cd35cba058e8897185857be32d2789dea575b92
MD5: cb435d29d1f925d273599c28cf30f9c7
CRC-32: 1dcab67d
File type: Unspecified binary - probably data
First seen: 2012-11-25

Example 3

File Information
Size: 189K
SHA-1: 7de942aff57ea5784214fcfdf273b9007f03a42e
MD5: dd292154e824f72d3a1915b673d18245
CRC-32: 24efbb90
File type: Unspecified binary - probably data
First seen: 2012-11-26