OSX/Sabpab-A is a backdoor Trojan.
It creates the files /Users/<user>/Library/Preferences/com.apple.PubSabAgent.pfile (the malicious software) and /Users/<user>/Library/LaunchAgents/com.apple.PubSabAgent.plist (to make it persistent).
It has the ability to upload and download files as well as run arbitrary commands and take a screenshot.
Most infections were installed without user intervention, due to the abuse of Exp/20120507-A, which was only patched on OS X several weeks after a patch was available for other operating systems.
At this point, OSX/Sabpab-A is not cleaned up on Time Machine backups. It can be cleaned up manually within Time Machine by deleting the above-mentioned pfile and plist files.
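The following report-only check is an added example, not Sophos code. It looks for the two files named above under every user directory of a given root, which can be the live volume or the top of a mounted backup copy that contains Users/. The function names, the output format and the comparison against the sample SHA-1 values listed on this page are assumptions of the example; a path match is reported even when the hash is not one of those samples.

```shell
#!/bin/sh
# Added example: report OSX/Sabpab-A artifacts under a volume root.
# Paths and SHA-1 values are taken from this page; everything else
# (function names, output format) is an assumption of the example.
SABPAB_SHA1="5c148e37b863a9ce8e5ba9f7c95637149a3b3926
5cd35cba058e8897185857be32d2789dea575b92
7de942aff57ea5784214fcfdf273b9007f03a42e"

# Print the SHA-1 of a file with whichever tool is installed.
sha1_of() {
    if command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        sha1sum "$1" | awk '{print $1}'
    fi
}

# scan_sabpab ROOT
# Prints one line per artifact: <kind> <known-sha1|unlisted-sha1> <path>
# Returns 0 if nothing was found, 1 if any artifact exists.
scan_sabpab() {
    root=${1%/}
    found=0
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        for rel in Library/Preferences/com.apple.PubSabAgent.pfile \
                   Library/LaunchAgents/com.apple.PubSabAgent.plist; do
            f="$home/$rel"
            # -L also catches a dangling symlink left at the path
            [ -e "$f" ] || [ -L "$f" ] || continue
            found=1
            case "$rel" in
                *.pfile) kind=payload ;;
                *)       kind=launchagent ;;
            esac
            status=unlisted-sha1
            if [ -f "$f" ]; then
                sum=$(sha1_of "$f")
                if printf '%s\n' "$SABPAB_SHA1" | grep -qxF "$sum"; then
                    status=known-sha1
                fi
            fi
            printf '%s %s %s\n' "$kind" "$status" "$f"
        done
    done
    return "$found"
}
```

Call it as `scan_sabpab /` for the running system, or pass the root of each backup copy to list what still has to be deleted there.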
Examples of OSX/Sabpab-A include:
Example 1
File Information
- Size: 42K
- SHA-1: 5c148e37b863a9ce8e5ba9f7c95637149a3b3926
- MD5: 40c8786a4887a763d8f3e5243724d1c9
- CRC-32: 10f29b46
- File type: Unspecified binary - probably data
- First seen: 2012-04-16
Other vendor detection
- Kaspersky: Backdoor.OSX.SabPub.a
Example 2
File Information
- Size: 189K
- SHA-1: 5cd35cba058e8897185857be32d2789dea575b92
- MD5: cb435d29d1f925d273599c28cf30f9c7
- CRC-32: 1dcab67d
- File type: Unspecified binary - probably data
- First seen: 2012-11-25
Example 3
File Information
- Size: 189K
- SHA-1: 7de942aff57ea5784214fcfdf273b9007f03a42e
- MD5: dd292154e824f72d3a1915b673d18245
- CRC-32: 24efbb90
- File type: Unspecified binary - probably data
- First seen: 2012-11-26