Backdoor:MacOS/Longage.A is a backdoor trojan that allows an unauthorized user to access and control your computer. The trojan is a fat (universal) Mach-O binary, and therefore runs on two architectures: PowerPC (supported by a variety of operating systems, including Mac OS) and i386 (supported by certain versions of Mac OS).
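The fat Mach-O format mentioned above starts with a big-endian fat header (magic 0xCAFEBABE, a slice count, then one 20-byte fat_arch record per architecture). The parser below is an added example written for this page, not code from the original analysis; it reads that header, names the CPU types it finds, and is run here against a constructed two-slice (PowerPC + i386) header rather than the real sample. The file-scanning helper and its 20-slice sanity limit are assumptions of this example.

```python
import struct
from typing import List

FAT_MAGIC = 0xCAFEBABE  # big-endian magic of a fat (universal) Mach-O header

# cputype values from <mach/machine.h>; the 0x01000000 bit marks the 64-bit ABI
CPU_TYPE_NAMES = {
    0x00000007: "i386",
    0x01000007: "x86_64",
    0x00000012: "ppc",
    0x01000012: "ppc64",
    0x0000000C: "arm",
    0x0100000C: "arm64",
}

FAT_HEADER_LEN = 8     # magic + nfat_arch
FAT_ARCH_LEN = 20      # cputype, cpusubtype, offset, size, align
MAX_SANE_SLICES = 20   # assumption: Java class files share the magic; their version
                       # field lands in nfat_arch and is usually far larger than this


def fat_architectures(data: bytes) -> List[str]:
    """Return the architecture names in a fat Mach-O header, or [] if data is not fat."""
    if len(data) < FAT_HEADER_LEN:
        return []
    magic, nfat_arch = struct.unpack(">II", data[:FAT_HEADER_LEN])
    if magic != FAT_MAGIC or nfat_arch == 0 or nfat_arch > MAX_SANE_SLICES:
        return []
    archs = []
    for i in range(nfat_arch):
        off = FAT_HEADER_LEN + i * FAT_ARCH_LEN
        if off + FAT_ARCH_LEN > len(data):
            break  # truncated header: stop instead of reading past the buffer
        cputype, _subtype, _offset, _size, _align = struct.unpack(
            ">IIIII", data[off:off + FAT_ARCH_LEN])
        archs.append(CPU_TYPE_NAMES.get(cputype, "unknown(0x%08x)" % cputype))
    return archs


def scan_file(path: str) -> List[str]:
    """Read just enough of a file on disk to classify its fat header."""
    with open(path, "rb") as fh:
        return fat_architectures(fh.read(FAT_HEADER_LEN + FAT_ARCH_LEN * MAX_SANE_SLICES))


def build_sample_fat_header() -> bytes:
    """Constructed sample: a ppc + i386 fat header with no slice bodies behind it."""
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">IIIII", 0x00000012, 0, 4096, 1000, 12)  # ppc slice
    header += struct.pack(">IIIII", 0x00000007, 3, 8192, 1000, 12)  # i386 slice
    return header


if __name__ == "__main__":
    print(fat_architectures(build_sample_fat_header()))  # ['ppc', 'i386']
```

A thin Mach-O (magic 0xFEEDFACE / 0xFEEDFACF) returns an empty list, so a triage script can use this to separate universal binaries from single-architecture ones before deeper analysis.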
Installation
Backdoor:MacOS/Longage.A copies itself as the following:
/Library/launched
To make sure that it automatically runs in your computer, Backdoor:MacOS/Longage.A installs a "Launchd" property list file in the "LaunchAgents" folder as follows:
~/Library/LaunchAgents/com.apple.FolderActionsxl.plist
This property list file instructs launchd to run the backdoor once, when you log in.
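The installation steps above give two host indicators: the copied binary at /Library/launched and the LaunchAgent plist ~/Library/LaunchAgents/com.apple.FolderActionsxl.plist. The check below is an added example for this page, not tooling from the original analysis. It lists which of those paths exist and parses a launchd plist to report the label, the program it launches and whether it is a run-at-login entry (RunAtLoad set, no KeepAlive). The sample plist contents are constructed for the example; the page does not reproduce the real file.

```python
import os
import plistlib
from typing import Callable, Dict, List

# Indicators taken from the analysis text
SUSPECT_BINARY = "/Library/launched"
SUSPECT_AGENT = "Library/LaunchAgents/com.apple.FolderActionsxl.plist"  # relative to $HOME
SUSPECT_LABEL = "com.apple.FolderActionsxl"


def indicator_paths(home: str) -> List[str]:
    """Absolute paths of the files this backdoor drops, for a given home directory."""
    return [SUSPECT_BINARY, os.path.join(home, SUSPECT_AGENT)]


def present_indicators(home: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the indicator paths that exist; `exists` is injectable for testing."""
    return [p for p in indicator_paths(home) if exists(p)]


def describe_launch_agent(plist_bytes: bytes) -> Dict[str, object]:
    """Summarise a launchd property list: label, launched program, run-at-load semantics."""
    d = plistlib.loads(plist_bytes)
    program = d.get("Program")
    if program is None:
        args = d.get("ProgramArguments") or []
        program = args[0] if args else None
    return {
        "label": d.get("Label", ""),
        "program": program,
        # RunAtLoad without KeepAlive means "start once at login", which matches
        # the behaviour described for this backdoor
        "run_at_load": bool(d.get("RunAtLoad", False)),
        "keep_alive": bool(d.get("KeepAlive", False)),
    }


def is_longage_agent(plist_bytes: bytes) -> bool:
    """True when the label or launched program matches this backdoor's persistence."""
    info = describe_launch_agent(plist_bytes)
    return info["label"] == SUSPECT_LABEL or info["program"] == SUSPECT_BINARY


# Constructed sample plist (assumed contents, built from the paths named in the analysis)
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.FolderActionsxl</string>
    <key>ProgramArguments</key><array><string>/Library/launched</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    print(present_indicators(os.path.expanduser("~")))
    print(describe_launch_agent(SAMPLE_PLIST), is_longage_agent(SAMPLE_PLIST))
```

Note that a genuine Apple LaunchAgent would live under /System/Library or /Library rather than a user's home, and Apple's labels are not followed by stray letters like "xl", which is why the label alone is worth flagging even if the binary has already been removed.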
Distributed via:
Malicious Microsoft Word documents
Backdoor:MacOS/Longage.A has been observed embedded in specially-crafted Microsoft Word documents exploiting a known vulnerability. The vulnerability has been resolved with the release of Microsoft Security Bulletin MS09-027. The malicious Word document is detected as Exploit:MacOS_X/MS09-027.A.
Payload
Allows backdoor access and control
Backdoor:MacOS/Longage.A connects to a certain IP address via a specific port indicated in its code. Once connected, Backdoor:MacOS/Longage.A sends the following information about your computer:
- Operating system version
- Physical RAM size
- Logon name of the current user
The connection also allows a remote unauthorized user to perform the following actions:
- Gather information about your computer
- Send a list of currently-running processes
- Kill processes
- Run or delete files
- Receive files from, or send files to, a remote server
- Uninstall Backdoor:MacOS/Longage.A
- Send an Apple event that puts your computer to sleep, or restarts, shuts down or logs out your computer
- Open a bash shell command prompt
Analysis by Methusela Cebrian Ferrer