How to Remove the OSX.RSPlug.A Trojan Horse from your Mac

Contributor

By Alexia Petrakos
eHow Contributing Writer

Article Rating:

(16 Ratings)

Remove the OSX.RSPlug.A Trojan Horse from your Mac

So far the only malicious software known to infect Macintosh Computers is called the OSX.RSPlug.A, a rather insidious Trojan Horse. It's not exactly a virus since it doesn't replicate itself, but it can cause some damage. The only way to get this malware on your computer is to download and install it, and enter in your administrator password.

This malware has been distributed by a video of a certain less-than-sane celebrity. As people have downloaded this video, they've received a message saying they don't have the proper codec to view it, and they're offered the "proper" codec as a download. When the "codec" is installed, it asks for your administrator password which gives it the permissions to run wild on your system.

The Trojan changes DNS information that re-routes all your web traffic to pornography and phishing sites. If you happen to know how to fix this and do, the Trojan Horse will change the DNS information back so your web surfing will still be compromised.

Here's how to identify if you have the Trojan, and what to do to remove it both with Virus Barrier and manually (if you're brave).

Difficulty: Moderately Challenging

Instructions

Things You'll Need:

Apple Computer running Mac OS X (10.4 +)
Virus Barrier or other Anti-Virus Software (highly recommended)

Step 1

Update and run your anti-virus software. This is the preferred method to remove the Trojan Horse and repair the damage caused by the malware. If you choose not to use AV software, continue, but be very cautious.
Step 2

Go to your root "Library" Folder. Click on your Hard Drive icon in the Finder and select the "Library Folder".
Step 3

Navigate to the "Internet Plug-Ins" Folder.
Step 4

See if there's a "plugins.settings" file in this folder. If that file is not in this folder, you're not infected.
Step 5

Delete "plugin.settings". Either drag it to the Trash on your Dock or hit the Command Key and Delete at the same time.
Step 6

Empty your trash. Right-click or Control-click the Trash icon on the Dock and select "Empty Trash".
Step 7

Open "Terminal" (Applications > Utilities).
Step 8

Type in "sudo crontab -l" (the letter L, and minus the quotes), hit Return, and enter your administrator password when asked. If it returns with anything other than "crontab: no crontab for root", you are most likely infected.
Step 9

Type in "sudo crontab -r" (minus the quotes) and enter your administrator password. This will remove the scheduled "cron" job that modifies your Mac's DNS information.
Step 10

Re-type "sudo crontab -1" (minus the quotes) to make sure that the delete process worked. If it did, you should see "crontab: no crontab for root".
Step 11

Type "exit" (minus the quotes) in Terminal.
Step 12

Restart your computer. Your Mac should now be clean!

Tips & Warnings

Do not download anything from untrusted sources. This is the best protection against viruses and other malware for any computer, including Macs.
Be careful with the Terminal. If you're not familiar with it, make sure you pay attention to what you're typing and double-check before you hit the Return key.
Symantec and McAfee's Anti-virus programs as well as other legitimate software may schedule cron jobs. Following the Manual Removal steps will remove these legitimate cron jobs too. If you have an anti-virus program installed, use it first before attempting a manual removal.

Resources

Comments

wwcan said

Flag This Comment

on 7/6/2009 Thanks Alexia. I also removed it via Terminal. Your instructions are great.

TallT said

Flag This Comment

on 9/17/2008 I ran into the same situation as dennispeeters, regarding the Quicktime Plugin appearance after the terminal command.

But what confuses me and hasn't permitted me to cure my Mac is that I get the question:
remove crontab for root? (with a question mark)

And I don't know how to respond to that!
I tried typing "yes", and tried typing "sudo crontab -1 and -r
but no good results and never have I seen the message that shows that the problem has been resolved; i.e., "crontab: no crontab for root".

Thanks,
Terry

emilythestrange said

Flag This Comment

on 7/9/2008 Thanks very much for this tip. I removed the trojan manually via the terminal and am no longer getting redirected from the google search results page, which was extremely annoying...

Cheers!

dennispeeters said

Flag This Comment

on 12/29/2007 Posted this on the MacWorld site, thought it might be usefull for some people here, cause it adds some info: the plugins.settings file is not the only one you have to remove in some instances:

Phew...... showed my first trojan horse the door..... Thank you for the great how-to!
Glad I recently conquered my Terminal-shyness, otherwise this would really have been a sweaty-hands-affair.

One thing puzzles me though.
sudo crontab -l got this result:
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt">/dev/null 2>&1
Which is weird... I guess... it's got a different name, even more misleading, maybe this links to the other one? Deleted (copied ofcourse) the Quicktime.xpt file also, just in case.
Can anyone shed some light on this one? I still have the file if you're interested.

+Edit: I've now figured out that the two files are practically identical, bar some quotes here and the