OnyX icon

Malware

List and definitions of malware recognized by XProtect:

OSX.28a9883
Apple has identified this malware but has not disclosed its capabilities, its effects, or the identity of its creator.

OSX.Abk.A
This is a spyware program (also named Aobo) that can steal information from your computer. It records keystrokes and passwords, takes screenshots at regular intervals, runs in stealth mode, and sends the created logs of information to an email address or FTP server specified by the attacker.

OSX.AceInstaller.B.1
AceInstaller is a potentially unwanted application that installs additional packaged apps such as MPlayer OSX Extended and MacKeeper. It is downloaded from a fake Adobe Flash Player webpage or from websites that offer cracks for various Mac applications. Sometimes, it displays advertising during the installation process. Users have reported problems with computer stability after running AceInstaller.

OSX.AceInstaller.B.2
This is a variant of the OSX.AceInstaller.B.1 application.

OSX.AdLoad.A
AdLoad is adware that installs an additional program to display and download unwanted advertisements and toolbars to your device; it is privacy-invasive. Some of these toolbars may track your browsing behaviors and change your browser homepage and main search engine.

OSX.AdLoad.B.1
This is a variant of the OSX.AdLoad.A adware.

OSX.AdLoad.B.2
This is a variant of the OSX.AdLoad.A adware.

OSX.AdPlugin.i
AdPlugin (also named Yontoo) is a trojan horse that is packaged as a media player or download manager plug-in. It is distributed on underground file-sharing and movie trailer websites. After it is installed, it pretends to be a player called Twit Tube, but it installs the Yontoo plug-in. This plug-in will work in all web browsers to track your browsing behaviors and then present ads on legitimate websites.

OSX.AdPlugin2.i
This is a variant of the OSX.AdPlugin.i trojan horse.

OSX.ATG15.B
This is a trojan horse.

OSX.Bundlore.A
The Bundlore adware (also named Agent-Q, Bnodlero, and WebHelper) is a collection of adware applications with varying names probably made by the same group. It delivers advertisement content and is privacy-invasive. This set of malware includes toolbars, intrusive and fraudulent applications, multi-offer installers, free versions of commercial products that display advertising, and software that is funded by advertising.

OSX.Bundlore.B
This is a variant of the OSX.Bundlore.A adware.

OSX.Bundlore.D
This is a variant of the OSX.Bundlore.A adware.

OSX.CoinThief.A
CoinThief (also named StealBit) is a trojan horse designed to steal bitcoins from infected computers. It is disguised as an application intended to be used for sending and receiving bitcoin payments. It was available on GitHub for a while—pretending to be an open-source application named StealthBit. After it is installed, the malware can snoop on all web browsing and bitcoin-related activities and can communicate with a command-and-control server to transmit stolen information to the hackers and receive new updates.

OSX.CoinThief.B
This is a variant of the OSX.CoinThief.A trojan horse.

OSX.CoinThief.C
This is a variant of the OSX.CoinThief.A trojan horse.

OSX.CrossRider.A
CrossRider is a potentially unwanted application that installs an additional program to display and download unwanted advertisements and toolbars to your device; it is privacy-invasive. It is bundled within custom installers on many download websites like BrotherSoft, CNET, and Softonic.

OSX.DevilRobber.A
DevilRobber (also named CoinMiner and Miner-D) is a trojan horse that opens a backdoor to a remote server on port 1900 of the infected computer. The threat may arrive on the computer through a BitTorrent application. After it is installed, it uses the resources of the infected computer to mine bitcoins and steal information.

OSX.DevilRobber.B
This is a variant of the OSX.DevilRobber.A trojan horse.

OSX.Dok.A
This is a trojan horse (also named Bella) that downloads as a file named Dokument.zip. It can hijack and sniff all the traffic entering and leaving a Mac without your knowledge. This includes SSL/TLS-encrypted connections, because it installs a local digital certificate that overrides normal man-in-the-middle warnings and protections.

OSX.Dok.B
This is a variant of the OSX.Dok.A trojan horse.

OSX.eicar.com.i
Eicar is not true malware—it's a test detection file that is used to test antivirus software. By default, the filename is Eicar.com, but it may be renamed to any other name.

OSX.Eleanor.A
This is a trojan horse (also named Backdoor.MAC.Eleanor) that pretends to be a document utility called EasyDoc Converter. It opens a backdoor and can steal information from the infected computer. It can send email, capture images and videos from the webcam, upload files, open a remote shell, run commands and scripts, manage files and tasks, explore SQL databases, and update the trojan.

OSX.ExtensionsInstaller.A
ExtensionsInstaller is a potentially unwanted application. It displays unwanted offers and advertisements, changes the browser settings, and redirects it without any action on your part.

OSX.FileSteal.i
FileSteal (also named Hackback and KitM) is a trojan horse that steals information from the infected computer. When this trojan runs, it searches for files with these filename extensions: .doc, .docx, .eml, .emlx, .fdf, .fdr, .fdx, .idx, .knt, .kwd, .log, .lst, .lwp, .jpeg, .jpg, .mbox, .msg, .mw, .pages, .pdf, .ppt, .pptx, .tiff, .txt, .wpr, .xls, and .xlsx. It compresses them into a file with a .zip filename extension and uploads it to a remote server.

OSX.FileSteal.ii
This is a variant of the OSX.FileSteal.i trojan horse.

OSX.Findzip.A
Findzip (also named Filecoder) is a file-encrypting ransomware (probably written in Swift) that contains programming errors. It is not signed, which makes it harder to install. It comes disguised as a cracking application for Adobe Premiere Pro CC 2017, Microsoft Office 2016, and probably other applications, and is being distributed on BitTorrent file-sharing networks.

OSX.FkCodec.i
FkCodec (also named Codec-M, FakeCodec, and Smokec) is adware. It is a Safari browser extension that can collect browsing information from the infected computer in order to display advertisements.

OSX.FlashBack.A
FlashBack (also named Flashfake) is a trojan horse that is disguised as an Adobe Flash Player installer; it exploits a vulnerability in Java. It gathers information (HW.machine, kernel information, machine type, OS information, password, and user ID) from the infected computer. The trojan downloads more files on the infected computer by connecting to the 31.31.79.87 IP address. The trojan deletes itself if certain applications (Avast Mac Security, ClamXav, Little Snitch, VirusBarrier, Xcode, and so on) are present on the computer.

OSX.FlashBack.B
This is a variant of the OSX.FlashBack.A trojan horse.

OSX.FlashBack.C
This is a variant of the OSX.FlashBack.A trojan horse.

OSX.Genieo.A
This is a potentially unwanted application. It is a heuristic detection used to detect risks associated with the potentially unwanted application Genieo.

OSX.Genieo.B
This is a variant of OSX.Genieo.A—a potentially unwanted application.

OSX.Genieo.C
This is a variant of OSX.Genieo.A—a potentially unwanted application.

OSX.Genieo.D
This is a variant of OSX.Genieo.A—a potentially unwanted application.

OSX.Genieo.E
This is a variant of OSX.Genieo.A—a potentially unwanted application.

OSX.Genieo.G
This is a variant of OSX.Genieo.A—a potentially unwanted application.

OSX.Genieo.G.1
This is a variant of OSX.Genieo.A—a potentially unwanted application.

OSX.GenieoDropper.A
This is a variant of OSX.Genieo.A—a potentially unwanted application.

OSX.GetShell.A
GetShell (also named ExploitKit.gen, MetaData, SET.gen, ShellCode, and TESrel) is a trojan horse that downloads remote files and opens a backdoor on the infected computer. An infected website asks for your permission to run a file that contains the .jar filename extension. This malicious file determines your operating system and then downloads and launches an installer. The trojan can also create administrator accounts on the affected computer.

OSX.HellRTS
HellRTS (also named HellRaiser and Pinhead) is a trojan horse that opens a backdoor on the infected computer. It was first seen as an installer for iPhoto. It can open a chat window; play music, videos, or show pictures; take screenshots of the desktop; log out of, restart, shut down, or hibernate the computer; browse the storage device and retrieve, upload, or modify its contents; run AppleScripts; open web addresses specified by the attacker; send emails using the remote email client; launch an interactive remote shell; adjust the sound volume; open the CD-ROM tray; access or modify the content of the clipboard; and use Spotlight on the remote computer.

OSX.HiddenLotus.A
HiddenLotus is a trojan horse. This is an application that is disguised as an Adobe Acrobat file originally named Lê Thu Hà (HAEDC).pdf, but the d in the extension is a Roman numeral, not a letter.

OSX.Hmining.A
This is adware that changes your home page and main search engine.

OSX.Hmining.A.2
This is a variant of the OSX.Hmining.A adware.

OSX.Hmining.B
This is a variant of the OSX.Hmining.A adware.

OSX.Hmining.C
This is a variant of the OSX.Hmining.A adware.

OSX.Hmining.D
This is a variant of the OSX.Hmining.A adware.

OSX.iKitten.A
iKitten (also named MacDownloader) is a malware agent. It is packaged as both an installer for Adobe Flash Player and the Bitdefender Adware Removal Tool, but it extracts system information and copies of macOS keychain databases. This malware is poorly written and doesn't persist in memory after you restart your computer; however, by this time, your passwords might have already been stolen.

OSX.InstallCore.A
InstallCore (also named AssetsChanger and InstallMiez) is adware that delivers advertisement content to you and is privacy-invasive. This set of malware includes toolbars, multi-offer installers, intrusive and fraudulent applications, free versions of commercial products that display advertising, and software that is funded by advertising.

OSX.InstallImitator.A
InstallImitator (also named FlashImitator) is adware.

OSX.InstallImitator.B
This is a variant of the OSX.InstallImitator.A adware.

OSX.InstallImitator.C
This is a variant of the OSX.InstallImitator.A adware.

OSX.InstallImitator.D
This is a variant of the OSX.InstallImitator.A adware.

OSX.Iservice.A
Iservice (also named iWorkServices and Krowi) is a trojan horse that opens a backdoor on the infected computer. The remote attacker can use many remote commands. The trojan is shared through BitTorrent, is typically distributed over peer-to-peer sharing networks, and is bundled with a modified copy of the iWork '09 trial application. The bundle contains part of the legitimate iWork '09 trial package and also the iWorkServices.pkg malicious package. Infected computers become part of a botnet (a group of hijacked computers) and are used to attack websites.

OSX.Iservice.B
This is a trojan horse that opens a backdoor on the infected computer. The remote attacker can use many remote commands. The trojan is shared through BitTorrent, is typically distributed over peer-to-peer sharing networks, and is bundled in a file with a .zip filename extension as a crack with a copy of the Adobe Photoshop application. Infected computers become part of a botnet (a group of hijacked computers) and are used to attack websites.

OSX.iWorm.A
iWorm is a botnet. It opens a port on an infected computer and awaits an incoming connection. It sends a request to a remote site to acquire a list of control servers using the search service at reddit.com and then connects to the remote servers and waits for instructions. It can record the OS type, the bot version, the bot Unique Identifier, or a value from the configuration file; set a parameter value in the configuration file; remove all parameters from the configuration file; get bot uptime; send a GET query; download a file; open a socket for an inbound connection and then run the commands received; run an operating system instruction; put the computer to sleep; ban a node by IP, clear the list of banned nodes; get the node list, a node IP, a node type, and node port; and run a script.

OSX.iWorm.B
This is a variant of the OSX.iWorm.A botnet.

OSX.iWorm.C
This is a variant of the OSX.iWorm.A botnet.

OSX.KeRanger.A
This is ransomware that is disguised as a copy of the Transmission BitTorrent client. It encrypts files on the infected computer and asks you to pay in bitcoins to decrypt them.

OSX.LaoShu.A
This is a trojan horse that arrives on the infected computer through spam emails, disguised as a PDF file. It opens a backdoor and connects to a remote server. It can steal information and upload it to the remote server.

OSX.Leverage.A
This is a trojan horse that is downloaded from a fake Adobe webpage and that pretends to be an Adobe Flash Player installer. It opens a backdoor on the infected computer. After it is installed, it connects to the command-and-control server and sends information about the infected Mac. This trojan also installs a permanent backdoor that allows the attacker to send a variety of commands.

OSX.Leverage.a
This is a trojan horse that is disguised as an image file. It hides itself from the Dock and Command-Tab application switching and opens the JPEG file inside the application bundle with the Preview application. After it is installed, it connects to the command-and-control server on port 7777. This trojan installs a permanent backdoor that allows the attacker to send a variety of commands.

OSX.MacDefender.A
MacDefender (also named Defma, MacGuard, MacProtector, MacSecurity, and MacShield) is a potentially unwanted application. It is downloaded from fake antivirus websites that claim to have detected viruses on your Mac. These sites are reached using malicious JavaScripts that are injected into legitimate websites and that redirect you to the malicious antivirus site (often called something similar to Apple Security Center). Clicking a button on the malicious site results in the downloading of an installer. After it is installed, this malware opens porn sites at regular intervals to convince you that your computer is infected with a virus and to fool you into spending money on the software to remove the virus.

OSX.MacDefender.B
This is a variant of OSX.MacDefender.A—a potentially unwanted application.

OSX.Machook.A
Machook (also named WireLurker) is a trojan horse that was originally distributed with pirated applications from third-party application stores. It may spread to connected iOS or iPadOS devices through infected computers. It can contact a malicious domain and send reports back to it. The trojan can download updates of itself, check whether the attached iOS or iPadOS device is jailbroken, spread to other iOS or iPadOS applications, and detect whether a USB device has been added or removed. It can steal your serial number, phone number, model number, product version, Apple ID, product type, hardware serial number, list of installed applications, first name, last name, and contact information of received text messages.

OSX.Machook.B
This is a variant of the OSX.Machook.A trojan horse.

OSX.MaControl.i
MaControl (also named MacKontrol and Tibet) is a trojan horse that opens a backdoor on the infected computer and is linked to Tibetan activist organizations. It may arrive as spam emails and phishing emails and relies on Java vulnerabilities. The remote attacker can close the connection to the remote location and end the threat; collect information and send it back to the remote server; send the process list of the computer to the remote server; end processes; fork running processes; retrieve the install path of the trojan; run and delete files; send files, user status, and information to the remote server; log out the current user; put the computer to sleep; and restart or shut down the computer.

OSX.Mdropper.i
Mdropper (also named Lamadai, Olyx, Sabpab, and Sabpub) is a trojan horse that exploits a vulnerability in older versions of Java or Microsoft Office to open a backdoor on the infected computer by connecting to the 121.254.173.57 IP address; it does not require your interaction. It creates a LaunchAgent named www.google.com.tstart.plist so that the threat runs automatically. This trojan can download and upload files; create, delete, and run files; obtain system information; and open a shell prompt.

OSX.Mughthesec.A
OSX.Mughthesec.A is adware that displays advertisements and can download and install potentially unwanted applications on your computer.

OSX.Mughthesec.B
This is a variant of the OSX.Mughthesec.A adware.

OSX.NetWeird.i
NetWeird (also named Wirenet) is a trojan horse that opens a backdoor on the infected computer. It can connect to a command-and-control server, run remote commands, install applications, retrieve information on running processes, retrieve system information, steal mail application and browser passwords, and take screenshots.

OSX.NetWeird.ii
This is a variant of the OSX.NetWeird.i trojan horse.

OSX.Netwire.A
Netwire (also named NetWeirdRC) is a remote access tool that can spy on you through the infected computer and can perform various actions. After it is installed, it calls home to the IP address 212.7.208.65 on port 4141 and waits for instructions. It can take screenshots; install new files; perform commands remotely; gather system information and information about what programs are running; and steal encrypted Firefox, Opera, SeaMonkey, and Thunderbird passwords. This malware is inactive after restarting your computer, and it will remain dormant unless it is manually restarted or removed. It adds itself to the login items, but this does not succeed in restarting the malware; it will only open your home folder at login instead.

OSX.OpinionSpy
OpinionSpy (also named PremierOpinion and Spynion) is spyware that may be distributed with and installed by other Mac applications available online (screen savers, video converters, and so on). These applications retrieve the OpinionSpy program and install it during their own installation. It can open an HTTP backdoor, scan and analyze all accessible files, scan and analyze transmitted network data, and send encrypted data to a remote server.

OSX.OpinionSpy.B
This is a variant of the OSX.OpinionSpy spyware.

OSX.ParticleSmasher.A
ParticleSmasher (also named Proton) is a trojan horse that opens a backdoor, steals information, and downloads potentially malicious files on the infected computer. It can upload, download, and run files, and steal keychains and cookies.

OSX.Proton.A
This is a trojan horse that opens a backdoor, steals information, and downloads potentially malicious files on the infected computer. It can upload, download, and run files, and steal keychains and cookies.

OSX.Proton.B
This is a variant of the OSX.Proton.A trojan horse.

OSX.Prxl.2
Prxl (also named Fucobha, Hormesu, and Icefog) is an interactive espionage tool that opens a backdoor on the infected computer. It can steal information, download and run potentially malicious files from a remote server, upload files to a remote server, and run arbitrary commands.

OSX.QHost.WB.A
QHost (also named HostMod-A) is a trojan horse that is disguised as an Adobe Flash Player installer. After it is installed, it adds entries in the hosts file to hijack your attempts to visit various Google sites by redirecting them to the 91.224.160.26 IP address, which is located in the Netherlands. The server at the IP address displays a fake webpage similar to the official Google site.

OSX.Revir.A
Revir (also named Imuler and Muxler) is a trojan horse that downloads other files on the infected computer. When the trojan is run, it displays a PDF file that contains Chinese language text. This is done to direct attention away from its malicious activities. It drops a file that runs a curl command to download and run another file.

OSX.Revir.ii
This is a variant of the OSX.Revir.A trojan horse.

OSX.Revir.iii
This is a variant of the OSX.Revir.A trojan horse.

OSX.Revir.iv
This is a variant of the OSX.Revir.A trojan horse.

OSX.RSPlug.A
RSPlug (also named DNSChanger, Jahlav, and Puper) is a trojan horse that changes the DNS settings on the infected computer. It is downloaded using browser exploits (generally as a video codec to view porn videos) or through social engineering. It modifies the DNS servers settings and updates crontab to run a script to make sure it stays changed. It then sends the processor type, the Universally Unique Identifier, and the hostname to the 85.255.121.37 IP address. Infected computers will use a malicious DNS server, which will redirect requests for certain sites (banks, eBay, and so on) to phishing servers, in an attempt to steal account passwords that can be used to make money.

OSX.SMSSend.i
This is a trojan horse (also named Hoax.ArchSMS and SMSMonster) that requests that you send an SMS message to a premium-rate phone number to complete the installation. The trojan is packaged as an installer.

OSX.SMSSend.ii
This is a variant of the OSX.SMSSend.i trojan horse.

OSX.Trovi.A
Trovi is a homepage or browser hijacker that is installed by browser extensions or add-ons. It is bundled with freeware to promote Trovi Search and to make money using advertisements within the search results. After it is installed, the default search engine and homepage for the browser are replaced with Trovi.com. It is not a malicious process, but it does change security settings within your browser.

OSX.Vindinstaller.A
Vindinstaller (also named FkCodec-B) is a trojan horse.

OSX.VSearch.A
VSearch (also named Downlite and SearchProtect) is adware that installs a browser toolbar and modifies the default search engine for web browsers. It must be installed manually and is usually bundled with third-party installers or download managers. It can connect with many domains while installing to track the installation, retrieve configuration information, or download components.

OSX.XAgent.A
XAgent (also named Komplex and Sofacy) is backdoor malware linked to the Russian threat group APT 28. It can log keystrokes, steal passwords, take screenshots, and detect the presence of iOS or iPadOS backups that could be used to steal sensitive information stored in those backups to further compromise personal data stored on iPhones and iPads.

OSX.XcodeGhost.A
XcodeGhost is a compiler malware that steals information from the infected computer. It is packaged through a modified Xcode installer obtained from an unofficial source. When this installer is used to create an application, the trojan ensures that the created application will contain code to steal information. It can steal a computer's application bundle identifier; current time; operating system version; language and country used; and device name, type, and Universally Unique Identifier. It can send the stolen information to a location using HTTP POST.