Mac Flashback Trojan: Find Out If You're One of the 600,000 Infected

By Kyle Wagner on at

There's a new Mac trojan that's been floating around, and it's terrifying everyone. It's written in an unknown language, doesn't even need your password to compromise you, and now it's apparently infected 600,000 users. Here's how to use Terminal to check if you're one of the unlucky many.

The instructions come from F-Secure, which also details how you can remove the trojan if your Mac is, in fact affected. But let's not put the cart before the virus; here's how to see if you're clean. First, open Terminal from your Utilities folder. Then:

1. Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

8. Run the following command in Terminal:

defaults read /.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

In other words: "does not exist" means you've got a healthy rig. Anything else, just keep following F-Secure's instructions to vanquish the intruder. And even if you get the all clear for now, don't wait on downloading the security update that patches the Java vulnerability that started this whole mess. [F-Secure via Ars]