Fake "Word 2004 Demo" trojan horse distributed

A Macworld UK story covers a trojan horse for Mac OS X -- disguished as an installer for a "demo" version of Microsoft Word 2004 -- circulating through file sharing networks such Limewire and Gnutella. Launching the "demo installer" allows it to erase your entire home directory.

A clue that this isn't really a real demo installer is that the file is just over 100k but purports to install the full version of Word 2004. If you download such a file, or receive it from another user, do not try to launch or open it. (According to a Microsoft spokesperson quoted in the Macworld UK article, "Microsoft does not currently offer any Web downloads for Microsoft Office 2004...customers should always download from www.microsoft.com/mac.")

The trojan is simply an AppleScript application with a custom installer icon. When the application is launched, it uses AppleScript's ability to execute Unix shell commands in order to run a command that deletes the user's home folder. Since the user is the owner of his/her home directory, no authentication is needed.

Intego has accounced that the latest virus definitions for its VirusBarrier X anti-virus utility have been updated to protect against this trojan. We expect other OS X anti-virus developers to announce similar updates soon.

Resources