Hi Ronni, thanks for the details but I think it is safe to say James has not gone down this path as he NEVER opens his emails. So for that reason, it is highly unlikely. I will nonetheless get his confirmation that he hasn't opened any emails and specifically one with a Zip folder in it.
So if I am correct and the Dokument.zip scenario is a red herring, what else could it be? WCE have made a good start though a long way to go.

Regards
Pete

> On 29 Apr 2017, at 12:32 PM, Ronni Brown <ro...@mac.com> wrote:
>
> Hi Peter,
>
> For James to have been infected by OSX.Dok, James would have needed to install it! And he would have to go through quite a number of steps & windows to install it.
> You have indicated that James is pretty competent in these things, so let's hope you are correct. As this is a new very nasty Malware and the malware is able to have continued root-level permission without continuing to request for an admin password.
> ---
> “OSX.Dok comes in the form of a file named Dokument.zip, which is found being emailed to victims in phishing emails. Victims primarily are located in Europe.
>
> Apple has already revoked the certificate used to sign the app, so, at this point, anyone who encounters this malware will be unable to open the app and unable to be infected by it.
>
> If the user clicks past this warning to open the app, it will display a warning that the file could not be opened, which is simply a cover for the fact that no document opened:
>
> Interestingly, this window cannot be dismissed, as the OK button does not respond. Further, the app will remain stuck in this mode for quite some time. If the user becomes suspicious at this point and attempts to force quit the app, it will not show up in the Force Quit Applications window and in Activity Monitor, it will appear as “AppStore.”
>
> If the user manages to force this “AppStore” app to quit, however, all is not yet okay. The malware dropper will have copied itself onto the /Users/Shared/ folder and added itself to the user’s login items so it will re-open at the next login to continue the process of infecting the machine.
>
> After several minutes, the app will obscure the entire screen with a fake update notification.
> “OS X Updates Available - A security issue has been identified in an OS X software product etc etc.”
>
> If James did continue to this stage his Mac is probably infected with this Malware.
>
> Malwarebytes Anti-Malware for Mac will detect the important components of this malware as OSX.Dok, disabling the active infection. However, when it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed.
> For people who don’t know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.
>
> Please post back more information from James as to exactly what were the details of the below “certificate pop up screen”? And what happened after he clicked “Accept”?
>>> "certificate pop up come up on screen" to which he pressed Accept
>
> I’m hoping it is not the malware and can be rectified without an erase of the hard drive and restore the system from a previous backup made prior to infection.
>
> Cheers,
> Ronni
>
> 13-inch MacBook Air (April 2014)
> 1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
> 8GB 1600MHz LPDDR3 SDRAM
> 512GB PCIe-based Flash Storage
>
> macOS Sierra 10.12.4
>
>> On 29 Apr 2017, at 10:33 am, Pat <clamsh...@iinet.net.au> wrote:
>>
>> There is a report in today’s online news about a new malware targeting Macs called OSX/Dok. The first symptom is a pop-up message about a new OSX update. Don’t update! It is a trojan that can bypass Gatekeeper. Apparently it is signed with a valid developer certificate and attacks all kinds of Mac.
>>
>> Pat
>>
>>> On 29 Apr 2017, at 08:57, petercr...@westnet.com.au wrote:
>>>
>>> My son's (James) MacBook Pro (~2011) has been updated to Sierra 10.12.4 since he went on school holidays. He went back to school this week and was unable to gain access into the school IT environment using the school wifi. He had previously had no problem the last time at school when running El Capitan. He called me this morning as I am FIFO at the moment in sunny Hedland and using Facetime we proved a few things. He was able to access the school IT environment by using the home WIFI network without a hitch. This problem therefore arises when he is at school in the school wifi environs.
>>>
>>> He indicated to me when first attempting to connect to the school environment via the installed VMware he had a "certificate pop up come up on screen" to which he pressed Accept. My suspicion is that has something to do with his access problem though may be a Sierra related issue potentially. He took it to his school IT team on Friday who said "you need to go to the App store and do an update". He told them he is at the latest OSX 10.12.4, there is no further update - I think they're fobbing him off and copping out because they don't actually know the problem and solution. But neither do I, however I admit to it. James is pretty competent in these things but we're both stumped right now.
>>>
>>> Any clues by anyone on similar issues?
>>>
>>> Regards
>>>
>>> Pete.
>
> -- The WA Macintosh User Group Mailing List --
> Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
> Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
> Settings & Unsubscribe - <http://lists.wamug.org.au/listinfo/wamug.org.au-wamug>
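An added defender-side check, not code from the thread or from Malwarebytes: the write-up quoted above says the dropper copies itself into /Users/Shared/ (a folder that should normally hold only documents) and registers a login item. The shell function below lists any app bundles or executable files sitting directly in that folder so a quick triage can be done from Terminal; the directory argument and the constructed `Dokument.app` used in testing are assumptions.

```shell
# Added example (not part of the original thread): triage the persistence
# location named in the OSX.Dok write-up, /Users/Shared/.
# Usage: scan_shared_dir [DIR]   (DIR defaults to /Users/Shared)
# Prints every .app bundle or executable file found directly in DIR.
# Returns 0 if nothing was found, 1 if something was, 2 if DIR is missing.
scan_shared_dir() {
    dir="${1:-/Users/Shared}"
    found=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    # include dot-files as well, since droppers often hide that way
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # unmatched glob stays literal
        case "$entry" in
            *.app) echo "APP-BUNDLE  $entry"; found=1 ;;
        esac
        # a plain executable file is also out of place in a shared documents folder
        if [ -f "$entry" ] && [ -x "$entry" ]; then
            echo "EXECUTABLE  $entry"; found=1
        fi
    done
    [ "$found" -eq 0 ] && echo "nothing suspicious in $dir"
    return "$found"
}
```

A hit here is a reason to run Malwarebytes (which the write-up says detects the components as OSX.Dok) and to review login items, not proof of infection by itself.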