04-18-2012 02:42 PM
They're in the virus definition files... usually in the IDE files in the IDE folder. You're not going to find loose identities floating around; there are millions of identities, and they operate in all sorts of different ways.
When looking at the FlshPlyr family, the various detections actually overlap a bit, and indicate the kind of detection more than the specific release version of Flashback that is detected by them.
That said, most of the drive-by version of Flashback will be picked up by OSX/Flshplyr-D, and if by some chance it got itself installed prior to your scan (on-access scanning disabled, for example), you'll detect the other files as OSX/Flshplyr-E. Certain edge cases could show up as OSX/FlshPlyr-B.
OSX/FlshPlyr-A generally detects on the older variants that used the PDF and Flash exploits; OSX/FlshPlyr-C detects the malicious installer itself (where the end user has to run the PKG file and intentionally install Flashback).
All identities go through continuous updating to improve both the performance of the detection scans and the proactiveness of the detection logic. The analyses also get updated from time to time, to provide more information/change the threat prevalence, etc.
I hope that helps.
04-21-2012 01:07 PM
I did the Sophos scan and my quarantine manager has an alert.. OSX/Flshplyr-E .... (/Users/Shared/Infected/.SafariArchive.tar.gz)....
04-21-2012 02:20 PM
/Users/Shared/Infected/.SafariArchive.tar.gz looks to me like a "quarantine and move" path. Best to just clean it up from the quarantine manager. The file itself begins with a dot, so would be invisible without ls -a in the Terminal (and the finder).
In short, that's lot a location where Flashback can actually do any harm, so you're not likely currently "infected" -- but you do have the remnants of the malware lurking somewhere -- possibly just in the quarantine manager with the actual files already cleaned up.