04-18-2012 02:42 PM
They're in the virus definition files... usually in the IDE files in the IDE folder. You're not going to find loose identities floating around; there are millions of identities, and they operate in all sorts of different ways.
When looking at the FlshPlyr family, the various detections actually overlap a bit, and indicate the kind of detection more than the specific release version of Flashback that is detected by them.
That said, most of the drive-by versions of Flashback will be picked up by OSX/Flshplyr-D, and if by some chance it got itself installed prior to your scan (on-access scanning disabled, for example), you'll detect the other files as OSX/Flshplyr-E. Certain edge cases could show up as OSX/FlshPlyr-B.
OSX/FlshPlyr-A generally detects on the older variants that used the PDF and Flash exploits; OSX/FlshPlyr-C detects the malicious installer itself (where the end user has to run the PKG file and intentionally install Flashback).
All identities go through continuous updating to improve both the performance of the detection scans and the proactiveness of the detection logic. The analyses also get updated from time to time, to provide more information/change the threat prevalence, etc.
I hope that helps.
04-21-2012 01:07 PM
Greetings...
I did the Sophos scan and my quarantine manager has an alert.. OSX/Flshplyr-E .... (/Users/Shared/Infected/.SafariArchive.tar.gz)....
04-21-2012 02:20 PM
/Users/Shared/Infected/.SafariArchive.tar.gz looks to me like a "quarantine and move" path. Best to just clean it up from the quarantine manager. The file itself begins with a dot, so would be invisible without ls -a in the Terminal (and in the Finder).
In short, that's not a location where Flashback can actually do any harm, so you're not likely currently "infected" -- but you do have the remnants of the malware lurking somewhere -- possibly just in the quarantine manager with the actual files already cleaned up.