分析者: Rheniel Rhay Ramos   
 :

HEUR:Trojan-Spy.OSX.Aptordoc.b (Kaspersky) MacOS:Dok-D [Trj] (Avast)

 平台:

Mac OS X

 总体风险等级:
 潜在破坏:
 潜在分布:
 感染次数:
 信息暴露:

  • 恶意软件类型:
    Trojan

  • 有破坏性?:
    没有

  • 加密?:
    是的

  • In the Wild:
    是的

  概要

感染途徑: 从互联网上下载,或由其他恶意软件释放。

它修改受感染系统的HOSTS文件。它阻止用户访问某些网站。

  技术详细信息

文件大小: 38,864 bytes
报告日期: Mach-O
内存驻留: 是的
初始樣本接收日期: 2017年5月26日
Payload: 显示图形/图片

安装

它在受感染的系统中植入并执行下列自身副本:

  • /Users/Shared/AppStore.app

HOSTS文件修改

它修改受感染系统的HOSTS文件,阻止用户访问下列网站:

  • 127.0.0.1 localhost
  • 255.255.255.255 broadcasthost
  • ::1 localhost
  • 127.0.0.1 metrics.apple.com
  • 127.0.0.1 ocsp.apple.com
  • 127.0.0.1 su.itunes.apple.com
  • 127.0.0.1 ax.su.itunes.apple.com
  • 127.0.0.1 swscan.apple.com
  • 127.0.0.1 swcdn.apple.com
  • 127.0.0.1 swdist.apple.com
  • 127.0.0.1 a1.phobos.apple.com
  • 127.0.0.1 a101.phobos.apple.com
  • 127.0.0.1 a102.phobos.apple.com
  • 127.0.0.1 a103.phobos.apple.com
  • 127.0.0.1 a104.phobos.apple.com
  • 127.0.0.1 a105.phobos.apple.com
  • 127.0.0.1 a11.phobos.apple.com
  • 127.0.0.1 a12.phobos.apple.com
  • 127.0.0.1 a13.phobos.apple.com
  • 127.0.0.1 a14.phobos.apple.com
  • 127.0.0.1 a15.phobos.apple.com
  • 127.0.0.1 access.apple.com
  • 127.0.0.1 advertising.apple.com
  • 127.0.0.1 albert.apple.com
  • 127.0.0.1 ali.apple.com
  • 127.0.0.1 ams.apple.com
  • 127.0.0.1 apple.apple.com
  • 127.0.0.1 apple.com
  • 127.0.0.1 appleconnect.apple.com
  • 127.0.0.1 appleid-it.apple.com
  • 127.0.0.1 appleid.apple.com
  • 127.0.0.1 appleseed.apple.com
  • 127.0.0.1 appleseed3.apple.com
  • 127.0.0.1 appleseedtest.apple.com
  • 127.0.0.1 aps.info.apple.com
  • 127.0.0.1 ara.apple.com
  • 127.0.0.1 arait.apple.com
  • 127.0.0.1 asia.apple.com
  • 127.0.0.1 asw.apple.com
  • 127.0.0.1 atlaslms.apple.com
  • 127.0.0.1 av.apple.com
  • 127.0.0.1 benefits.apple.com
  • 127.0.0.1 beta.apple.com
  • 127.0.0.1 bugreport.apple.com
  • 127.0.0.1 bugreporter.apple.com
  • 127.0.0.1 c.apple.com
  • 127.0.0.1 calendar.apple.com
  • 127.0.0.1 certifications-test.apple.com
  • 127.0.0.1 certifications.apple.com
  • 127.0.0.1 certifications2.apple.com
  • 127.0.0.1 checkcoverage.apple.com
  • 127.0.0.1 checkrepair.apple.com
  • 127.0.0.1 concierge-mobile.apple.com
  • 127.0.0.1 concierge.apple.com
  • 127.0.0.1 consultants.apple.com
  • 127.0.0.1 cooljobs.apple.com
  • 127.0.0.1 deimos.apple.com
  • 127.0.0.1 deimos2.apple.com
  • 127.0.0.1 deimos3.apple.com
  • 127.0.0.1 deploy.apple.com
  • 127.0.0.1 developer.apple.com
  • 127.0.0.1 developer2.apple.com
  • 127.0.0.1 developertest.apple.com
  • 127.0.0.1 devforums.apple.com
  • 127.0.0.1 devimages.apple.com
  • 127.0.0.1 diagnostics.apple.com
  • 127.0.0.1 discussions.apple.com
  • 127.0.0.1 documentation.apple.com
  • 127.0.0.1 downloads.apple.com
  • 127.0.0.1 ecommerce.apple.com
  • 127.0.0.1 employment.apple.com
  • 127.0.0.1 enterprise.apple.com
  • 127.0.0.1 ep.sap.apple.com
  • 127.0.0.1 erp.apple.com
  • 127.0.0.1 esp-test.apple.com
  • 127.0.0.1 esp.apple.com
  • 127.0.0.1 euro.apple.com
  • 127.0.0.1 events.apple.com
  • 127.0.0.1 ext.apple.com
  • 127.0.0.1 ext1.apple.com
  • 127.0.0.1 extensions.apple.com
  • 127.0.0.1 files.apple.com
  • 127.0.0.1 gspa21.ls.apple.com
  • 127.0.0.1 gsx-it.apple.com
  • 127.0.0.1 gsx.apple.com
  • 127.0.0.1 gsxit.apple.com
  • 127.0.0.1 guide.apple.com
  • 127.0.0.1 help.apple.com
  • 127.0.0.1 hrweb.apple.com
  • 127.0.0.1 iad.apple.com
  • 127.0.0.1 iadworkbench.apple.com
  • 127.0.0.1 id.apple.com
  • 127.0.0.1 identity.apple.com
  • 127.0.0.1 iforgot.apple.com
  • 127.0.0.1 images.apple.com
  • 127.0.0.1 index.apple.com
  • 127.0.0.1 init.apple.com
  • 127.0.0.1 investor.apple.com
  • 127.0.0.1 iphone.apple.com
  • 127.0.0.1 itunes.apple.com
  • 127.0.0.1 itunespartner.apple.com
  • 127.0.0.1 jobs.apple.com
  • 127.0.0.1 k.apple.com
  • 127.0.0.1 lists.apple.com
  • 127.0.0.1 locate.apple.com
  • 127.0.0.1 macos.apple.com
  • 127.0.0.1 manuals.info.apple.com
  • 127.0.0.1 manuals01.info.apple.com
  • 127.0.0.1 manuals02.info.apple.com
  • 127.0.0.1 manuals03.info.apple.com
  • 127.0.0.1 manuals04.info.apple.com
  • 127.0.0.1 maps.apple.com
  • 127.0.0.1 mapsconnect.apple.com
  • 127.0.0.1 meetingroom.apple.com
  • 127.0.0.1 mfi.apple.com
  • 127.0.0.1 mobile.apple.com
  • 127.0.0.1 mobileaccess.apple.com
  • 127.0.0.1 movies.apple.com
  • 127.0.0.1 movietrailers.apple.com
  • 127.0.0.1 myaccess-it.apple.com
  • 127.0.0.1 myaccess.apple.com
  • 127.0.0.1 mynews.apple.com
  • 127.0.0.1 mystore.apple.com
  • 127.0.0.1 news.apple.com
  • 127.0.0.1 nr.apple.com
  • 127.0.0.1 opensource.apple.com
  • 127.0.0.1 podcastsconnect.apple.com
  • 127.0.0.1 portal.apple.com
  • 127.0.0.1 quicktime.apple.com
  • 127.0.0.1 radar.apple.com
  • 127.0.0.1 register.apple.com
  • 127.0.0.1 relay.apple.com
  • 127.0.0.1 relay1.apple.com
  • 127.0.0.1 relay11.apple.com
  • 127.0.0.1 relay12.apple.com
  • 127.0.0.1 relay13.apple.com
  • 127.0.0.1 relay14.apple.com
  • 127.0.0.1 relay15.apple.com
  • 127.0.0.1 relay2.apple.com
  • 127.0.0.1 relay3.apple.com
  • 127.0.0.1 relay4.apple.com
  • 127.0.0.1 relay5.apple.com
  • 127.0.0.1 remoteadvisor.apple.com
  • 127.0.0.1 remoteadvisor1.apple.com
  • 127.0.0.1 remoteadvisor2.apple.com
  • 127.0.0.1 reportaproblem.apple.com
  • 127.0.0.1 s.apple.com
  • 127.0.0.1 safari-extensions.apple.com
  • 127.0.0.1 sales.apple.com
  • 127.0.0.1 salesresources.apple.com
  • 127.0.0.1 school.apple.com
  • 127.0.0.1 selfsolve.apple.com
  • 127.0.0.1 servers.apple.com
  • 127.0.0.1 service.apple.com
  • 127.0.0.1 sift.apple.com
  • 127.0.0.1 signin.apple.com
  • 127.0.0.1 signin.info.apple.com
  • 127.0.0.1 source.apple.com
  • 127.0.0.1 ssl.apple.com
  • 127.0.0.1 sso.apple.com
  • 127.0.0.1 store.apple.com
  • 127.0.0.1 support.apple.com
  • 127.0.0.1 support01.apple.com
  • 127.0.0.1 support02.apple.com
  • 127.0.0.1 support03.apple.com
  • 127.0.0.1 support04.apple.com
  • 127.0.0.1 support05.apple.com
  • 127.0.0.1 supportprofile.apple.com
  • 127.0.0.1 supporttest.apple.com
  • 127.0.0.1 survey.apple.com
  • 127.0.0.1 survey2.apple.com
  • 127.0.0.1 swdlp.apple.com
  • 127.0.0.1 time.apple.com
  • 127.0.0.1 time1.apple.com
  • 127.0.0.1 time2.apple.com
  • 127.0.0.1 time3.apple.com
  • 127.0.0.1 time4.apple.com
  • 127.0.0.1 time5.apple.com
  • 127.0.0.1 tips.apple.com
  • 127.0.0.1 trailers.apple.com
  • 127.0.0.1 training.apple.com
  • 127.0.0.1 trainingevents.apple.com
  • 127.0.0.1 uptodate.apple.com
  • 127.0.0.1 volume.apple.com
  • 127.0.0.1 war.apple.com
  • 127.0.0.1 www1.apple.com
  • 127.0.0.1 wwwtest.apple.com
  • 127.0.0.1 xml.apple.com
  • 127.0.0.1 xp.apple.com
  • 127.0.0.1 xp2.apple.com
  • 127.0.0.1 virustotal.com
  • 127.0.0.1 www.virustotal.com

  解决方案

最小扫描引擎: 9.850
First VSAPI Pattern File: 13.466.08
VSAPI 第一样式发布日期: 2017年6月12日
VSAPI OPR样式版本: 13.467.00
VSAPI OPR样式发布日期: 2017年6月13日

Step 1

搜索和删除这些文件

[ 更多 ]
有些组件文件可能是隐藏的。请确认在"高级选项"中已选中搜索隐藏文件和文件夹复选框,使查找结果包括所有隐藏文件和文件夹。
  • /Users/YOUR USERNAME/Library/LaunchAgents/com.apple.Safari.proxy.plist
  • /Users/YOUR USERNAME/Library/LaunchAgents/com.apple.Safari.pac.plist
 DATA_GENERIC_FILENAME_1
  • 查找范围下拉列表中,选择
  • 我的电脑然后回车确认。
  • 一旦找到,请选择文件,然后按下SHIFT+DELETE彻底删除文件。
  • 对剩余的文件重复第2到4步:
      • /Users/YOUR USERNAME/Library/LaunchAgents/com.apple.Safari.proxy.plist
      • /Users/YOUR USERNAME/Library/LaunchAgents/com.apple.Safari.pac.plist

    • Step 2

    使用趋势科技产品扫描计算机,并删除检测到的OSX_DOK.C文件 如果检测到的文件已被趋势科技产品清除、删除或隔离,则无需采取进一步措施。可以选择直接删除隔离的文件。请参阅知识库页面了解详细信息。