Leap virus

The Leap or Oompa-Loompa computer virus is an application-infecting, LAN-spreading worm for Mac OS X discovered in February 2006.

Leap cannot spread over the Internet; it spreads only across a local area network reachable through the Bonjour protocol. Because Bonjour's service discovery relies on link-local multicast DNS (mDNS), which routers do not forward, on most networks this limits it to a single IP subnet.

Delivery and infection

The Leap worm is delivered over the iChat instant messaging program as a gzip-compressed tar file called latestpics.tgz. For the worm to take effect, the user must manually invoke it by opening the tar file and then running the disguised executable within.

The executable is disguised with the standard icon of an image file, and claims to show a preview of Apple's next OS. The disguise works only at the Finder level: the extracted item is an executable rather than image data, so inspecting it from a terminal with the file command (or with ls -l, which shows the execute bit) reveals it before it is double-clicked. Once it is run, the virus attempts to infect the system.

For non-"admin" users, it prompts for the computer's administrator password in order to gain the privilege to modify the system-wide configuration. It does not scan the disk for applications to infect; instead, infection is triggered as applications are loaded, through an Input Manager bundle named "apphook" that Mac OS X loads into every Cocoa application at launch.

Leap only infects Cocoa applications, and it does not infect applications owned by the system (including the apps that come pre-installed on a new machine), but only apps owned by the user who is currently logged in. Typically, that means apps that the current user has installed by drag-and-drop, rather than by Apple's installer system. When an infected app is launched, Leap tries to infect the four most recently used applications. If those four do not meet the above criteria, no further infection takes place at that time.
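As an added example (not code from the original article, and not taken from any published analysis of Leap), the following POSIX shell script checks the two conditions the text describes, and doubles as the starting point for the clean-up described under "Protection and recovery": whether any Input Manager bundle such as "apphook" is installed in the per-user or system-wide InputManagers directory, and which .app bundles under a given directory are owned by the logged-in user and are therefore the only candidates for infection. The function names, the "run" argument and the default paths are this example's own assumptions; the directories are passed as arguments so the checks can also be pointed at a mounted disk image or a test tree.

```shell
#!/bin/sh
# Added audit script, not part of the original article. It checks the two
# preconditions the text describes for a Leap infection. Directory paths
# are passed as arguments so the functions can be run against a test tree;
# the defaults used by "run" are the standard Mac OS X locations.

# Input Manager bundles are loaded into every Cocoa application at launch,
# the mechanism behind the article's "apphook" component. Print each bundle
# found in the given InputManagers directories; on a clean machine the
# directories are usually absent or empty, so any entry deserves a look.
list_input_managers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -mindepth 1 -maxdepth 1 -type d | sort
    done
}

# Leap infects only applications owned by the logged-in user (typically
# drag-and-drop installs), never system-owned ones. Print the .app bundles
# directly under the given directories that the current uid owns; these
# are the ones to verify or replace after an infection.
user_owned_apps() {
    uid=$(id -u)
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -mindepth 1 -maxdepth 1 -type d -name '*.app' -user "$uid" | sort
    done
}

# Combined check for the live system: report, and return 1 if any Input
# Manager bundle is present so the script can be used as a periodic check.
audit_system() {
    managers=$(list_input_managers "$HOME/Library/InputManagers" /Library/InputManagers)
    apps=$(user_owned_apps /Applications "$HOME/Applications")
    printf 'User-owned .app bundles (Leap candidates):\n%s\n' "${apps:-(none)}"
    if [ -n "$managers" ]; then
        printf 'Input Manager bundles installed (inspect each):\n%s\n' "$managers"
        return 1
    fi
    echo "No Input Manager bundles installed."
}

# Usage: sh leap_audit.sh run
case "${1:-}" in
    run) audit_system ;;
esac
```

An Input Manager bundle is not proof of Leap on its own (some legitimate software of the period also installed them), but the list is short enough to inspect by hand, and a bundle named apphook is the indicator this article describes. The user-owned application list is also the list to work through during recovery: only those bundles can have been infected, so the system-owned ones need no replacement.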

Payload

Once activated, Leap then attempts to spread itself via the user's iChat Bonjour buddy list. It does not spread using the main iChat buddy list, nor over XMPP. (By default, iChat does not use Bonjour and thus cannot transmit this virus.)

Leap does not delete data, spy on the system, or take control of it, but it does have one harmful side effect: due to a bug in the virus itself, an infected application will no longer launch. This is helpful in that it prevents people from continuing to launch the infected program unawares, and it makes the infection visible: a recently used, user-installed application that suddenly refuses to start is the symptom to look for.

Protection and recovery

A common method of protecting against this type of Trojan horse is avoiding launching files from untrusted sources, including files received over instant messaging. Working day-to-day from a non-admin account also helps: Leap must then ask for an administrator password before it can touch system-wide locations, and an unexpected password prompt from a supposed image file is itself a warning sign. An existing admin account can be "declawed" by unchecking the box "Allow this user to administer this computer." (At least one admin account must remain on the system in order to install software and change vital system settings, even if it is an account created solely for that purpose. The current members of the admin group can be listed from a terminal with dscl . -read /Groups/admin GroupMembership.)

Recovering after a Leap infection involves deleting the virus files (including the "apphook" Input Manager bundle) and replacing infected applications with fresh copies. It does not require re-installing the OS, since system-owned applications are immune.

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.