Fifteen years ago, many Mac users had a free virus program called Disinfectant installed in their System Folders. It was one of the first programs I downloaded over a dial-up modem, back in November 1992. Disinfectant was developed by a Northwestern University professor. These days, "free anti-virus software" sends a very different message. "Free" is a word that cyber criminals widely use to lure naive Internet users, right? If you are a Windows user, would you like to try executing a file titled AntiMalwareGuard_Free.exe that is distributed at http://antimalwareguard.com? (See Screenshot 01.) The website says the file is free. (See Screenshot 02.) Even the file name implies it's free. And if I scan this file with Sophos Anti-Virus... ahh, the file contains malicious code, a Trojan Horse derivative. (See Screenshot 03.) Not surprisingly, you get something undesirable in the name of getting freeware or saving money.
Screenshot 01
Screenshot 02
Screenshot 03
How about ClamXav? According to its website (http://www.clamxav.com),
ClamXav is a free virus checker for Mac OS X. It uses the tried, tested and very popular ClamAV open source antivirus engine as a back end.
We don't believe this freeware title contains malicious code the way AntiMalwareGuard does. In fact, we just want to find out how good ClamXav is. So let's see what ClamAV does for Mac users.
Screenshot 04
Screenshot 05
Screenshot 06
First, let me install ClamXav on my iMac. I'm going to drag and drop the application file found inside the downloaded disk image into the Applications folder, ironically just below the folder containing Norton AntiVirus. (See Screenshot 04.) When I launch ClamXav for the first time, a window pops up. It says that the Clam Anti-virus engine has to be installed. (See Screenshot 05.) Then I'm prompted to enter the system administrator's password. (See Screenshot 06.) Okay, that's no problem. But wait a second. How do I remove it if I decide that I no longer need ClamXav? According to the software developer's FAQ page, I need to download Engine Remover. (See Screenshot 07.) Furthermore, if I double-click on the file titled clamavEngineREMOVER.command, the Terminal launches itself, and it looks like removal will be performed after I enter the system administrator's password. (See Screenshot 08.)
Screenshot 07 (source: clamxav.com)
Screenshot 08
Screenshot 09
All right. What I want to do next is to scan a file containing malicious code with ClamXav. Hmm... Where can I possibly get one? Ahh... How about AntiMalwareGuard_Free.exe? Hold on. Let me click on Update virus definitions to bring ClamXav up to date. (See Screenshot 09.) Then I'm going to click on Choose what to scan... to designate the virus-containing file. (See Screenshot 10.) And if I click on Open... ClamXav says no infected files were found. (See Screenshot 11.) Ohh... Scanning a Windows file with Mac anti-virus software is not a good idea, is it? Silly me.
Screenshot 10
Screenshot 11
Screenshot 12
So I should scan a Mac file with ClamXav. I'm going to stop playing dumb. We know a ton of websites distributing files that contain Mac-targeting computer viruses. About seven weeks ago, we wrote about several websites with Chinese top-level domains at our SEO/Internet security website. One of the domains mentioned in our report of July 10 is mnhor8.cn. If I access this domain, I am forced to download a file titled wotcodec.v.4.221.dmg whether I want it or not. (See Screenshot 12.) This file is hosted by a notorious California-based company called Cernel, Inc. Anyway, if I open the disk image, I find a file titled install.pkg. (See Screenshot 13.)
Screenshot 13
Screenshot 14
Screenshot 15
Let me quickly scan install.pkg with the Mac version of Norton AntiVirus. After launching the anti-virus program, I click on Choose Files and choose install.pkg. (See Screenshot 14.) And Norton AntiVirus says the file contains OSX.RSPlug.A. (See Screenshot 15.)
Okay. Let's see what ClamXav has to say about this virus-containing file. Once again, I select install.pkg inside the disk image and then press Open. (See Screenshot 16.) Ohh... ClamXav says no infected files were found. (See Screenshot 17.)
Screenshot 16
Screenshot 17
Screenshot 18
Let's give ClamXav another try. Two months ago, we reported at our SEO/Internet security website that a spam message targeting Colonial Bank customers was going around. Clicking on the URL in the message took one to a website distributing a file that contained a collection of Trojan Horse derivatives for Windows. (Symantec calls this collection Backdoor.Trojan.) The file was titled ColonialBankECERTv04510.exe. We kept a copy. So let's scan it with ClamXav. (See Screenshot 18.) It's a Windows file, so we can't expect ClamXav to find anything suspicious. Actually, it says it has found Trojan.Dropper-10268. (See Screenshot 19.) Whoa... Good job!
Screenshot 19
Screenshot 20
Screenshot 21
Okay. One more, one more file! Celebrity Spammers have been circulating a number of spam messages implicating Paris Hilton for the past 10 days or so. They want Internet users to download files titled video_1.exe, video_2.exe, video_3.exe and others. Let's scan video_1.exe with ClamXav. We know that this file contains malware driven by a Trojan Horse derivative. Anyway, if I scan it... ClamXav says no infected files were found. (See Screenshots 20 and 21.)
We used ClamXav to scan four files that all contain malicious code. ClamXav found nothing in the Mac disk image that contains a computer virus. The other three files we scanned are intended for Windows users. ClamXav found Trojan.Dropper-10268 in one of them, and in the end that is the only file in which ClamXav found malicious code. Since the ClamAV engine is signature-based, a "no infected files were found" result means only that none of the signatures in the definitions loaded that day matched the sample; it is not evidence that the file is clean.
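For readers who would rather repeat the update-then-scan procedure from the Terminal, here is an added example (not code from ClamXav, ClamAV or this post) that drives the ClamAV command-line tools ClamXav installs, freshclam and clamscan. It assumes both binaries are on PATH. The report lines used for the summary functions are constructed to look like clamscan's per-file output; they are not captured from the scans above. The point it adds to the write-up is that clamscan's exit status separates "nothing matched" from "could not scan", and that recursing into a mounted disk image or a bundle-style .pkg needs -r.

```shell
#!/bin/sh
# Added example, not part of the original post or of the ClamXav project.
# Assumption: freshclam and clamscan (installed by ClamXav's engine installer)
# are on PATH.

# clamscan's documented exit status:
#   0 = no signature matched, 1 = at least one file matched, 2 = an error
#   occurred (unreadable file, missing database, ...). Only 0 with no error
#   deserves to be read as "no infected files were found".
classify_clamscan_status() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    2) echo error ;;
    *) echo unknown ;;
  esac
}

# clamscan prints one line per scanned file, for example:
#   /Volumes/wotcodec/install.pkg: OK
#   /tmp/ColonialBankECERTv04510.exe: Trojan.Dropper-10268 FOUND
# Read such a report on stdin and print "<matched> <ok>" so a caller can
# tell "nothing matched" from "nothing was actually scanned".
summarize_clamscan_report() {
  awk '/ FOUND$/ { found++ } /: OK$/ { ok++ }
       END { printf "%d %d\n", found + 0, ok + 0 }'
}

# Print just the signature names that matched, one per line.
matched_signatures() {
  sed -n 's/^.*: \(.*\) FOUND$/\1/p'
}

# Equivalent of ClamXav's "Update virus definitions" followed by
# "Choose what to scan...": refresh signatures, then scan every argument.
# -r descends into directories (a mounted .dmg, a bundle-style .pkg).
scan_paths() {
  freshclam >/dev/null 2>&1 ||
    echo "warning: freshclam failed; scanning with existing definitions" >&2
  report=$(clamscan -r "$@" 2>&1)
  status=$?
  verdict=$(classify_clamscan_status "$status")
  counts=$(printf '%s\n' "$report" | summarize_clamscan_report)
  echo "verdict: $verdict (matched/ok file counts: $counts)"
  if [ "$verdict" = infected ]; then
    printf '%s\n' "$report" | matched_signatures
  fi
  return "$status"
}

# Usage: sh clamscan_check.sh /Volumes/wotcodec/install.pkg ~/video_1.exe
if [ "$#" -gt 0 ]; then
  scan_paths "$@"
fi
```

The script deliberately returns clamscan's own exit status, so a verdict of "error" (status 2) is not silently folded into "clean"; that is the distinction a GUI banner such as "no infected files were found" hides.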
ClamXav is a product of an unknown organization.
References:
Celebrity Spammers Circulate More Spam Messages With Paris Hilton to Distribute Malware
Sick of Paris Hilton Spam Messages?
Beware of ENDCODEC.NET with Disk Image Containing Mac-Targeting Computer Virus
Active Scam Website Found Targeting Colonial Bank Customers with Backdoor.Trojan (2)