OSX/HellRTS [Threat Name]
OSX/HellRTS.AA [Threat Variant Name]
Signature database version: 5053 (Apr 23, 2010)
The trojan serves as a backdoor. It can be controlled remotely.
When executed, the trojan copies itself into the %home%/Library/%variable1% folder using the following name:
A string with variable content is used instead of %variable1-2%.
The trojan modifies the following file:
This causes the trojan to be executed on every system start.
The trojan displays the following dialog box:
The goal of the malware is to persuade the user to fill in personal information.
The trojan collects the following information:
- login name
- login password
- data from the clipboard
The trojan attempts to send gathered information to a remote machine.
The HTTP, FTP and SMTP protocols are used.
The trojan acquires data and commands from a remote computer or the Internet.
It can execute the following operations:
- capture screenshots
- send files to a remote computer
- download files from a remote computer and/or the Internet
- various file system operations
- run executable files
- execute shell commands
- shut down/restart the computer
- log off the current user
- send data to the printer
- open a specific URL address
- change the sound volume
- open the CD/DVD drive
- play sound/video
- watch the user's screen content
The trojan opens TCP port 24745.
The trojan can hide its Dock icon.
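
A defensive check for the listening port noted above, as an added example that is not part of the original description: it parses `lsof -nP -iTCP -sTCP:LISTEN` output and reports any process listening on TCP 24745. The sample lsof lines, the process names in them and the function names are constructed for illustration.

```python
import shutil
import subprocess

HELLRTS_PORT = 24745  # TCP port the description says the trojan opens

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from a real host).
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1  root   21u  IPv4 0x0a1b      0t0  TCP *:22 (LISTEN)
cupsd        58  root    6u  IPv6 0x0a2c      0t0  TCP [::1]:631 (LISTEN)
unknownapp  412 alice    9u  IPv4 0x0a3d      0t0  TCP *:24745 (LISTEN)
"""


def find_listeners(lsof_text, port=HELLRTS_PORT):
    """Return the processes in lsof output that listen on the given TCP port."""
    hits = []
    for line in lsof_text.splitlines():
        fields = line.split()
        # A listener row has 9 columns, with NAME split into "<addr>:<port>" and "(LISTEN)".
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        address = fields[-2]
        # rpartition keeps IPv6 addresses such as [::1]:631 intact.
        _, _, port_text = address.rpartition(":")
        if port_text.isdigit() and int(port_text) == port:
            hits.append({"command": fields[0], "pid": int(fields[1]),
                         "user": fields[2], "address": address})
    return hits


def scan_host(port=HELLRTS_PORT):
    """Run lsof on the local machine and return listeners on the port."""
    if shutil.which("lsof") is None:
        raise RuntimeError("lsof not found on this system")
    # lsof exits non-zero when nothing matches, so the return code is not checked.
    result = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                            capture_output=True, text=True)
    return find_listeners(result.stdout, port)


if __name__ == "__main__":
    # A hit is a lead for investigation, not proof: other software may use the port.
    for hit in find_listeners(SAMPLE_LSOF):
        print("listener on %d: %s" % (HELLRTS_PORT, hit))
```

Run as root to see listeners owned by other users; without it, `lsof` lists only the current user's sockets.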