OSX/Sabpab [Threat Name] go to Threat

OSX/Sabpab.A [Threat Variant Name]

Category trojan
Size 42580 B
Detection created Apr 16, 2012
Detection database version 7059
Aliases Backdoor.OSX.SabPub.a (Kaspersky)
  OSX/FlashFake.g (McAfee)
  OSX.Sabpab (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • /Users/%username%/Library/Preferences/com.apple.PubSabAgent.pfile

In order to be executed on every system start, the trojan creates the following file:

  • /Users/%username%/Library/LaunchAgents/com.apple.PubSabAgent.plist
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains an URL address. The HTTP protocol is used.

It can execute the following operations:

  • send the list of files on specific drive to a remote computer
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • run executable files
  • capture screenshots

Please enable Javascript to ensure correct displaying of this content and refresh this page.