OSX/Ventir [Threat Name]

OSX/Ventir.A [Threat Variant Name]

Category trojan
Size 352160 B
Detection created Sep 16, 2014
Detection database version 10426
Aliases TrojanDropper:MacOS_X/Ventir.A (Microsoft)
  MacOS:Ventir-A (Avast)
  OSX/Agent.T.trojan (AVG)
Short description

OSX/Ventir.A installs a backdoor that can be controlled remotely.

Installation

The trojan creates the following folders:

  • %home%/Library/.local
  • %home%/Library/LaunchAgents
  • /Library/.local
  • /Library/LaunchDaemons

The trojan creates the following files:

  • %malwarefolder%/updated
  • %malwarefolder%/update
  • %malwarefolder%/reweb
  • %malwarefolder%/libweb.db

The %malwarefolder% is one of the following strings:

  • %home%/Library/.local
  • /Library/.local

The trojan executes the following commands:

  • chmod +x %malwarefolder%/updated
  • chmod +x %malwarefolder%/update
  • chmod +x %malwarefolder%/reweb
  • chmod -R 777 %malwarefolder%

In order to be executed on every system start, the trojan creates the following file:

  • %plistfolder%/com.updated.launchagent.plist

The %plistfolder% is one of the following strings:

  • %home%/Library/LaunchAgents
  • /Library/LaunchDaemons

The trojan may create the following files:

  • %malwarefolder%/EventMonitor
  • %malwarefolder%/kext.tar

The trojan may execute the following commands:

  • chmod +x %malwarefolder%/EventMonitor
  • tar -xf %malwarefolder%/kext.tar -C %LocalDir%/
  • /bin/mv -f %malwarefolder%/updated.kext /System/Library/Extensions/updated.kext
  • /bin/chmod -R 755 /System/Library/Extensions/updated.kext
  • /bin/chown -R root:wheel /System/Library/Extensions/updated.kext
  • /sbin/kextload /System/Library/Extensions/updated.kext

The trojan executes the following command:

  • %malwarefolder%/reweb &

The trojan may execute the following commands:

  • %malwarefolder%/updated
  • %malwarefolder%/update
  • %cwd%/EventMonitor &
  • killall -9 reweb
  • killall -9 updated
  • killall -9 update

After the installation is complete, the trojan deletes the original executable file.
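As an added defender's check that is not part of the ESET description, the POSIX shell functions below look for the installation and persistence artifacts listed above: the hidden %malwarefolder% directories and the files dropped into them, the com.updated.launchagent.plist in either %plistfolder%, and the optional updated.kext. The ROOT and HOME prefixes, the `--scan` switch and the output labels are my own conventions so the scan can be pointed at a mounted image or a test tree rather than only the live system.

```shell
#!/bin/sh
# Added defender's check, not code from the ESET page: hunt for the
# OSX/Ventir.A installation and persistence artifacts listed above.
# ROOT and HOME are hypothetical prefixes so the scan can be run against a
# mounted image or a test tree instead of the live system ("/" and $HOME).

# ventir_scan ROOT HOME
# Prints one line per artifact found; returns 0 if anything was found,
# 1 if the tree looks clean.
ventir_scan() {
    root="${1:-/}"
    home="${2:-$HOME}"
    root="${root%/}"   # "/" becomes "", so "$root/Library" reads "/Library"
    home="${home%/}"
    status=1

    # %malwarefolder% candidates: %home%/Library/.local and /Library/.local
    for dir in "$home/Library/.local" "$root/Library/.local"; do
        if [ -d "$dir" ]; then
            echo "HIDDEN_DIR $dir"
            status=0
            # the installer runs "chmod -R 777 %malwarefolder%"
            if [ -n "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
                echo "WORLD_WRITABLE $dir"
            fi
        fi
        # files the trojan creates or may create in %malwarefolder%
        for f in updated update reweb libweb.db EventMonitor kext.tar; do
            if [ -e "$dir/$f" ]; then
                echo "ARTIFACT $dir/$f"
                status=0
            fi
        done
    done

    # %plistfolder%/com.updated.launchagent.plist gives the trojan its
    # LaunchAgent (per-user) or LaunchDaemon (system-wide) persistence
    for pl in "$home/Library/LaunchAgents/com.updated.launchagent.plist" \
              "$root/Library/LaunchDaemons/com.updated.launchagent.plist"; do
        if [ -e "$pl" ]; then
            echo "PERSISTENCE $pl"
            status=0
        fi
    done

    # optional kernel extension unpacked from kext.tar and loaded with kextload
    kext="$root/System/Library/Extensions/updated.kext"
    if [ -e "$kext" ]; then
        echo "KEXT $kext"
        status=0
    fi

    return "$status"
}

# ventir_procs: live-system only. Lists running processes whose command line
# points under a /Library/.local/ folder (reweb, updated, update and
# EventMonitor are all started from there). Prints nothing when clean.
ventir_procs() {
    ps -axo pid=,command= 2>/dev/null | grep -F '/Library/.local/'
}

# Run only when invoked explicitly, e.g. "sh ventir_scan.sh --scan / $HOME";
# sourcing the file just defines the functions.
if [ "${1:-}" = "--scan" ]; then
    ventir_scan "${2:-/}" "${3:-$HOME}"
    ventir_procs
fi
```

The filesystem scan is deliberately offline-safe so it can be run over a forensic image; only `ventir_procs` touches the running system. Treat a hit on `updated` or `update` alone with care, since those names are generic, but the combination of the hidden `.local` folder, the launch agent plist and the `chmod -R 777` mode is specific to this installer.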

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) IP addresses. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself
  • shut down/restart the computer
  • upload files to a remote computer
  • execute shell commands
  • log keystrokes
  • send gathered information
