OSX/Imuler [Threat Name] go to Threat

OSX/Imuler.A [Threat Variant Name]

Category trojan
Size 98320 B
Detection created Sep 23, 2011
Detection database version 6489
Aliases Backdoor.OSX.Imuler.a (Kaspersky)
  OSX.Imuler (Symantec)
  Backdoor:OSX/Imuler.A (F-Secure)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.


When executed, the trojan creates the following folder:

  • %home%/Library/LaunchAgents/

The OSX/Imuler.A copies itself there using the following name:

  • checkvir

In order to be executed on every system start, the trojan creates the following file:

  • /users/%home%/library/LaunchAgents/checkvir.plist

The trojan creates the following files:

  • /users/%home%/library/.confback
  • /tmp/launch-0rp.dat
  • /cgi-mac/2wmupload.cgi
  • /tmp/xntaskz.gz
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. The HTTP protocol is used.

It can execute the following operations:

  • capture screenshots
  • send files to a remote computer
  • sending various information about the infected computer
  • download files from a remote computer and/or the Internet
  • run executable files
  • extract ZIP archive

Please enable Javascript to ensure correct displaying of this content and refresh this page.