Help - I have a Mac Java Worm

signofthetimes · Dec 21, 2014

I upgraded to Yosemite, and suddenly I ran into a ton of problems. The worst problem is that I now have a Java worm. I constantly get a pop-up, even as soon as I start my computer, that says, "To view this web content, you need to install the Java Runtime Environment. Click "More Info..." to visit the website for the Java Runtime Environment." (And then there are two buttons, "More Info..." and "OK," which is always highlighted in black.

I have run Avast twice (it takes about 3-1/2 hours to scan the entire machine). It finds the worm in two places:
/Library/Application Support/JavaW
and
/Library/LaunchDaemons/com.JavaW.plist

The "infection details" are:
MacOS:IWorm-B [Cryp]
and
MacOSIWorm-F [Trj]

respectively.

I've deleted them twice via Avast, but then when I re-run the test, it still finds them, not to mention I'm still getting the pop-ups.

S.B.G · Dec 21, 2014

Have you looked in your Login Items in System Preferences under Users & Groups for anything that shouldn't be there?

McGiord · Dec 21, 2014

Have you installed all the Apple software updates ?

Use activity monitor to see what things are running.

Get the latest Java version from the oracle website.

Ensure that in System Preferences in the security and privacy one you have they right settings to run only things that are from certified developers and also that the firewall is enabled.

chrfr · Dec 21, 2014

McGiord said:
Have you installed all the Apple software updates ?

Use activity monitor to see what things are running.

Get the latest Java version from the oracle website.

No, there is no need to install Java. This is the iWorm malware. OS X has been blocking it for some time now but perhaps there's a new variation.
http://www.intego.com/mac-security-blog/iworm-botnet-uses-reddit-as-command-and-control-center/

----------

signofthetimes said:
I have run Avast twice (it takes about 3-1/2 hours to scan the entire machine). It finds the worm in two places:
/Library/Application Support/JavaW
and
/Library/LaunchDaemons/com.JavaW.plist

Start up in Safe Boot mode by holding down the shift key as the computer restarts. Then, once the computer is running, open those folders and manually delete the files mentioned.
Also, be certain you're running OS X 10.10.1 and have installed any other updates you find.
This malware is typically distributed through pirated software, so if you're using any applications which you got illegally, they will likely reinfect your computer.

signofthetimes · Dec 21, 2014

chrfr said:
No, there is no need to install Java. This is the iWorm malware. OS X has been blocking it for some time now but perhaps there's a new variation.
http://www.intego.com/mac-security-blog/iworm-botnet-uses-reddit-as-command-and-control-center/

Yes, that is exactly the worm I have! Except I don't use reddit.

I do have 10.10.1. I just put Yosemite on my computer 2 days ago so that's the first version I've got. Yes the firewall is on. No, there are no users added to my computer that I can see.

I deleted those files, so I don't see them anymore, but my computer is still infected. I will try the safe-boot thing once Avast is done with its latest round. It's nearly done, and it hasn't found the files I deleted, so that's good. On the other hand my computer is still infected, so that's bad. For example, I can't open Photoshop without getting the pop-up telling me I need to download Java to open it. Lies!

The only pirated software I have that I can think of is Word. I got it from someone a few months ago. I haven't had any problems until I upgraded to Yosemite, though, so I'm not sure that's it. I could delete Word and see if that helps.

chrfr · Dec 21, 2014

signofthetimes said:
For example, I can't open Photoshop without getting the pop-up telling me I need to download Java to open it.

That's not malware; earlier versions of Photoshop insist on installing Java.
http://helpx.adobe.com/x-productkb/global/install-java-jre-mac-os.html
If you removed those files without using safe boot, they may replicate and reinstall themselves. I'm not certain of the mechanism at work there.
iWorm has been around for several months so it could very well be that copy of Word that's your source.
As for Reddit, the malware uses it (or tries to) on its own.

signofthetimes · Dec 21, 2014

chrfr said:
That's not malware; earlier versions of Photoshop insist on installing Java.
http://helpx.adobe.com/x-productkb/global/install-java-jre-mac-os.html
If you removed those files without using safe boot, they may replicate and reinstall themselves. I'm not certain of the mechanism at work there.
iWorm has been around for several months so it could very well be that copy of Word that's your source.
As for Reddit, the malware uses it (or tries to) on its own.

These are definitely not legit pop-ups. I wonder how I find the files, then, if I've already deleted them and don't see them in those folders anymore? I can try opening in Safe Boot later tonight and see if they appear there. What a drag. I have an appt. at the Apple Store for tomorrow night (they were booked solid today) so I'll keep everyone posted.

The Photoshop message looks just like the virus one. It says:
To open "Adobe Photoshop CS5.1" you need to install the legacy Java SE 6 runtime. Click "More Info..." to visit the legacy Java SE 6 download website."

reese2147 · Dec 21, 2014

signofthetimes said:
I upgraded to Yosemite, and suddenly I ran into a ton of problems. The worst problem is that I now have a Java worm. I constantly get a pop-up, even as soon as I start my computer, that says, "To view this web content, you need to install the Java Runtime Environment. Click "More Info..." to visit the website for the Java Runtime Environment." (And then there are two buttons, "More Info..." and "OK," which is always highlighted in black.

I have run Avast twice (it takes about 3-1/2 hours to scan the entire machine). It finds the worm in two places:
/Library/Application Support/JavaW
and
/Library/LaunchDaemons/com.JavaW.plist

The "infection details" are:
MacOS:IWorm-B [Cryp]
and
MacOSIWorm-F [Trj]

respectively.

I've deleted them twice via Avast, but then when I re-run the test, it still finds them, not to mention I'm still getting the pop-ups.

I also get the ""To view this web content, you need to install the Java Runtime Environment. Click "More Info..." message when I startup my iMac, but a virus scan with AVG does not show any threats. Furthermore, I do not have

/Library/Application Support/JavaW
or
/Library/LaunchDaemons/com.JavaW.plist

as an infected location. Any ideas?

Razer(x) · Dec 21, 2014

Just use Clamxav and delete infected files

chrfr · Dec 21, 2014

signofthetimes said:
The Photoshop message looks just like the virus one. It says:
To open "Adobe Photoshop CS5.1" you need to install the legacy Java SE 6 runtime. Click "More Info..." to visit the legacy Java SE 6 download website."

That's the standard OS X notification that you need to install Java. Photoshop CS5.1 will not run unless Java is installed.

simonsi · Dec 21, 2014

signofthetimes said:
These are definitely not legit pop-ups. I wonder how I find the files, then, if I've already deleted them and don't see them in those folders anymore? I can try opening in Safe Boot later tonight and see if they appear there. What a drag. I have an appt. at the Apple Store for tomorrow night (they were booked solid today) so I'll keep everyone posted.

The Photoshop message looks just like the virus one. It says:
To open "Adobe Photoshop CS5.1" you need to install the legacy Java SE 6 runtime. Click "More Info..." to visit the legacy Java SE 6 download website."

Get rid of the bootleg copy of Word and its installer file.

You have two things going on. You have Photoshop correctly asking for JRE, that is normal behaviour for that software.

You have a worm faking the same (but will likely install something else).

Of course the worm pop-ups look like the real thing, most people aren't in a position to have them side-by-side but pretty sensible for the worm to fake a genuine message to add to its credibility.

Artimus12 · Dec 21, 2014

razer(x) said:
just use clamxav and delete infected files

+1

fisherking · Dec 21, 2014

chrfr said:
That's the standard OS X notification that you need to install Java. Photoshop CS5.1 will not run unless Java is installed.

that's how i remember it as well...and dreamweaver in CS6 also requires java.

signofthetimes · Dec 21, 2014

Artimus12 said:
+1

I tried ClamXav but it did not find anything.

----------

simonsi said:
Get rid of the bootleg copy of Word and its installer file.

You have two things going on. You have Photoshop correctly asking for JRE, that is normal behaviour for that software.

You have a worm faking the same (but will likely install something else).

Of course the worm pop-ups look like the real thing, most people aren't in a position to have them side-by-side but pretty sensible for the worm to fake a genuine message to add to its credibility.

I tried to download Java--the real thing--but I can't. It just stalls out.

chrfr · Dec 21, 2014

signofthetimes said:
I tried ClamXav but it did not find anything.

Then you should be fine, and the malware should be gone. iWorm does not prompt to install Java, nor does it depend on Java to run, in spite of the name of the files involved.

signofthetimes said:
I tried to download Java--the real thing--but I can't. It just stalls out.

Is this the one you're trying to download?
http://support.apple.com/kb/DL1572

signofthetimes · Dec 21, 2014

So I went through all these steps to remove my bootleg Microsoft Office copy, since that's the only thing I can think of that might've brought in the virus: http://support.microsoft.com/kb/2398768

I DID find these two suspicious files in the "Receipts" folder:
com..JavaW.bom
and
com..JavaW.plist

I am still getting the pop-up when I start my computer. As soon as I get to my desktop, I get the pop-up telling me I need to download Java to view the web content, yet all I've done is start my computer. I'm not trying to view any web content. It also auto-opens Chrome.

----------

chrfr said:
Is this the one you're trying to download?
http://support.apple.com/kb/DL1572

Yes but I tried getting it from the Java website, not the Apple website. I just tried yours but I get the same problem: it stalls out at 63.7/63.8 MB and cannot progress any further with the download. It just never moves ahead.

chrfr · Dec 21, 2014

signofthetimes said:
I DID find these two suspicious files in the "Receipts" folder:
com..JavaW.bom
and
com..JavaW.plist

Those are just leftovers from the installer. If you sort that folder by date, what other receipts do you see with roughly the same time stamps?

signofthetimes said:
I am still getting the pop-up when I start my computer. As soon as I get to my desktop, I get the pop-up telling me I need to download Java to view the web content, yet all I've done is start my computer. I'm not trying to view any web content. It also auto-opens Chrome.

Java isn't necessarily related to web content. What do you have in your login items?

signofthetimes said:
Yes but I tried getting it from the Java website, not the Apple website. I just tried yours but I get the same problem: it stalls out at 63.7/63.8 MB and cannot progress any further with the download. It just never moves ahead.

Have you tried more than one browser?

signofthetimes · Dec 22, 2014

post apple-store update

So I brought my MacBook Pro to the Apple store tonight. The gentleman at the genius bar spent more than an hour and a half looking at it. He said he doubted it had a virus and said he didn't see any suspicious files. (I had already deleted the ones mentioned in the article.) He couldn't explain why (1) I was constantly getting Java pop-ups and (2) I could not download Java without it stalling.

He ended up downloading an old version of Java onto a thumb drive from another machine and then put that onto my machine. It seems to have solved my problems for now. He did run some sort of diagnostic test, and he said there were some software abnormalities (files out of place), and he suggested I erase my computer and re-install from scratch. I may to that in the near future.

As of now, the only immediate problem I am still having is that I haven't been able to get onto the websites owned by the company I work for since my Yosemite upgrade. I have had zero problems with any other websites...just the ones I NEED to access. I thought maybe after these Apple store fixes, everything would resolve, but it hasn't. I did clear my cache, but to no avail. No one else is having any troubles w/ our websites. The IT folks at my company even sent signals all around the globe--or whatever they do to test to see if their websites are working--and everything is up and running just fine. It's just me who has the problem.

When I have more free time, I am going to back up what I want to keep and wipe clean my computer. I think that may be the solution.

Oh, and on another note, the person who helped me said he's been working there for 3 years and has never seen this problem before (w/ the Java pop-ups), and also he checked the Apple database (whatever they use to look up problems) and said Apple Official has no record of this Java bug.

chrfr · Dec 23, 2014

signofthetimes said:
Oh, and on another note, the person who helped me said he's been working there for 3 years and has never seen this problem before (w/ the Java pop-ups), and also he checked the Apple database (whatever they use to look up problems) and said Apple Official has no record of this Java bug.

I'm not sure what to tell you there. It's not a bug, per se, that Adobe requires Java. I manage a lot of Macs, all with Adobe CS, and the Java prompt was the norm through CS6 if I hadn't already installed Apple's Java.
For your other issues, try making a new user account and then do whatever you need to do with the internet as a test.

signofthetimes · Dec 23, 2014

The person at the Mac store did create a test user account, but it had the same problems. Since he's installed the old Java via the thumb drive, I haven't had the pop-ups anymore. So problem temporarily fixed. It seems suspicious to me that I was getting Java pop-ups and I had those worm-y files that the article mentioned, but I suppose it's possible they weren't related problems.

The Photoshop Java pop-up was just coming up when I tried to open PS(5.1), but the original "you need bla bla bla to view this web content" was popping up as soon as my computer finished starting up. It would auto-launch Chrome, even though Chrome shouldn't auto-launch. After he put the legacy Java onto my Mac, then I wasn't getting the pop-ups anymore, Chrome stopped auto-opening, and I was able to download things like Java (which I could not do before...it would stall out 0.1MB from the finish).

rhett7660 · Dec 23, 2014

java is needed for photoshop...... Here is some info from Adobe: (don't know if you just have PS or the suite..

http://helpx.adobe.com/x-productkb/global/install-java-jre-mac-os.html
http://helpx.adobe.com/dreamweaver/kb/dreamweaver-java-se-6-runtime.html
http://helpx.adobe.com/illustrator/kb/illustrator-crashes-mac-os-108x.html

A forum post about a java issue with yosemite

http://feedback.photoshop.com/photoshop_family/topics/photoshop-cs5-not-working-in-yosemite

A few websites that talk about it:
http://www.pcadvisor.co.uk/how-to/apple/3475218/open-adobe-cs-photoshop-indesign-in-os-x-mavericks/

gsahli · Dec 24, 2014

In case you're still having the problem, look at this:
http://www.macissues.com/2014/10/02/new-iworm-botnet-discovered-affecting-os-x-systems/

Help - I have a Mac Java Worm

macrumors newbie

Moderator

macrumors 601

macrumors G5

macrumors newbie

macrumors G5

macrumors newbie

macrumors regular

macrumors regular

macrumors G5

Contributor

macrumors 6502a

macrumors G4

macrumors newbie

macrumors G5

macrumors newbie

macrumors G5

macrumors newbie

macrumors G5

macrumors newbie

macrumors G5

macrumors 6502a

Our Staff