Posted on 04-10-2012 08:26 PM
Kaspersky didn't lock or compile the AppleScript inside their removal app, so the script source is readable:
http://support.kaspersky.com/downloads/utils/flashfake_removal_tool.zip
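-- Flashback/Flashfake removal. The infection gets its library loaded into processes
-- through DYLD_INSERT_LIBRARIES, so the first step is to capture that value from
-- launchd's environment (the path is needed later to delete the library) and then
-- clear the variable for both the user's launchd and, with elevation, the root one.
set infectionFound to false
-- "launchctl export" prints lines of the form NAME="value"; export NAME; — sed keeps
-- only the quoted value of DYLD_INSERT_LIBRARIES (empty text when it is not set).
-- Embedded quotes are \" and sed's \( \) \1 need a doubled backslash in AppleScript text.
set trojan to do shell script "/bin/launchctl export | /usr/bin/sed -n 's/DYLD_INSERT_LIBRARIES=\"\\(.*\\)\";.*/\\1/p'"
-- Current user's launchd, then the system launchd (prompts for an admin password).
do shell script "/bin/launchctl unsetenv DYLD_INSERT_LIBRARIES"
do shell script "/bin/launchctl unsetenv DYLD_INSERT_LIBRARIES" with administrator privileges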
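-- Scan one launchd job folder for jobs whose program name starts with "." (the
-- hidden-file naming this infection uses), then unload each such job and delete
-- both its plist and its program.
--   libPath   : HFS-style library folder path ending in ":" (what
--               "path to library folder ... as string" returns)
--   subfolder : folder name under libPath, e.g. "LaunchAgents" or "LaunchDaemons"
--   returns   : true when at least one matching job was found; removal itself is
--               best-effort (every shell step is wrapped in try)
-- Every value read from a plist (Program, ProgramArguments) and every file name in
-- the folder is under the control of whoever wrote the plist, so each one is
-- passed to the shell only via "quoted form of". Interpolating them unquoted into a
-- command run "with administrator privileges" would let a crafted plist run
-- arbitrary commands as root instead of being removed.
on CleanPlists(libPath, subfolder)
	set ifnd to false
	set launchagents to libPath & subfolder
	tell application "System Events"
		try
			set plists to name of every disk item of alias launchagents
			repeat with launchagent in plists
				try
					set plist to POSIX path of file launchagent of alias launchagents
					-- The job's executable is the Program key, or failing that the first
					-- ProgramArguments entry; an unreadable key counts as empty.
					tell property list file plist
						tell contents
							try
								set programArguments to value of property list item "ProgramArguments"
							on error
								set programArguments to ""
							end try
							try
								set program to value of property list item "Program"
							on error
								set program to ""
							end try
						end tell
					end tell
					if program is equal to "" and programArguments is not equal to "" then
						set program to item 1 of programArguments
					end if
					if program is not equal to "" then
						tell me
							-- Only the last path component matters for the "." test.
							try
								set programName to do shell script "/usr/bin/basename " & quoted form of program
							on error
								set programName to program
							end try
						end tell
						if programName starts with "." then
							set ifnd to true
							tell me
								-- Unload as the current user and as root: one of the two is expected to fail.
								try
									do shell script "/bin/launchctl unload " & quoted form of plist
								end try
								try
									do shell script "/bin/launchctl unload " & quoted form of plist with administrator privileges
								end try
								try
									do shell script "/bin/rm -f " & quoted form of plist with administrator privileges
								end try
								try
									do shell script "/bin/rm -f " & quoted form of program with administrator privileges
								end try
							end tell
						end if
					end if
				end try
			end repeat
		end try
	end tell
	return ifnd
end CleanPlists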
-- Sweep the per-user and local-domain launchd folders; every folder is scanned
-- even once an infection has already been found.
set userLibrary to (path to library folder from user domain) as string
set localLibrary to (path to library folder from local domain) as string
if CleanPlists(userLibrary, "LaunchAgents") then set infectionFound to true
if CleanPlists(localLibrary, "LaunchDaemons") then set infectionFound to true
if CleanPlists(localLibrary, "LaunchAgents") then set infectionFound to true
-- The system-domain folders are left untouched (these two calls are kept disabled):
-- if CleanPlists((path to library folder from system domain) as string, "LaunchDaemons") then set infectionFound to true
-- if CleanPlists((path to library folder from system domain) as string, "LaunchAgents") then set infectionFound to true
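-- Delete the hidden files (names starting with ".") this infection leaves in
-- Safari's Resources folder, in the user's Application Support (only *.tmp there)
-- and in /Users/Shared. Letting find run rm through -exec, instead of
-- "rm -f $(find ...)", keeps paths containing spaces intact and copes with any
-- number of matches (the original quoted the whole $(...) as one argument, which
-- breaks as soon as two files match); "! -type d" skips hidden directories, which
-- rm -f would refuse anyway.
do shell script "/usr/bin/find /Applications/Safari.app/Contents/Resources -name '.*' ! -type d -exec /bin/rm -f {} +" with administrator privileges
set libraryPath to (path to library folder from user domain) as string
-- POSIX path of a folder ends in "/", so appending the folder name directly is correct.
set libraryPathPath to POSIX path of file libraryPath
do shell script "/usr/bin/find " & quoted form of (libraryPathPath & "Application Support") & " -name '.*.tmp' ! -type d -exec /bin/rm -f {} +" with administrator privileges
do shell script "/usr/bin/find /Users/Shared -name '.*' ! -type d -exec /bin/rm -f {} +" with administrator privileges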
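-- Remove a DYLD_INSERT_LIBRARIES entry from an application bundle's Info.plist
-- (the LSEnvironment dictionary lets a bundle inject a library into itself, which
-- is how the infection reaches the browsers).
--   appPath : POSIX path of the .app bundle
--   returns : true when the entry was present and has been deleted, false when the
--             plist or the entry is missing, or the deletion failed (best-effort,
--             matching the rest of the tool)
-- PlistBuddy reports a missing entry with a "... Does Not Exist" line rather than
-- a failure, so the presence test is "PlistBuddy printed anything else".
on CleanAppPlist(appPath)
	set infoPlist to quoted form of (appPath & "/Contents/Info.plist")
	try
		do shell script "test -f " & infoPlist & " && /usr/libexec/PlistBuddy -c \"Print :LSEnvironment:DYLD_INSERT_LIBRARIES\" " & infoPlist & " 2>&1 | /usr/bin/grep -vq \"Does Not Exist\""
		do shell script "/usr/libexec/PlistBuddy -c \"Delete :LSEnvironment:DYLD_INSERT_LIBRARIES\" " & infoPlist with administrator privileges
		return true
	end try
	return false
end CleanAppPlist
-- The three browsers the original tool checks, in the same order.
if CleanAppPlist("/Applications/Safari.app") then set infectionFound to true
if CleanAppPlist("/Applications/Firefox.app") then set infectionFound to true
if CleanAppPlist("/Applications/Google Chrome.app") then set infectionFound to true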
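-- Per-user launchd environment (~/.MacOSX/environment.plist): drop the
-- DYLD_INSERT_LIBRARIES key and delete the library whose path was captured in
-- "trojan". A missing file, or a PlistBuddy failure because the key is absent,
-- ends the try block without touching anything.
try
	set envPlistPath to do shell script "/usr/bin/find ~/.MacOSX/environment.plist -print 2> /dev/null"
	if envPlistPath is not equal to "" then
		do shell script "/usr/libexec/PlistBuddy -c \"Delete :DYLD_INSERT_LIBRARIES\" " & quoted form of envPlistPath with administrator privileges
		-- Set the flag as soon as the plist has been modified; the original only set it
		-- after the rm below, so a failed rm (e.g. an empty "trojan") left the tool
		-- reporting "no infection" even though it had just changed the plist.
		set infectionFound to true
		-- "trojan" came from launchd's environment and is attacker-controlled: it is
		-- passed to the shell only in quoted form, and only when it is non-empty.
		if trojan is not equal to "" then
			try
				do shell script "/bin/rm " & quoted form of trojan with administrator privileges
			end try
		end if
	end if
end try
-- System-wide launchd.conf: if it mentions DYLD_INSERT_LIBRARIES, the tool removes
-- the whole file (any unrelated lines in it are lost as well — kept as the original
-- behaves). "\\;" is the AppleScript spelling of the "\;" find needs.
try
	set launchdConf to do shell script "/usr/bin/find /etc/launchd.conf -exec /usr/bin/grep -q DYLD_INSERT_LIBRARIES {} \\; -print 2> /dev/null"
	if launchdConf is not equal to "" then
		set infectionFound to true
		do shell script "/bin/rm /etc/launchd.conf" with administrator privileges
		if trojan is not equal to "" then
			try
				do shell script "/bin/rm " & quoted form of trojan with administrator privileges
			end try
		end if
	end if
end try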
-- Final result of the script: one of two fixed status strings.
if infectionFound then return "Infected files have been found and removed. Please reboot this machine."
return "No infection has been detected."
Posted on 04-11-2012 08:06 AM
Apple is working on a tool...hot off the press:
http://support.apple.com/kb/HT5244
Don
Posted on 04-12-2012 01:56 PM
RUN SOFTWARE UPDATE
https://support.apple.com/kb/HT5242