First of all, this is not a "virus". It is a trojan, and can only
be installed on your computer by you or someone else
with local/physical/administrative access.
But that is beside the point, because NONE OF YOU HAVE
THIS TROJAN ON YOUR COMPUTER!
This is a FALSE POSITIVE because Symantec's signature for
detecting this tool was too broad! Since the swapfile holds
large amounts of constantly changing data, the overly broad
byte pattern their scanner searches for is apparently
turning up in your swapfile by chance.
REPEAT: YOU DO NOT HAVE THIS TROJAN IF YOU ARE
GETTING A NOTICE IT'S IN YOUR SWAPFILE.
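To see why a too-broad signature produces exactly this kind of hit, here is an added Python example (mine, not anything from the post or from Symantec). It scans a constructed block of pseudo-random bytes, standing in for swap, with a 2-byte and an 8-byte pattern, and computes how many chance matches each length would be expected to produce in a 1 GiB swapfile. Both signatures are made up for the demonstration; the post does not quote the pattern Symantec actually shipped.

```python
import random

BYTE_VALUES = 256


def expected_chance_matches(sig_len: int, file_size: int) -> float:
    """Expected number of positions in a file of `file_size` uniformly random
    bytes at which a fixed `sig_len`-byte pattern appears by pure chance.

    Each of the (file_size - sig_len + 1) alignments matches with
    probability 256**-sig_len, so the expected count is their sum.
    """
    if sig_len <= 0 or file_size < sig_len:
        return 0.0
    positions = file_size - sig_len + 1
    return positions / float(BYTE_VALUES ** sig_len)


def count_matches(data: bytes, signature: bytes) -> int:
    """Count every (possibly overlapping) occurrence of `signature` in `data`,
    the way a naive byte-pattern scanner would."""
    count = 0
    pos = data.find(signature)
    while pos != -1:
        count += 1
        pos = data.find(signature, pos + 1)
    return count


def make_swap_sample(size: int, seed: int) -> bytes:
    """Constructed stand-in for a chunk of swapfile: seeded pseudo-random
    bytes, since real swap is a churn of whatever was paged out."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * size).to_bytes(size, "little")


# Constructed 1 MiB sample and two constructed signatures (assumptions for
# the demo, not the real Symantec pattern).
SWAP_SAMPLE = make_swap_sample(1 << 20, seed=1)
SHORT_SIG = b"\xca\xfe"                          # 2 bytes: far too broad
LONG_SIG = b"\xca\xfe\x00\x01\x02\x03\x04\x05"   # 8 bytes: specific enough


def demo() -> dict:
    """Compare chance hits for the broad vs. the specific signature on the
    sample, and the expected chance hits per 1 GiB of swap."""
    return {
        "short_hits_in_sample": count_matches(SWAP_SAMPLE, SHORT_SIG),
        "long_hits_in_sample": count_matches(SWAP_SAMPLE, LONG_SIG),
        "short_expected_per_gib": expected_chance_matches(len(SHORT_SIG), 1 << 30),
        "long_expected_per_gib": expected_chance_matches(len(LONG_SIG), 1 << 30),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The 2-byte pattern is expected to appear about 16,000 times per gigabyte of random-looking data, so a scanner that flags every hit will "find" it in nearly every swapfile, while the 8-byte pattern is expected to appear by chance far less than once. That gap, not anything on your disk, is what separates a real detection from this one.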
Underhand is a conventional .app application bundle that
hides itself from the Dock and the normal user-space
running process listings. It can physically be searched for,
and its mode of operation is clear: it will be present in
your Login Items and process listings, and runs from the
user home directory's Library/Preferences folder. Yes,
names can be changed, etc., but it is fundamentally a Mac
OS X application bundle that runs interactively (albeit
invisibly) while a user is logged in. A signature, in the
AV-detection sense, or anything else that identifies it as
such a bundle, is not present in swap; it technically cannot
be. Therefore, this is a false positive, and the detection
scheme likely appeared in Symantec's most recent definition
update.
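Since the post says the bundle can physically be searched for in the places it actually lives, here is an added Python check (mine, not the post's and not a Symantec tool) that walks a directory such as the user's Library/Preferences folder for anything shaped like an .app bundle, and lists the current Login Items on a Mac. The osascript query of System Events is an assumption on my part about what is available on Mac OS X; elsewhere it returns an empty list. The sample folder layout the demo builds is constructed for the example.

```python
import os
import platform
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional


def find_app_bundles(root: Path) -> List[Path]:
    """Return every directory under `root` that looks like a Mac OS X .app
    bundle: its name ends in ".app" and it contains a Contents/MacOS dir.
    A bundle on disk is found whether or not it hides from the Dock or ps."""
    found = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in list(dirnames):
            candidate = Path(dirpath) / name
            if name.endswith(".app") and (candidate / "Contents" / "MacOS").is_dir():
                found.append(candidate)
                dirnames.remove(name)  # no need to descend into the bundle itself
    return sorted(found)


def preferences_dir(home: Optional[Path] = None) -> Path:
    """The per-user folder the post names as the place the trojan runs from."""
    return (home or Path.home()) / "Library" / "Preferences"


def login_items() -> List[str]:
    """Names of the current user's Login Items, via System Events.
    Assumption (not from the post): osascript and the System Events
    `login item` class are available, as on Mac OS X; [] elsewhere."""
    if platform.system() != "Darwin" or shutil.which("osascript") is None:
        return []
    script = 'tell application "System Events" to get the name of every login item'
    out = subprocess.run(["osascript", "-e", script], capture_output=True, text=True)
    if out.returncode != 0 or not out.stdout.strip():
        return []
    return [item.strip() for item in out.stdout.strip().split(",")]


def demo_on_constructed_tree() -> List[str]:
    """Build a constructed Preferences folder in a temp dir: one real-looking
    bundle, one plist, and a folder that merely ends in .app. Return the
    names of what the scan flags (only the genuine bundle)."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = preferences_dir(Path(tmp))
        (prefs / "Hidden.app" / "Contents" / "MacOS").mkdir(parents=True)
        (prefs / "NotABundle.app").mkdir(parents=True)
        (prefs / "com.example.Something.plist").write_text("<plist/>\n")
        return [p.name for p in find_app_bundles(prefs)]


if __name__ == "__main__":
    for bundle in find_app_bundles(preferences_dir()):
        print("app bundle under Preferences:", bundle)
    for item in login_items():
        print("login item:", item)
```

On a real machine, run it as the logged-in user; a scanner alert about swap is not evidence, but an unexpected bundle under Library/Preferences or an unfamiliar Login Item would be, and both are visible to a plain directory walk.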
Symantec has CONFIRMED this and has issued new virus
definitions to fix their mistake:
Subject: Re: Hacktool babble
From: Michael Romo <email@example.com>
Date: Wed, 4 May 2005 10:30:09 -0700
We figured out what's happening and are releasing a new
defs file today. I will let you know when it's up!!
Product Manager, Macintosh Symantec Corporation
Interoffice: 6  8347
Also, the recommendation to UNINSTALL your virus
software is very ignorant. It IS possible for malware to
affect the platform, though statistically a lot less likely
than, e.g., Windows. However, if you have NO protection,
you may be caught unprepared when there is a real threat.
REPEAT: No one who has this report about this being in
their swapfile is infected. NO ONE.
Anyone who has any doubts may contact me below.
Apple Distinguished Educator
University of Wisconsin - Madison
Division of Information Technology
Platforms and Operating Systems
1210 W Dayton St Rm B263
Madison, WI 53706-1685