Anti Flashback Trojan
Checks for the Flashback Trojan.   Free
Anti Flashback Trojan is a free application that checks for the Flashback Trojan.

Flashback is a variant of the Tsunami Trojan for Mac OS X, and has so far infected over 600,000 of them. Now you can check whether your Mac is infected with the Flashback-Trojan without resorting to manual removal in Terminal. For more information on what Flashback does, including manual removal instructions, see the F-Secure website.

Incidentally, all my apps are free, so any donation would be very much appreciated.
What's New
Version 2.1.1:
  • Adds a Google Chrome scan (improved virus search)
  • Adds a download link to the Apple Flashback removal tool
  • Some minor changes
Requirements
Intel, OS X 10.5 or later



User Discussion
Schmye-Bubbula commented on 25 Apr 2012
I can't glean from the description or from the publisher's website whether this thing will actually remove the malware, or only check for it.
[Version 2.0.4]

1 Reply

Dalahast replied on 10 Jan 2013
The release notes for the latest update include adding a download link to the removal tool, so presumably it only checks. If you're infected, it'll let you know where to go to remove it.
B. Jefferson Le Blanc commented on 22 Apr 2012
This app is viable if for no other reason than it works on OS X 10.5. Apple has stopped supporting OS versions before Snow Leopard so there's no Java update for Leopard users. They might appreciate a tool that can check their systems for infection. Indeed, so might Tiger users. That said, they would all be well advised in the now riskier climate for Mac security to install an app like ClamXav that still supports older Macs.
[Version 2.0.3]

1 Reply

Cowicide replied on 10 Jan 2013
Beware of relying solely on ClamXav, though. I've tested more than a few trojans with it and it didn't detect them. ClamXav is great, but I never rely on it alone.
Jazzica commented on 22 Apr 2012
I was using Dreamweaver on my Mac about 2 weeks ago. A very suspicious window closely resembling but not exactly like the Flash installer popped up and said I was running an old version of Flash and needed to update it. It directed me to enter my password, not giving me a choice. I refused. I restarted and no more installer.

My Flash version was not only up-to-date. It was an advanced beta version. This has not happened since. I'd steer clear of scripts offering to delete this 'virus' since Mac has put out a very effective Java fix, and since this bug is supposedly very hard to remove. I would NOT click "update" on any Flash installer that appears out of nowhere ordering you to install a version not listed on Adobe's web site. If it's not on Adobe's download page, it's fake.
[Version 2.0.3]


LizBo commented on 16 Apr 2012
I have serious doubts about the credibility of the people claiming this trojan infected 600,000 Mac computers. I think the numbers are an outright lie and exaggerated to scare people into buying AV software. I was not infected, none of my friends or family were infected. And none of the 10,000+ worldwide clients the company I work for had a single reported infection.
[Version 2.0.2]

1 Reply

Acuraice replied on 22 Apr 2012
Why not?? My iMac was found to be infected!! So I am definitely one of the 600,000, probably more!! Not sure how it happened but Apple's Java update said it was infected and removed it. Heard online that a fake Adobe Flash installer was the culprit, though I always get my Flash updates from Adobe's site. My iMac is very secure with VPNs, Espionage, FileVault, SecuritySpy, etc. I secure delete everything, make fresh TM backups faithfully, repair with various tools including DiskWarrior 4.4, Disk Utility, CleanMyMac, MacScan and VirusBarrier. All always come out clean except for this Flashback infection. Could happen to anyone.
Mysticalos commented on 16 Apr 2012
Apple's tool is out now

http://www.macupdate.com/app/mac/42634/flashback-malware-removal-tool
[Version 2.0.2]

1 Reply

RavenNevermore replied on 23 Apr 2012
Note that it's only for Lion users without Java installed.
Beamy commented on 11 Apr 2012
You may also try the Kaspersky Flashfake Trojan removal tool:

Info:
http://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site

Download:
http://support.kaspersky.com/downloads/utils/flashfake_removal_tool.zip

:)
[Version 1.0.2]

1 Reply

Alvarnell replied on 11 Apr 2012
Had two users today get locked out of their account using Kaspersky's script. They were also using the wrong reference. I left them a couple of notes on this.

F-secure also posted their tool moments ago. Looks promising, but time will tell.

Apple promises us something RSN...
Strych9 commented on 11 Apr 2012
Reports need to clean, but F-Secure's defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES reports nothing...
Thanks a lot anyway for your help.
[Version 1.0.2]



Tareed reviewed on 10 Apr 2012
Be cautious of relying on scripts like this one. It is based on instructions for a specific variant from F-Secure, which do not work for all variants. It would be better to rely on some good anti-virus software, like Sophos Anti-Virus for Mac Home Edition or ClamXav, both of which are completely free, with no subscriptions or time limitations. And no, I'm not associated with either product.
[Version 1.0.2]

1 Reply

Donmontalvo replied on 11 Apr 2012
Ya, this is one of the reasons the antivirus/malware companies are behind the curve on this one.

Alvarnell reviewed on 10 Apr 2012
All references to the F-Secure document for cleaning this malware are out-of-date. The correct one for removing the current variant that has supposedly infected over 600,000 Macs is http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml which has been out for over a week now.
[Version 1.0.2]

1 Reply

Moritz Wette (developer) replied on 11 Apr 2012
Fixed and updated in version 2.0! :)

Simbasounds reviewed on 09 Apr 2012
This may not be the most sophisticated software, but the developer has responded quickly and provided it for free (so far there's nothing else on MacUpdate - their review process is somewhat quirky.)

I checked the script and it's not a trojan installer as one user suggested.

See for yourself:

--
-- Anti Flashback-Trojan
--
-- Created by Moritz Wette on 06.04.12.
-- Copyright 2012 Moritz Wette. All rights reserved.
--

-- Each scan handler returns true when `defaults read` finds the key and
-- false when it reports that the key does not exist.

-- Safari: LSEnvironment key in the application's Info.plist
on scan1()
    try
        set command to do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"
        --set output to words of (do shell script command)
        return true
    on error errmsg
        if (errmsg contains "does not exist") then return false
    end try
    -- any other error is also counted as "not found"
    return false
end scan1

-- Per-user environment: DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist
on scan2()
    try
        do shell script "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES "
        return true
    on error errmsg
        if (errmsg contains "does not exist") then return false
    end try
    return false
end scan2

-- Firefox: LSEnvironment key in the application's Info.plist
on scan3()
    try
        do shell script "defaults read /Applications/Firefox.app/Contents/Info LSEnvironment"
        return true
    on error errmsg
        if (errmsg contains "does not exist") then return false
    end try
    return false
end scan3

-- Google Chrome: the path contains a space, so it is quoted for the shell
on scan4()
    try
        do shell script "defaults read '/Applications/Google Chrome.app/Contents/Info' LSEnvironment"
        return true
    on error errmsg
        if (errmsg contains "does not exist") then return false
    end try
    return false
end scan4

(*on remove1()
    try
        do shell script "grep -a -o '__ldpath__[ -~]*' " + scan1_return
    on error errmsg
        display dialog errmsg
    end try
    try
        do shell script "sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment"
    on error errmsg
        display dialog errmsg
    end try
    try
        do shell script "sudo chmod 644 /Applications/Safari.app/Contents/Info.plist"
    on error errmsg
        display dialog errmsg
    end try
end remove1*)
(*on remove2()
    try
        do shell script "grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%"
    on error errmsg
        display dialog errmsg
    end try
    try
        do shell script "defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"
    on error errmsg
        display dialog errmsg
    end try
    try
        do shell script "launchctl unsetenv DYLD_INSERT_LIBRARIES"
    on error errmsg
        display dialog errmsg
    end try
end remove2*)

on run
    -- Count how many of the four checks found a key
    set f to 0
    if (scan1() = true) then set f to f + 1
    if (scan2() = true) then set f to f + 1
    if (scan3() = true) then set f to f + 1
    if (scan4() = true) then set f to f + 1

    if (f > 0) then
        set temp to display dialog "Your computer is infected!" with icon 0 buttons {"Okay"}
        -- The removal branch is disabled: its body is commented out
        if (button returned of result = "Remove The Flashback-Trojan") then
            --if (scan1() = true) then remove1()
            --if (scan2() = true) then remove2()
            --display dialog "Your computer should be clean now!"
            --open location "http://www.moritzwette.com/donate"
        end if
    else
        display dialog "Your computer may be clean!"
        open location "http://www.moritzwette.com/donate"
    end if

end run
[Version 1.0.1]

4 Replies

Moritz Wette (developer) replied on 09 Apr 2012
Yes, the script checks whether you're infected or not. I excluded ((**) and --) all the remove operations because the function is disabled at the moment. I need an infected computer where I can create a useful AppleScript automation based on the steps at http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml!
Simbasounds replied on 09 Apr 2012
Thanks Moritz :) I just posted that there so people could see that your software isn't a Flashback installer. I'm surprised there aren't more developers issuing remove tools for this trojan - it just seems to be you. Well done, and thanks. I'm busy compiling a kit with instructions for checking and then securing non-infected systems. I'll post a link here when it's ready in the next hour hopefully.
WordWeaver replied on 09 Apr 2012
In looking at the actual contents of this script, I think that it is important to point out that this script may only work IF you have your web browser set to its default name. In other words, for example, if you are using Safari, and your web browser's file name is Safari.app -- it doesn't matter if the extension is invisible or not, I believe -- the script will work. However, if you are in the habit of adding version numbers to your apps -- such as Safari 5.1.5.app -- I suspect that the script may throw an error, or simply not work at all. Please note that I have not used this script, being as I already followed the manual route a few days ago, so I am just going by what I see in the script's actual code. Perhaps someone else can verify -- or refute -- what I have stated here.
Moritz Wette (developer) replied on 10 Apr 2012
@WordWeaver Thanks for the information! This might be a good idea. I will check it in the next days and fix it if it's possible.
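The checks made by the script posted above, together with the renamed-bundle case raised in the replies, as an added example (not part of the original thread and not the developer's code): it parses the same plists with Python's plistlib, matches browser bundles by name prefix, and lists a plist it cannot parse separately instead of counting it as clean. The directory tree and the library path in `demo()` are constructed sample data, and the function names are this example's own.

```python
import plistlib
import tempfile
from pathlib import Path

# Bundle names from the posted script; matching by prefix also finds
# renamed copies such as "Safari 5.1.5.app".
BROWSER_PREFIXES = ("Safari", "Firefox", "Google Chrome")

def scan(root, home):
    """Return (findings, unreadable) for the plists the posted script reads."""
    targets = []
    for prefix in BROWSER_PREFIXES:
        for bundle in sorted((Path(root) / "Applications").glob(prefix + "*.app")):
            targets.append((bundle / "Contents" / "Info.plist", "LSEnvironment"))
    # `defaults read ~/.MacOSX/environment` reads ~/.MacOSX/environment.plist
    targets.append((Path(home) / ".MacOSX" / "environment.plist",
                    "DYLD_INSERT_LIBRARIES"))
    findings, unreadable = [], []
    for path, key in targets:
        if not path.is_file():
            continue  # no file, so the key cannot be set there
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)  # accepts XML and binary plists
        except Exception:
            unreadable.append(str(path))  # unknown state, not "clean"
            continue
        if isinstance(data, dict) and key in data:
            findings.append((str(path), key, data[key]))
    return findings, unreadable

def demo():
    """Scan a constructed directory tree (sample data, not a real system)."""
    with tempfile.TemporaryDirectory() as tmp:
        apps = Path(tmp) / "Applications"
        samples = {
            "Safari 5.1.5.app": plistlib.dumps(
                {"LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/constructed/example.dylib"}}),
            "Firefox.app": plistlib.dumps({"CFBundleName": "Firefox"}),
            "Google Chrome.app": b"not a plist",  # simulates a damaged file
        }
        for bundle, payload in samples.items():
            (apps / bundle / "Contents").mkdir(parents=True)
            (apps / bundle / "Contents" / "Info.plist").write_bytes(payload)
        findings, unreadable = scan(tmp, Path(tmp) / "home")
        return ([(Path(p).parts[-3], k) for p, k, _ in findings],
                [Path(p).parts[-3] for p in unreadable])

if __name__ == "__main__":
    print(demo())
```

Each finding carries the key's value, so the library path it references can be reviewed before anything is deleted.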
AsSpants had trouble on 10 Jan 2013
The operation couldn't be completed. (OSStatus error -67049)
[Version 2.1]


Imho had trouble on 10 Jan 2013
Downloaded the new version. Tried to open it, but it gave me twice an error message ...
[Version 2.1]




Voc999 rated on 18 Apr 2012

[Version 2.0.2]




Christa_1980 rated on 17 Apr 2012

[Version 2.0.2]




Jason T. rated on 11 Apr 2012

[Version 2.0]




DirkTheMenace rated on 08 Apr 2012

[Version 1.0.1]




Pacmanen rated on 08 Apr 2012

[Version 1.0]


Downloads: 20,925
Version Downloads: 5,011
Type: Utilities : Virus
License: Free
Date: 10 Jan 2013
Platform: Intel 64 / Intel 32 / OS X
Price: Free