
Leap.A aka Oompa-Loompa virus


IMPORTANT NOTE: The Leap.A worm has no similarities to, and is not related to, the March 2007 reports of the Oompa Loompa song repeatedly playing on Windows PCs. For details and a fix for the Oompa Loompa song on startup problem, see the "Oompa Loompa Song on Startup" entry. The following description is of the Mac OS X Leap.A worm:

Name:

Leap.A, aka Oompa-Loompa Virus

Also known as:

Oompa-Loompa, OSX/Oomp-A, Leap.A, CME-4, MacOS/Leap, MacOS/Leap!tgz, OSX.Leap.A, OSX/Leap

Type:

iChat worm and Mac OS X 10.4 virus

Affects:

Mac OS X 10.4 (Tiger) running on PowerPC processors

Discovered:

February 14, 2006

Description:

The Leap.A (aka Oompa-Loompa) worm infects applications in Mac OS X 10.4 (Tiger) running on PowerPC processors. Upon infection, Leap.A sends itself to the infected user's contacts via iChat.
The sent attachment is named latestpics.tgz. The extracted latestpics.tgz file contains latestpics, which appears to have a .jpg icon. In reality, the icon is being faked by a second, hidden file, named _latestpics.

Impact of Infection:

Leap.A installs itself differently depending on the rights of the logged-in user. If the user is logged in as an administrator, Leap.A installs itself to the /Library/InputManagers/ directory.

If the user is not logged in as admin and does not have root permissions, the Leap.A virus will install to the ~/Library/InputManagers/ directory.

In either case, the files installed/replaced are:

apphook/Info
apphook/apphook.bundle/Contents/Info.plist
apphook/apphook.bundle/Contents/MacOS/apphook

The Leap.A worm has also been dubbed Oompa-Loompa because it assigns the following extended attribute to application files it infects:

name: oompa
value: loompa
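
A check for the indicators listed above, as an added example that is not part of the original article: it looks for the three apphook files in both InputManagers locations and tests files for the oompa=loompa extended attribute. The function names and the root/home parameters are assumptions, made so the check can be pointed at a mounted disk image or a test tree; the attribute test relies on the macOS `xattr` command.

```shell
#!/bin/sh
# Added example (not from the original article): look for Leap.A indicators.

# leap_installed_files ROOT HOME_DIR
# Checks ROOT/Library/InputManagers and HOME_DIR/Library/InputManagers for
# the three files the article lists. Prints each one found and returns 0 if
# any is present, 1 if none is.
leap_installed_files() {
    root=$1
    home=$2
    status=1
    for base in "$root/Library/InputManagers" "$home/Library/InputManagers"; do
        for rel in \
            apphook/Info \
            apphook/apphook.bundle/Contents/Info.plist \
            apphook/apphook.bundle/Contents/MacOS/apphook
        do
            if [ -e "$base/$rel" ]; then
                printf '%s\n' "$base/$rel"
                status=0
            fi
        done
    done
    return "$status"
}

# leap_marked FILE
# Returns 0 if FILE carries the extended attribute oompa=loompa, 1 if it
# does not, and 2 if the xattr command is not available on this system.
leap_marked() {
    command -v xattr >/dev/null 2>&1 || return 2
    [ "$(xattr -p oompa "$1" 2>/dev/null)" = "loompa" ]
}

# leap_marked_files DIR
# Prints every regular file under DIR that carries the marker attribute.
leap_marked_files() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if leap_marked "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage on the machine being checked:
#   leap_installed_files "" "$HOME"
#   leap_marked_files /Applications
```

An `apphook` entry in either InputManagers directory, or any file listed by `leap_marked_files`, matches the description above.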


©2014 About.com. All rights reserved.