IMPORTANT NOTE: The Leap.A worm has no similarities to, and is not related to, the March 2007 reports of the Oompa Loompa song repeatedly playing on Windows PCs. For details and a fix for the Oompa Loompa song on startup problem, see the "Oompa Loompa Song on Startup" entry. The following description is of the Mac OS X Leap.A worm:
Name:
Leap.A, aka Oompa-Loompa Virus
Also known as:
Oompa-Loompa, OSX/Oomp-A, Leap.A, CME-4, MacOS/Leap, MacOS/Leap!tgz, OSX.Leap.A, OSX/Leap
Type:
iChat worm and Mac OS X 10.4 virus
Affects:
Mac OS X 10.4 (Tiger) running on PowerPC processors
Discovered:
February 14, 2006
Description:
Leap.A (aka Oompa-Loompa) infects applications in Mac OS X 10.4 (Tiger) running on PowerPC processors. Upon infection, it sends itself to the infected user's contacts via iChat.
The sent attachment is named latestpics.tgz. The extracted latestpics.tgz file contains latestpics, which appears to have a .jpg icon. In reality, the icon is being faked by a second, hidden file, named _latestpics.
Impact of Infection:
Leap.A installs itself differently depending on the rights of the logged-in user. If the user is logged in as an administrator, Leap.A installs itself to the /Library/InputManagers/ directory.
If the user is not logged in as an administrator and does not have root permissions, Leap.A installs itself to the ~/Library/InputManagers/ directory.
In either case, the files installed/replaced are:
apphook/Info
apphook/apphook.bundle/Contents/Info.plist
apphook/apphook.bundle/Contents/MacOS/apphook
The Leap.A worm has also been dubbed Oompa-Loompa because it assigns the following extended attribute to application files it infects:
name: oompa
value: loompa
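The artifacts above can be checked for from a terminal. The following script is an added example, not part of the original description: it looks for the three listed files under both InputManagers directories and for the oompa/loompa extended attribute under /Applications. The function names and the script file name are hypothetical, and it assumes the macOS `xattr` command is available.

```shell
#!/bin/sh
# Added example: checks for the Leap.A artifacts listed on this page.
# Relative paths the page says are installed under InputManagers.
LEAP_FILES='apphook/Info
apphook/apphook.bundle/Contents/Info.plist
apphook/apphook.bundle/Contents/MacOS/apphook'

# leap_inputmanager_hits DIR (hypothetical helper name)
# Prints each listed file that exists under DIR; returns 0 on any hit, else 1.
leap_inputmanager_hits() {
    dir=$1
    found=1
    while IFS= read -r rel; do
        if [ -e "$dir/$rel" ]; then
            printf '%s\n' "$dir/$rel"
            found=0
        fi
    done <<EOF
$LEAP_FILES
EOF
    return "$found"
}

# leap_marked_entries DIR (hypothetical helper name)
# Prints entries under DIR whose extended attribute "oompa" has value "loompa".
# The page does not say which file inside an application carries the
# attribute, so every file and directory is checked (assumption).
leap_marked_entries() {
    command -v xattr >/dev/null 2>&1 || { echo "xattr not found" >&2; return 2; }
    find "$1" -exec sh -c '
        for f; do
            if [ "$(xattr -p oompa "$f" 2>/dev/null)" = "loompa" ]; then
                printf "%s\n" "$f"
            fi
        done' sh {} +
}

# Run "sh leap_check.sh --scan" (example file name) on the Mac being examined.
if [ "${1:-}" = "--scan" ]; then
    for d in /Library/InputManagers "$HOME/Library/InputManagers"; do
        leap_inputmanager_hits "$d" || true
    done
    leap_marked_entries /Applications || true
fi
```

Any path printed is a match for an artifact named in this entry; no output means none of them were found in the locations checked.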
