Threat behavior
MacOS/Leap.A is an iChat worm that impacts Mac OS X v10.4 (Tiger) running on PowerPC processors. The Leap.A worm intercepts processes as they load. When the iChat process is loaded, MacOS/Leap.A sends an attachment named latestpics.tgz to contacts listed in the iChat client. Latestpics.tgz contains two files: latestpics, which appears to have a .jpg icon, and a second, hidden file named _latestpics, which is responsible for rendering the false .jpg icon. In order to become infected, the recipient must first extract the contents of the latestpics.tgz file and then run the extracted latestpics file.
Leap.A installs itself differently depending on the rights of the logged-in user. If the user is logged in as an administrator, Leap.A installs itself to the /Library/InputManagers/ directory.
If the user is not logged in as admin and does not have root permissions, the Leap.A virus will install to the ~/Library/InputManagers/ directory.
In either case, the following folders are replaced and populated with these files:
apphook/Info
apphook/apphook.bundle/Contents/Info.plist
apphook/apphook.bundle/Contents/MacOS/apphook
MacOS/Leap.A infects recently used applications that do not require root permissions, assigning the following extended attribute to application files it infects:
name: oompa
value: loompa
This attribute has resulted in the worm being nicknamed "Oompa Loompa". The affected files are corrupted as a result of the infection.
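A triage check built from the indicators above, as an added example that is not part of the original write-up: it looks for the apphook files in both InputManagers locations and for files carrying the oompa/loompa extended attribute. It assumes a host with the macOS xattr command-line tool; the function names and the /Applications scan root are illustrative choices.

```python
import os
import subprocess

# Paths and attribute name/value are the ones listed in this write-up.
INPUT_MANAGER_DIRS = ["/Library/InputManagers", "~/Library/InputManagers"]
APPHOOK_FILES = [
    "apphook/Info",
    "apphook/apphook.bundle/Contents/Info.plist",
    "apphook/apphook.bundle/Contents/MacOS/apphook",
]
XATTR_NAME, XATTR_VALUE = "oompa", "loompa"


def read_xattr(path, name):
    """Return the attribute value via the macOS `xattr` tool, or None if unset."""
    try:
        out = subprocess.run(["xattr", "-p", name, path],
                             capture_output=True, text=True, check=False)
    except OSError:  # xattr tool not available on this host
        return None
    return out.stdout.strip() if out.returncode == 0 else None


def find_apphook(dirs=None):
    """List apphook files present under the given InputManagers directories."""
    dirs = dirs or [os.path.expanduser(d) for d in INPUT_MANAGER_DIRS]
    return [os.path.join(d, rel) for d in dirs for rel in APPHOOK_FILES
            if os.path.lexists(os.path.join(d, rel))]


def find_marked_files(app_root, reader=read_xattr):
    """Walk app_root and return files whose oompa attribute equals loompa."""
    marked = []
    for base, _dirs, files in os.walk(app_root):
        for name in files:
            path = os.path.join(base, name)
            if reader(path, XATTR_NAME) == XATTR_VALUE:
                marked.append(path)
    return marked


if __name__ == "__main__":
    for p in find_apphook():
        print("InputManagers artifact:", p)
    # Scan root is an assumption; point it at wherever applications live.
    for p in find_marked_files("/Applications"):
        print("file marked oompa=loompa:", p)
```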
Prevention