IM-Worm.OSX.Leap, or Leap (also known as Oompa; vendor names include OSX/Leap-A and OSX.Leap.A), is the first worm discovered for Mac OS X, in February 2006. It propagates through iChat, Apple's instant messaging client for Mac OS X. When Leap first appeared there was much debate among Mac users and malware analysts over whether it should be classified as a trojan, a virus or a worm.
Oompa arrives as an iChat file-transfer attachment. Because of a bug in the worm's code, the file size shown in the message may be larger than the file's actual size. When the user clicks "save", the file is stored as latestpics.tgz, a gzipped tar archive. The archive contains two entries, ._latestpics and latestpics. latestpics is the worm executable; ._latestpics is the AppleDouble sidecar that tar on Mac OS X writes to carry a file's resource fork and Finder information, which the tar format cannot store natively. Here the resource fork holds a custom icon. When the user opens the archive, latestpics is extracted with that icon attached, so the executable looks like an image file.
When the user executes this file, it opens a Terminal window and displays a message. If the user is not already running as root, the system may prompt for an administrator password. The worm copies itself to /tmp, recreates its resource fork there, including the custom icon, from a gzipped copy stored inside its own body, and sets the Finder's custom-icon flag on the new copy. It also extracts the Input Manager bundle apphook.bundle from itself into /tmp. It then packs itself into a gzipped tar archive named latestpics.tgz, which it keeps for later propagation, and deletes the uncompressed latestpics.
Oompa then deletes any existing apphook entry in the InputManagers folder and moves apphook.bundle from /tmp into the apphook subfolder of the InputManagers folder (the loadable code sits at apphook/apphook.bundle/Contents/MacOS), so that the bundle is loaded by every Cocoa application as it starts. If the worm is run by an unprivileged user, the bundle is installed under that user's own ~/Library/InputManagers and is only loaded, and so only propagates, when that user launches an application. If it is run as root, the bundle is installed under the system-wide /Library/InputManagers and is loaded whenever any user launches an application.
Once loaded, the worm reads iChat's "Bonjour" (formerly "Rendezvous") buddy list, that is, iChat users discovered on the local network, to choose targets, and sends the saved latestpics.tgz to them over iChat.
Oompa then uses Spotlight (the Mac OS X search facility) to find the four most recently used applications that are not owned by root. For each, it locates the application's main executable and looks for an extended attribute named "oompa"; if that attribute is present with a value greater than 0, the file is treated as already infected and left alone. Otherwise the worm sets the extended attributes "oompa" and "loompa", which serve no purpose other than to mark the file, moves the original executable into the file's resource fork, and replaces the data fork with a copy of itself.
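Two of the artefacts described above live in forks rather than in the data a scanner normally reads: the custom-icon Finder flag carried by the ._latestpics sidecar, and the original program executable that an infected application keeps hidden in its resource fork. The following Python is an added example, not code from the page or from any of the vendor analyses of Leap-A. It parses an AppleDouble (._) file, reads the Finder flags, and reports whether the resource fork begins with a Mach-O or fat-binary magic, which a legitimate resource fork never does. The two sample files are constructed fixtures built by the same script (the entry layout, the kHasCustomIcon flag value 0x0400 and the Mach-O magics are Apple's documented constants; the resource-fork bytes in the samples are made up and are not real worm data).

```python
import struct

# AppleDouble v2 layout (all fields big-endian):
#   magic(4) version(4) filler(16) entry_count(2), then entry_count * [id(4) offset(4) length(4)]
APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_VERSION = 0x00020000
HEADER_LEN = 26
ENTRY_LEN = 12
ENTRY_RESOURCE_FORK = 2
ENTRY_FINDER_INFO = 9
FINDER_FLAG_HAS_CUSTOM_ICON = 0x0400   # kHasCustomIcon bit of FInfo.fdFlags

# Magic numbers that open a Mach-O or universal binary; a resource fork should never start with these.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM (32-bit, the 2006 PowerPC/x86 case)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # FAT_MAGIC / FAT_CIGAM
}


def parse_appledouble(blob):
    """Return {entry_id: bytes} for every entry in an AppleDouble file; raise ValueError on bad input."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for an AppleDouble header")
    magic, version, count = struct.unpack(">II16xH", blob[:HEADER_LEN])
    if magic != APPLEDOUBLE_MAGIC or version != APPLEDOUBLE_VERSION:
        raise ValueError("not an AppleDouble v2 file")
    entries = {}
    for i in range(count):
        start = HEADER_LEN + ENTRY_LEN * i
        if start + ENTRY_LEN > len(blob):
            raise ValueError("truncated entry table")
        eid, off, length = struct.unpack(">III", blob[start:start + ENTRY_LEN])
        if off + length > len(blob):
            raise ValueError("entry %d runs past the end of the file" % eid)
        entries[eid] = blob[off:off + length]
    return entries


def finder_has_custom_icon(finder_info):
    """FInfo is type(4) creator(4) flags(2) ...; the custom-icon bit is what the worm sets on its copy."""
    if len(finder_info) < 10:
        return False
    (flags,) = struct.unpack(">H", finder_info[8:10])
    return bool(flags & FINDER_FLAG_HAS_CUSTOM_ICON)


def fork_hides_macho(resource_fork):
    """True when the resource fork starts like an executable, as for an application Leap has infected."""
    return resource_fork[:4] in MACHO_MAGICS


def assess(blob):
    """Summarise the indicators found in one AppleDouble file."""
    entries = parse_appledouble(blob)
    finfo = entries.get(ENTRY_FINDER_INFO, b"")
    rsrc = entries.get(ENTRY_RESOURCE_FORK, b"")
    return {
        "file_type": finfo[:4].decode("latin-1"),
        "custom_icon": finder_has_custom_icon(finfo),
        "resource_fork_bytes": len(rsrc),
        "macho_in_resource_fork": fork_hides_macho(rsrc),
    }


# --- constructed fixtures (test data, not real Leap-A artefacts) ---------------------------------

def finder_info(file_type, creator, flags):
    """Build a 32-byte Finder Info entry: 16-byte FInfo followed by a zeroed 16-byte FXInfo."""
    return struct.pack(">4s4sH4xH", file_type, creator, flags, 0) + b"\x00" * 16


def build_appledouble(finder_info_bytes, resource_fork):
    """Assemble a minimal AppleDouble file with a Finder Info entry and a resource fork entry."""
    finfo_off = HEADER_LEN + ENTRY_LEN * 2
    rsrc_off = finfo_off + len(finder_info_bytes)
    blob = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION, 2)
    blob += struct.pack(">III", ENTRY_FINDER_INFO, finfo_off, len(finder_info_bytes))
    blob += struct.pack(">III", ENTRY_RESOURCE_FORK, rsrc_off, len(resource_fork))
    return blob + finder_info_bytes + resource_fork


# Suspect: image-looking Finder type with a custom icon, and a fork that opens with a 32-bit Mach-O magic.
FAKE_MACHO = b"\xfe\xed\xfa\xce" + b"\x00" * 28
SUSPECT_SAMPLE = build_appledouble(finder_info(b"JPEG", b"8BIM", FINDER_FLAG_HAS_CUSTOM_ICON), FAKE_MACHO)
# Benign: no custom icon, and a fork that looks like an ordinary resource-fork header (made-up offsets).
PLAIN_RSRC = b"\x00\x00\x01\x00\x00\x00\x01\x20\x00\x00\x00\x20\x00\x00\x00\x1e"
BENIGN_SAMPLE = build_appledouble(finder_info(b"TEXT", b"ttxt", 0), PLAIN_RSRC)

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, assess(blob))
```

On a live HFS+ volume the same checks apply without the sidecar: read a binary's resource fork through the path suffix /..namedfork/rsrc and pass it to fork_hides_macho, and read the 32-byte com.apple.FinderInfo extended attribute into finder_has_custom_icon. An application whose main executable carries a Mach-O in its resource fork, or any executable with an "oompa" extended attribute, matches the infection marking this article describes.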
Trojan, Virus or Worm?
Whether Oompa is really a worm has been controversial. Some regard it as a trojan, because the user must extract and run the file themselves. It is sometimes described as viral, because it appears to overwrite application executables; in fact it moves them into the resource fork and replaces them with a copy of itself. Others consider it a worm regardless of how it is first executed, because once installed it spreads on its own.
Some sources speculate that the creator of the worm intended to give it the ability to spread over email, but never did.