said by sporkme:

I have a neighbor with kids and while it was nice to setup individual accounts for each kid, it really sucked that they all had to be "power users" or whatever XP calls it just so they could run some stupid Lego games. That's just bad design.

said by jdb8167:

It doesn't take very much to educate users not to do things like this on a Mac because typing in a password to install software can be a big warning sign.

No user should be running their day-to-day account on OS X as even an administrator account. There is really no reason to do this unless you are a developer. Nearly every administrator action will pop up a password dialog and the only difference between a non-privileged account and an admin account is you need to type in both the account name and the password. But the difference is security is pretty large because many directories that are unwritable to non-privileged accounts are writable with an administrator account without a password.

When the virus is executed, it does the following:

1. Deletes some UNIX commands and modifies preferences for other additional commands.

2. Launches a keystroke-mapping application (if installed) called Krec, to record the keyboard entry of passwords.

3. Modifies the hostconfig file, allowing Write access to all users and SSH access from the intruder's computer.

4. Gathers hash files (mathematical strings used to represent passwords and other sensitive data) to scan for passwords for every user, compares these hash files to a dictionary file to try to generate the appropriate passwords.

5. Turns on file sharing and remote login, then puts passwords and other sensitive data into an invisible folder named .info on each user's Public folder.

6. When active, the Activity Monitor shows a process called "john" eating almost an entire processor.

7. Requires one or more of the following to install this script and to copy itself to the startup items folder:
* Admin or physical access (boot from a CD or firewire/usb, ignore permissions on the internal drive).
* Write access to either /Library/StartupItems /System/Library/StartupItems.
* Write access to any existing StartupItem (which is replaced with this script).
* Write access to the rc, crontab, or periodic files.

8. Creates the startup item /System/Library/StartupItems named "opener."

9. Runs "john" (we assume as in "the Ripper").

10. Turns on some services and turns off others (including firewall services).

11. Runs as root, as no "sudo" commands are needed.

12. Copies itself to any mounted startup volume, before it kills utmp. When the virus connects, it is invisible to the user.

Note: The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.

13. After disabling the Macintosh OS firewall, it changes the File Server preferences to make sure the Mac File Server does not log any Mac File Sharing.

14. Prevents Software update from auto-updating.

15. Looks for LittleSnitch software (a shareware Firewall program with application control) and tries to terminate the process, when LittleSnitch attempts to perform network access.

16. Searches throughout the computer for the following:
* Serial numbers of installed applications.
* Various preference files of installed applications.
* Various user-specific preferences, including Classic files.

17. Modifies the LimeWire settings, deletes log files, and creates an admin level user named:

"LDAP-daemon"

so the machine can then be accessed in the future by a hacker who knows about this script. This user name will appear in the NetInfo Manager.

18. Installs a daily script to look for more passwords on the system that runs at 3 A.M.

19. Installs and runs two programs named:
* "John the Ripper"
* "dsniff"

which will gather data and attempt to isolate passwords contained within them, as well as any other 10.2 and 10.3 hashes.

20. Gathers data and attempts to isolate passwords contained within them, as well as any other 10.2 and 10.3 hashes.

21. Reviews the logs for any passwords found.

The Trojan horse’s code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X.

Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then iTunes to play the music contained in the file, to make users think that it is really an MP3 file . While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks.

This Trojan horse has the potential to do any of the following:

* Delete all of a user’s personal files
* Send an e-mail message containing a copy of itself to other users
* Infect other MP3, JPEG, GIF or QuickTime files

Due to the use of this technique, users can no longer safely double-click MP3 files in Mac OS X. This same technique could be used with JPEG and GIF files, though no such cases of infected graphic files have yet been seen.