It began on MacRumors, with someone posting a link to a file that supposedly contained pictures of OSX Leopard (a.k.a 10.5). Some excited Apple fanatics eagerly downloaded the file to their computers and promptly went clicking away. “The Sky is falling!”

Well, the linked file was in fact an archive (latestpic.tgz). So, after downloading the file the user had to explicitly choose to expand the archive. Bonk on the head with cluestick #1.

No worries mate, you surely wouldn’t click on any files in the archive that weren’t just an image file, would you? Oh no, you would. Apparently, the “picture” in the archive was, in fact, an executable with a custom icon that mimicked a JPEG icon. It did not, however, have the .JPG extension. Bonk on the head with cluestick #2. In addition, there was a hidden file which the malicious program used as a resource while doing its nastiness.
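
Cluesticks #1 and #2 both come down to the same habit: look at what is actually inside an archive before you expand it and start clicking. The script below is an added example (not code from the original post, and not anything Sophos or Apple ship): it opens a .tgz in memory and, for each entry, compares the claimed type (extension) with the real content (file signature), and flags hidden files, executable bits, and Mach-O executable content. The sample archive it builds is constructed here to mirror the post’s description, with made-up entry names and byte contents; the one thing this check cannot see is a custom Finder icon, which lives in resource metadata rather than in the file bytes.

```python
import io
import stat
import tarfile

# Content signatures: what the first bytes of a real image look like,
# versus the Mach-O magic numbers that start a native OS X executable
# (32/64-bit, both byte orders, and the fat/universal header).
IMAGE_MAGICS = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe")
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png")
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def inspect_archive(data):
    """Return a list of (name, reasons) for every regular file in the .tgz.

    `reasons` is empty for entries that are what they claim to be; anything
    else is a reason not to double-click that entry after expanding.
    """
    report = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            basename = member.name.rsplit("/", 1)[-1]
            head = tar.extractfile(member).read(8)
            is_image = head.startswith(IMAGE_MAGICS)
            has_image_ext = basename.lower().endswith(IMAGE_EXTENSIONS)
            reasons = []
            if basename.startswith("."):
                reasons.append("hidden file")
            if member.mode & EXEC_BITS:
                reasons.append("executable bit set")
            if head.startswith(MACHO_MAGICS):
                reasons.append("Mach-O executable content")
            if has_image_ext and not is_image:
                reasons.append("image extension but non-image content")
            if not has_image_ext and not is_image:
                reasons.append("not an image file")
            report.append((basename, reasons))
    return report


def suspicious_entries(data):
    """Names of entries that earned at least one reason."""
    return [name for name, reasons in inspect_archive(data) if reasons]


def _add_bytes(tar, name, payload, mode=0o644):
    """Add an in-memory payload to the tar with the given mode bits."""
    info = tarfile.TarInfo(name=name)
    info.size = len(payload)
    info.mode = mode
    tar.addfile(info, io.BytesIO(payload))


def build_sample_archive():
    """Constructed stand-in for the lure archive (not the real latestpic.tgz).

    Entry names, modes and contents are made up to mirror the post's
    description: an executable with no .jpg extension, a hidden companion
    file, and one genuine-looking JPEG for contrast.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        # 64-bit little-endian Mach-O magic followed by padding, mode 755
        _add_bytes(tar, "latestpic", b"\xcf\xfa\xed\xfe" + b"\x00" * 28, mode=0o755)
        # hidden companion file, plain data
        _add_bytes(tar, ".latestpic_resource", b"constructed resource blob")
        # JPEG SOI marker followed by padding
        _add_bytes(tar, "real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample_archive()):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{name:24} {verdict:10} {', '.join(reasons)}")
```

Run it against a real download by replacing `build_sample_archive()` with the bytes of the file; the only entry that should come back clean in a genuine “screenshots” archive is one whose extension and signature both say image and whose mode has no execute bits.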

Oops. I ran the %#^&*@ program. Again, not a problem. I mean, you wouldn’t actually be logged in to your computer as an Admin, would you? I mean, if you aren’t logged in to your computer as an Admin you will be prompted to enter your password. Bonk on the head with cluestick #3. JPEGs do not require passwords, but a malicious executable masquerading as one would.

Admin account? Crap, so you are logged in as an admin, and now a terminal window has popped up and the script is running. It infects several apps and then attempts to send itself to other computers over IM/Bonjour. Luckily, at this time, this is all it appears to do. You can easily back up your data (not applications) and restore your system. As more information is revealed about this, cleaning instructions might surface. I would imagine that removing and reinstalling the infected applications will prove rather easy.

What have we learned? Two things:

  1. OSX is not bulletproof. If you hear anyone say so, punch them in the nose.
  2. OSX is still secure. The sky is NOT falling. This is NOT a big deal.

So, how do you prevent this type of thing in the future? Well, here is how I approach it. First of all, tell Finder to “Show All File Extensions.” This can be done in Finder > Preferences > Advanced. This doesn’t solve all masquerading problems, but is just a good idea, in my opinion. Next, do not log into your computer in an Admin account. A standard user account is fine for performing 99.9% of tasks on your computer. If you are currently logged in as an Admin and want to keep your same login, do the following:

  1. Create a new user account and make sure to check the box for “Allow user to administer this computer.”
  2. Next, choose your current account and uncheck the box for “Allow user to administer this computer.”
  3. Finally, log out of your account and re-login.

Now, anytime you need to perform a function that requires admin privileges, you will have to enter the username and password of the account you just created.

For more information:
Alleged screenshots of OS 10.5 Leopard (linked file removed)
Original discussion thread
New Mac OS X virus/trojan alert, developing
Sophos Summary (OSX/Leap-A)


2 Responses to “Chicken Little Says: Oh no3z, mac v1rus!1!!1”

  1. Dave

    You see the one about the osx bluetooth-propagating virus, too?

  2. Colin

    Ya, although yet another proof-of-concept virus for OSX and not something to be terribly worried about. I mean, there was a security fix last June that fixed this. Still, it’s nice for this to be out there so that all the Apple fanboys who don’t know any better will realize that their beloved platform isn’t immune to shite like this.
