Mail

PO Box 4206, Ainslie, ACT, 2602

iWorm Malware for Mac

Hey guys,

If you are a Mac user who visits Reddit.com, you may be one of the 17,000+ users infected by “iWorm”.

Entered into the virus database of the Russian research firm Dr. Web as “Mac.BackDoor.iWorm,” the malware is described as a complex multi-purpose backdoor capable of issuing a variety of commands to be carried out by an affected Mac. Among the operations available to the malware are data gathering and limited remote control of the system.

After iWorm installs, it creates an operating file, opens a port to request a list of control servers and connects, awaiting further instructions. Unique to this particular piece of malware is its use of Reddit.com’s search service to retrieve the botnet server list, which was recently disguised in a comment on the post “minecraftserverlists.”

The Reddit thread has been shut down, but the creators of this annoying situation will likely set up another server list through an alternate search service that has yet to be discovered.

Once iWorm connects with a command and control server, the backdoor pulls in instructions via binary data or the Lua programming language. Alternatively, connected servers can send over another bit of malware to further compromise the affected machine.

iWorm itself can gather and send off sensitive user information, set parameters in configuration files, put a Mac to sleep, ban nodes and run nested Lua scripts, among other backdoor operations.

iWorm extracts into a folder on OS X, so users can check if their Mac is infected by navigating to “Go > Go to Folder” from the OS X Finder menu and typing in /Library/Application Support/JavaW. If OS X cannot find the folder, the computer is clear. If the folder is found, however, users are urged to employ an anti-virus program to wipe iWorm from their hard drive. If you are unsure, please get a technician to look at it.
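The same folder check, written as a small shell script so a technician can run it from Terminal or against a mounted disk. This is an added example, not part of the original post or of Dr. Web’s tooling; the only indicator it uses is the /Library/Application Support/JavaW path named above, and the optional root-directory parameter is an assumption of this script so it can be pointed at an external volume or a test directory.

```shell
# Added example: check a volume for the iWorm indicator folder named in the post.
# Usage: check_iworm_indicator            (checks the running Mac, root "/")
#        check_iworm_indicator /Volumes/X (checks a mounted external disk)

IWORM_DIR="Library/Application Support/JavaW"

# Returns 0 when the indicator folder is absent (clean), 1 when it is present.
check_iworm_indicator() {
  root="${1:-/}"
  target="${root%/}/$IWORM_DIR"
  if [ -d "$target" ]; then
    echo "WARNING: found $target"
    # List what was dropped so it can be recorded before an anti-virus clean-up.
    ls -la "$target"
    return 1
  fi
  echo "OK: $target not present"
  return 0
}
```

A non-zero exit status means the folder exists and the machine should be handed to an anti-virus product or a technician, as the post advises; it does not attempt any removal itself.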

According to Dr. Web’s statistical analysis of iWorm, the malware had infected some 17,658 Macs worldwide as of Sept. 26, though it is unclear whether any more have been infected since.

Canberra users can call us to get help if you are not comfortable getting rid of it.