Xorddos on Mac

Hello

Our Mac server (10.6.8) has been infected by a virus that writes two .bin files to the root and a file named F**k (without the stars!). If you remove the files, they return within 24 hours.

Avast Webshield is reporting that it has blocked a threat

Infection: ELF:Xorddos-E
URL: http://149.xx.xx.xx//6000.bin (x’s change with threat reports)
Process: /usr/bin/curl

Can this virus be removed?

Google only turns up results for Linux, and a search for Xorddos here brings back no results. Thanks in advance for any help.

It is not a virus but a trojan with rootkit technology.

ELF = Executable and Linkable Format

http://bartblaze.blogspot.nl/2015/09/notes-on-linuxxorddos.html

Thanks Eddy

I saw that page and to be honest it’s a bit beyond my technical expertise, but I will review it. However, you’ve sort of confirmed my fears that there is no automatic virus removal tool that could do the job.

Paul

I’m not a Mac tech.
It could be that there is a tool for it, but I don’t know of one for Mac.

Run all or most of these programs and they may let you track down the file infection. Please come back and tell us if you cleaned it by using these programs. Most of these programs get updated, so you need to check for the latest if you use them later.

https://objective-see.com/products.html


ELF:Xorddos-E [trj] Alias > Linux.Xorddos (symantec)

Info here >> https://www.symantec.com/security_response/writeup.jsp?docid=2015-010823-3741-99&tabid=2

The Trojan may perform the following actions: execute files, download files, remove services, install modules, update itself, launch distributed denial of service (DDoS) attacks.

Some vendors use the name DDoS flood, so that should indicate what it may do.