I’m attempting to write a simple detector for the Flashback trojan, to give to members in another online forum. I’ve read that an infection would exist if either of the following terminal commands doesn’t report that the domain/default pair doesn’t exist; however, I’d rather not involve the terminal.
I don’t find the directory in the second statement and I’m not sure if it’s even supposed to exist or if I have the path correct. Anyone care to take a glance at this and see if there are glaring errors I haven’t spotted? Thanks.
set checkOne to offset of "LSEnvironment" in (read file ((path to applications folder from system domain as string) & "Safari.app:Contents:Info.plist"))
try
	-- HFS paths use ":" as the separator, so the folder and file are joined with a colon, not "/"
	set checkTwo to offset of "DYLD_INSERT_LIBRARIES" in (read file ((path to home folder as string) & ".MacOSX:environment.plist"))
on error
	-- The file (or the .MacOSX folder) could not be read, so the key is treated as absent
	set checkTwo to 0
end try
if checkOne is 0 and checkTwo is 0 then
	display dialog "No trojan detected."
else
	display dialog "A likelihood of infection is present."
end if
try
	do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"
	-- The read succeeded, so the LSEnvironment key exists
	display dialog "A likelihood of infection is present."
on error the_error
	try
		do shell script "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"
		-- The read succeeded, so the DYLD_INSERT_LIBRARIES key exists
		display dialog "A likelihood of infection is present."
	on error my_result
		if my_result contains "The domain/default pair of" and my_result contains "MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" then
			display dialog "No trojan detected."
		else
			display dialog "A likelihood of infection is present."
		end if
	end try
end try
Thanks, I’m sure that works, but I intend a vanilla AppleScript solution, which means no shell scripting. I really just wanted to see if I’d interpreted the terminal commands properly and/or if anyone spotted an error, specifically in the MacOSX environment bit. I’m not sure if that directory is supposed to exist or not; I suspect that, in later versions of the OS, it might.
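An added example, not part of the original thread: a shell-free check that looks up the two keys as top-level plist keys through System Events' property list suite, which is what `defaults read` tests, instead of searching the raw file text. The handler name plistHasKey and the third dialog message are assumptions made for this example.

```applescript
-- Added example. Returns true if keyName is a top-level key of the plist,
-- false if the key or the file is absent, missing value if the plist is unreadable.
on plistHasKey(posixPath, keyName)
	tell application "System Events"
		-- A missing file (for example no ~/.MacOSX folder) means the key is absent
		if not (exists file posixPath) then return false
		try
			set keyNames to name of every property list item of property list file posixPath
		on error
			-- Malformed or unreadable plist: report it separately rather than as "clean"
			return missing value
		end try
	end tell
	return keyNames contains keyName
end plistHasKey

-- The two locations named in the thread, written as POSIX paths
set safariPlist to "/Applications/Safari.app/Contents/Info.plist"
set envPlist to (POSIX path of (path to home folder)) & ".MacOSX/environment.plist"

set checkOne to plistHasKey(safariPlist, "LSEnvironment")
set checkTwo to plistHasKey(envPlist, "DYLD_INSERT_LIBRARIES")

if checkOne is true or checkTwo is true then
	display dialog "A likelihood of infection is present."
else if checkOne is missing value or checkTwo is missing value then
	display dialog "A plist could not be read; inspect it manually."
else
	display dialog "No trojan detected."
end if
```

Because the lookup goes through a plist parser, it also handles binary-format plists and does not match the key name when it only appears inside some other string value.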