iWork '09 Torrent Carrying OS X Trojan [Updated]

by

A security alert posted this morning by antivirus vendor Intego reveals that the company has discovered a new Trojan horse that is being carried by pirated copies of iWork '09 circulating on a number of torrent sites.

The Trojan, which Intego has classified as a "serious" risk and named OSX.Trojan.iServices.A, allows a malicious user to connect to an infected machine and perform various functions, as well as download additional software to the machine.

This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.

Intego reports that over 20,000 users had downloaded the package as of 6:00 AM Eastern time this morning, and an update to an entry posted on Intego's Mac Security Blog notes that the Trojan now appears to be actively downloading new code to infected machines and using them to carry out denial-of-service attacks on certain websites.

Update: Despite significant publicity surrounding this incident today, the infected iWork package remains active in the torrent community. In light of this continued activity, we have moved this report from Page 2 to our front page and are providing instructions for deactivating and removing the Trojan from infected systems.

1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices

OSX.Trojan.iServices.A appears to be the first significant OS X Trojan to advance beyond the proof-of-concept or pranking stage to engage in truly malicious behavior.

Update 2: MacScan has released a free utility to remove the Trojan from infected systems.

Popular Stories

apple store down feature

Here's Why the Apple Store is Going Down

Thursday November 27, 2025 1:01 pm PST by
Apple's online store is going down for a few hours on a rolling country-by-country basis right now, but do not get your hopes up for new products. Apple takes its online store down for a few hours ahead of Black Friday every year to tease/prepare for its annual gift card offer with the purchase of select products. The store already went down and came back online in Australia and New Zealand, ...
Read Full Article18 comments
iPhone Pocket Short

iPhone Pocket is Now Completely Sold Out Worldwide

Tuesday November 25, 2025 7:16 am PST by
Apple recently teamed up with Japanese fashion brand ISSEY MIYAKE to create the iPhone Pocket, a limited-edition knitted accessory designed to carry an iPhone. However, it is now completely sold out in all countries where it was released. iPhone Pocket became available to order on Apple's online store starting Friday, November 14, in the United States, France, China, Italy, Japan, Singapore, ...
Read Full Article138 comments
New Intel Logo

Apple and Intel Rumored to Partner on Mac Chips Again in a New Way

Friday November 28, 2025 7:33 am PST by
While all Macs are now powered by Apple's custom-designed chips, a new rumor claims that Apple may rekindle its partnership with Intel, albeit in a new and limited way. Apple supply chain analyst Ming-Chi Kuo today said Intel is expected to begin shipping Apple's lowest-end M-series chip as early as mid-2027. Kuo said Apple plans to utilize Intel's 18A process, which is the "earliest...
Read Full Article102 comments
streaming black friday 2025

Best Black Friday Streaming Deals - Save Big on Apple TV, Disney+, Hulu, and More

Thursday November 27, 2025 1:14 pm PST by
We've been focusing on deals on physical products over the past few weeks, but Black Friday is also a great time of year to purchase a streaming membership. Some of the biggest services have great discounts for new and select returning members this week, including Apple TV, Disney+, Hulu, Paramount+, Peacock, and more. Note: MacRumors is an affiliate partner with some of these vendors. When...
Read Full Article22 comments
iphone air camera

iPhone Air Flop Sparks Industry Retreat From Ultra-Thin Phones

Thursday November 27, 2025 3:14 am PST by
Apple's disappointing iPhone Air sales are causing major Chinese mobile vendors to scrap or freeze their own ultra-thin phone projects, according to reports coming out of Asia. Since the ‌iPhone Air‌ launched in September, there have been reports of poor sales and manufacturing cuts, while Apple's supply chain has scaled back shipments and production. Apple supplier Foxconn has...
Read Full Article240 comments
iphone black friday gold

The Best Black Friday iPhone Deals Still Available

Friday November 28, 2025 6:24 am PST by
Cellular carriers have always offered big savings on the newest iPhone models during the holidays, and Black Friday 2025 sales have kicked off at AT&T, Verizon, T-Mobile, and more. Right now we're tracking notable offers on the iPhone 17, iPhone 17 Pro, iPhone 17 Pro Max, and iPhone Air. For even more savings, keep an eye on older models during the holiday shopping season. Note: MacRumors is...
Read Full Article3 comments
Apple Foldable Thumb

Foldable iPhone to Debut These Three Breakthrough Features

Tuesday November 25, 2025 7:09 am PST by
Apple's first foldable iPhone is expected to launch alongside the iPhone 18 Pro models in fall 2026, and it's shaping up to include three standout features that could set it apart from the competition. The book-style foldable will reportedly feature an industry-first 24-megapixel under-display camera built into the inner display, according to a recent JP Morgan equity research report. That...
Read Full Article130 comments

Top Rated Comments

ksgant Avatar
ksgant
220 months ago
As I'm sure others have said, let me echo it here:

A virus exploits the weaknesses of an OS
A trojan exploits the weaknesses of the user of the OS
Score: 1 Votes (Like | Disagree)
megas88 Avatar
megas88
220 months ago
What virus?
I think he meant trojin. It seems easy to detect without a anti virus program. I just came back from tauw with the easy detection. Just follow this to see if ya got it or not. It's the same thing as I think was posted here. But just in case someones panicking here it is again.:

Look for /System/Library/StartupItems/iWorkServices

To remove it.
1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices
Score: 1 Votes (Like | Disagree)
dejo Avatar
dejo
220 months ago
Wasn't going to, but the announcement of a real virus ...
What virus?
Score: 1 Votes (Like | Disagree)
Read All Comments