iWork '09 Torrent Carrying OS X Trojan [Updated]

by

A security alert posted this morning by antivirus vendor Intego reveals that the company has discovered a new Trojan horse that is being carried by pirated copies of iWork '09 circulating on a number of torrent sites.

The Trojan, which Intego has classified as a "serious" risk and named OSX.Trojan.iServices.A, allows a malicious user to connect to an infected machine and perform various functions, as well as download additional software to the machine.

This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.

Intego reports that over 20,000 users had downloaded the package as of 6:00 AM Eastern time this morning, and an update to an entry posted on Intego's Mac Security Blog notes that the Trojan now appears to be actively downloading new code to infected machines and using them to carry out denial-of-service attacks on certain websites.

Update: Despite significant publicity surrounding this incident today, the infected iWork package remains active in the torrent community. In light of this continued activity, we have moved this report from Page 2 to our front page and are providing instructions for deactivating and removing the Trojan from infected systems.

1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices

OSX.Trojan.iServices.A appears to be the first significant OS X Trojan to advance beyond the proof-of-concept or pranking stage to engage in truly malicious behavior.

Update 2: MacScan has released a free utility to remove the Trojan from infected systems.

Popular Stories

iphone 17 models

No iPhone 18 Launch This Year, Reports Suggest

Thursday January 1, 2026 8:43 am PST by
Apple is not expected to release a standard iPhone 18 model this year, according to a growing number of reports that suggest the company is planning a significant change to its long-standing annual iPhone launch cycle. Despite the immense success of the iPhone 17 in 2025, the iPhone 18 is not expected to arrive until the spring of 2027, leaving the iPhone 17 in the lineup as the latest...
Read Full Article116 comments
duolingo ad live activity

Duolingo Used iPhone's Dynamic Island to Display Ads, Violating Apple Design Guidelines

Friday January 2, 2026 1:36 pm PST by
Language learning app Duolingo has apparently been using the iPhone's Live Activity feature to display ads on the Lock Screen and the Dynamic Island, which violates Apple's design guidelines. According to multiple reports on Reddit, the Duolingo app has been displaying an ad for a "Super offer," which is Duolingo's paid subscription option. Apple's guidelines for Live Activity state that...
Read Full Article106 comments
Low Cost A18 Pro MacBook Feature Pink

Apple's 2026 Low-Cost A18 Pro MacBook: What We Know So Far

Friday January 2, 2026 4:33 pm PST by
Apple is planning to release a low-cost MacBook in 2026, which will apparently compete with more affordable Chromebooks and Windows PCs. Apple's most affordable Mac right now is the $999 MacBook Air, and the upcoming low-cost MacBook is expected to be cheaper. Here's what we know about the low-cost MacBook so far. Size Rumors suggest the low-cost MacBook will have a display that's around 13 ...
Read Full Article154 comments
govee floor lamp

CES 2026: Govee Announces New Matter-Connected Ceiling and Floor Lights

Sunday January 4, 2026 5:00 am PST by
Govee today introduced three new HomeKit-compatible lighting products, including the Govee Floor Lamp 3, the Govee Ceiling Light Ultra, and the Govee Sky Ceiling Light. The Govee Floor Lamp 3 is the successor to the Floor Lamp 2, and it offers Matter integration with the option to connect to HomeKit. The Floor Lamp 3 offers an upgraded LuminBlend+ lighting system that can reproduce 281...
Read Full Article53 comments
airpods pro 3 glitter

AirPods New Year's Deals Include Up to $99 Off AirPods Max, AirPods Pro 3, and AirPods 4

Sunday January 4, 2026 8:04 am PST by
Now that the calendar has flipped over into January, steep discounts on popular Apple products have become more rare after the holidays. However, if you didn't get a new pair of AirPods recently and are looking for a model on sale, Amazon does have a few solid second-best prices this week. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a...
Read Full Article17 comments
samsung crease less foldable display ces 2026%402x

Foldable iPhone's Crease-Free Display Tech Spotted at CES 2026

Tuesday January 6, 2026 3:04 am PST by
CES 2026 has just provided a first glimpse of the folding display technology that Apple is expected to use in its upcoming foldable iPhone. At the event, Samsung Display briefly showcased its new crease-less foldable OLED panel beside a Galaxy Z Fold 7, and according to SamMobile, which saw the test booth before it was abruptly removed, the new panel "has no crease at all" in comparison. The ...
Read Full Article116 comments
Belkin 25W Battery magnetic

CES 2026: Belkin Announces Magnetic Ring Power Bank, Modular Dock, and More

Sunday January 4, 2026 3:02 pm PST by
Belkin today announced a range of new charging and connectivity accessories at CES 2026, expanding its portfolio of products aimed at Apple device users. UltraCharge Pro Power Bank 10K with Magnetic Ring The lineup includes new Qi2 and Qi2.2 wireless chargers, magnetic power banks, a high-capacity laptop battery, and USB-C productivity accessories, with an emphasis on higher charging...
Read Full Article17 comments
AirPods Pro 3 Year of the Horse Feature

Apple Launches Year of the Horse AirPods Pro 3 for Lunar New Year

Monday January 5, 2026 11:28 am PST by
Apple has designed a limited edition version of the AirPods Pro 3 to celebrate Lunar New Year, and customers in select countries can purchase them starting today. The Year of the Horse Special Edition AirPods Pro 3 feature a unique horse emoji character that's otherwise unavailable. Customers in China, Hong Kong, Taiwan, Malaysia, and Singapore are able to buy the AirPods, and they'll be...
Read Full Article13 comments

Top Rated Comments

ksgant Avatar
ksgant
221 months ago
As I'm sure others have said, let me echo it here:

A virus exploits the weaknesses of an OS
A trojan exploits the weaknesses of the user of the OS
Score: 1 Votes (Like | Disagree)
megas88 Avatar
megas88
221 months ago
What virus?
I think he meant trojin. It seems easy to detect without a anti virus program. I just came back from tauw with the easy detection. Just follow this to see if ya got it or not. It's the same thing as I think was posted here. But just in case someones panicking here it is again.:

Look for /System/Library/StartupItems/iWorkServices

To remove it.
1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices
Score: 1 Votes (Like | Disagree)
dejo Avatar
dejo
221 months ago
Wasn't going to, but the announcement of a real virus ...
What virus?
Score: 1 Votes (Like | Disagree)
Read All Comments