In previous articles, I have detailed the security-related and other files which are updated silently, and explained the XProtect protection system, which checks for known malware when you try to open a file that has been quarantined. This article explores the list of malware which XProtect currently protects you against.
This information is based on the XProtect blacklist dated 8 July 2016. I will update it periodically and change that date when I do. Items are listed in roughly chronological order, with the most recent at the top (just as XProtect does).
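The names above are the "Description" strings of the entries in XProtect's blacklist plist. The following is an added example, not code from the original article or from Apple: it parses a blacklist in the layout I assume XProtect.plist used in 2016 (a top-level array of dicts, each with a Description, an optional LaunchServices dict, and a Matches array whose items carry either an Identity hash or MatchFile attributes), and renders the family and variant ranges the way this article lists them. The entries it parses are constructed samples with placeholder hashes, not copies of real signatures; the key names are my assumption about the format.

```python
"""List the malware families an XProtect-style blacklist names.

Added example, not code from the original article. The plist layout used here
(an array of dicts with a "Description" name plus a "Matches" array carrying
"Identity" hashes or "MatchFile" attributes) is an assumption about the
2016-era XProtect.plist format; the entries below are constructed samples.
"""
import plistlib
import re

# Constructed entries in the assumed XProtect.plist layout (not real signatures).
SAMPLE_ENTRIES = [
    {"Description": "OSX.Eleanor.A",
     "LaunchServices": {"LSItemContentType": "com.apple.application-bundle"},
     "Matches": [{"MatchType": "Match", "Identity": b"\x00" * 20}]},  # placeholder digest
    {"Description": "OSX.Hmining.A.2",
     "Matches": [{"MatchType": "MatchAny",
                  "MatchFile": {"NSURLNameKey": "constructed-installer"}}]},
    {"Description": "OSX.Genieo.E", "Matches": [{"MatchType": "Match", "Identity": b"\x01" * 20}]},
    {"Description": "OSX.Genieo.C", "Matches": [{"MatchType": "Match", "Identity": b"\x02" * 20}]},
    {"Description": "OSX.Genieo.A", "Matches": [{"MatchType": "Match", "Identity": b"\x03" * 20}]},
    {"Description": "OSX.HellRTS", "Matches": []},
    {"Description": "OSX.eicar.com.i",
     "Matches": [{"MatchType": "Match", "MatchFile": {"NSURLTypeIdentifierKey": "public.data"}}]},
]
SAMPLE_XPROTECT_PLIST = plistlib.dumps(SAMPLE_ENTRIES)  # serialised XML plist bytes

# Family name plus an optional variant suffix: a single letter (optionally with a
# numeric sub-variant such as A.2), a lowercase roman numeral, or a bare number.
_NAME_RE = re.compile(
    r"^(?P<family>OSX\.[^.]+(?:\.[^.]+)*?)"
    r"(?:\.(?P<variant>[A-Za-z](?:\.\d+)?|i{1,3}|iv|\d+))?$")


def load_blacklist(data: bytes) -> list:
    """Parse plist bytes into the list of signature dicts (assumed layout)."""
    entries = plistlib.loads(data)
    if not isinstance(entries, list):
        raise ValueError("expected a top-level array of signature entries")
    return entries


def entry_names(entries) -> list:
    """Return each entry's Description in file order (XProtect lists newest first)."""
    return [e["Description"] for e in entries]


def split_name(name: str):
    """Split 'OSX.Genieo.E' into ('OSX.Genieo', 'E'); unsuffixed names give (name, None)."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised signature name: {name!r}")
    return m.group("family"), m.group("variant")


def group_variants(names) -> dict:
    """Map each family to its sorted variant suffixes (empty list if it has none)."""
    groups = {}
    for name in names:
        family, variant = split_name(name)
        variants = groups.setdefault(family, [])
        if variant is not None and variant not in variants:
            variants.append(variant)
    return {fam: sorted(v) for fam, v in groups.items()}


def describe_family(family: str, variants) -> str:
    """Render a family the way the article lists it, e.g. 'OSX.Genieo.A to .E'."""
    if not variants:
        return family
    if len(variants) == 1:
        return f"{family}.{variants[0]}"
    if len(variants) == 2:
        return f"{family}.{variants[0]} and .{variants[1]}"
    return f"{family}.{variants[0]} to .{variants[-1]}"


def match_kinds(entries) -> dict:
    """Map each entry name to how it is matched: by hash identity, file attributes, or none."""
    kinds = {}
    for e in entries:
        found = set()
        for m in e.get("Matches", []):
            if "Identity" in m:
                found.add("identity")
            if "MatchFile" in m:
                found.add("file")
        kinds[e["Description"]] = sorted(found) or ["none"]
    return kinds


if __name__ == "__main__":
    entries = load_blacklist(SAMPLE_XPROTECT_PLIST)
    for family, variants in group_variants(entry_names(entries)).items():
        print(describe_family(family, variants))
```

Run against the real file (its path is not given on this page, so substitute your own), the same functions show which entries are keyed to a hash of the payload and which only to file names or types, which is useful when judging how easily a renamed sample would slip past a signature.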
Recent and current threats
OSX.Eleanor.A – installs backdoors, since March or April 2016, details here, here, and here.
OSX.Hmining.A and .A.2 – adware, recent and current.
OSX.Trovi.A – browser hijacker redirecting to trovi.com, current, removal details here.
OSX.Bundlore.A – bundles genuine apps with adware, since 2014 and current, details here.
OSX.Genieo.A to .E, and OSX.GenieoDropper.A – adware, since 2013 and current, details here.
OSX.InstallCore.A – bundles genuine apps with adware, since 2015 and current, details here.
OSX.InstallImitator.A to .D – adware, current.
OSX.Vindinstaller.A – Trojan, also known as FkCodec-B, active in 2015, details here.
OSX.KeRanger.A – ransomware, February/March 2016 and current, details here.
OSX.CrossRider.A – adware, from April 2015 and current, details here.
OSX.XcodeGhost.A – backdoor distributed through subverted apps from App Store in the summer of 2015, detailed here.
OSX.OpinionSpy and .B – spyware, originally 2010 but reappeared in 2015, details here.
OSX.VSearch.A – adware, from summer 2014 and current, details here.
OSX.Machook.A and .B – Trojan, also known as WireLurker, from November 2014 and current, details here.
OSX.iWorm.A to .C – backdoor, creates botnets, from 2014 and current, details here.
OSX.NetWeird.i and .ii – Trojan, opens backdoor, from early 2013 and current, details here.
Uncommon and historical threats
OSX.GetShell.A – Trojan, from 2012, now rare, details here.
OSX.LaoShu.A – Trojan, from early 2014 and current, details here.
OSX.Abk.A – keylogger, from about 2012.
OSX.CoinThief.A to .C – browser extension backdoor, from 2014, details here.
OSX.RSPlug.A – Trojan form of DNSChanger, old, from 2007, details here.
OSX.Iservice.A and .B – Trojan, from 2009 and probably long since gone, details here.
OSX.DevilRobber.A and .B – installs a backdoor, old (2011), details here.
OSX.HellRTS – Trojan, from 2010, details here.
OSX.MacDefender.A and .B – fake antivirus, from 2011, details here.
OSX.QHost.WB.A – Trojan, fake Flash Player installer from 2011, details here.
OSX.Revir.A, .ii to .iv – Trojan backdoor, from 2011, details here.
OSX.FlashBack.A to .C – Trojan building botnets, from 2011, details here.
OSX.FileSteal.i and .ii – Trojan backdoor, from 2013, details here.
OSX.Mdropper.i – Trojan installer, old.
OSX.FkCodec.i – Trojan spyware, from 2012, details here.
OSX.MaControl.i – Trojan backdoor, from 2012, details here.
OSX.SMSSend.i and .ii – Trojan, from 2013, details here.
OSX.eicar.com.i – not malware at all, but a test detection file from EICAR.
OSX.AdPlugin.i and OSX.AdPlugin2.i – adware known as Yontoo from 2013.
OSX.Leverage.a – Trojan from 2013, details here.
OSX.Prxl.2 – Trojan Icefog, from 2011, details here.