What malware does XProtect protect you against?

In previous articles, I have detailed the security-related and other files which are updated silently, and explained the XProtect protection system, which checks a downloaded file against a blacklist of known malware when you first open it while it still carries its quarantine flag. This article explores the list of malware which XProtect currently protects you against.

This information is based on the XProtect blacklist dated 8 July 2016. I will update it periodically and change that date when I do. Items are listed in roughly chronological order, with the most recent at the top, which is also the order in which XProtect's own list is kept.
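If you want to check the list on your own Mac rather than rely on my copy of it, the blacklist is a plain property list and can be read with standard tools. The script below is an added example of mine, not something from the original article or from Apple: it parses an XProtect.plist, prints the signatures in the order the file keeps them (newest first), summarises whether each entry matches on a whole-file hash (Identity) or a byte sequence (Pattern), and performs a much simplified pattern scan of a blob of bytes. The key names (Description, LaunchServices, Matches, MatchType, MatchFile, Pattern, Identity) are those I have seen in the 2016-era file; the embedded sample plist is constructed for the example, with real signature names but placeholder hashes and patterns, and the alternative file paths for later macOS releases are assumptions which are simply tried in turn.

```python
"""Inspect an XProtect.plist: list its signatures in the order XProtect keeps them
(newest first), summarise how each one matches, and do a simplified pattern scan."""
import plistlib
from pathlib import Path

# Paths where Apple has shipped XProtect.plist. The first is the El Capitan-era
# location this article's list came from; the others are assumed locations on
# later macOS releases and are tried in turn.
XPROTECT_PATHS = [
    "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist",
    "/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist",
    "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist",
]

# Standard EICAR test string; OSX.eicar.com.i in the real list detects this file.
EICAR_TEST_STRING = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_sample() -> bytes:
    """Constructed stand-in for XProtect.plist in the real file's layout (an array of
    dicts with Description, LaunchServices and Matches). Hashes and byte patterns
    are placeholders, not Apple's signature data."""
    entries = [
        {"Description": "OSX.Eleanor.A",
         "LaunchServices": {"LSItemContentType": "com.apple.application-bundle"},
         "Matches": [{"MatchType": "Match",
                      "MatchFile": {"NSURLNameKey": "EasyDoc Converter.app"},
                      "Pattern": b"placeholder-eleanor".hex().upper()}]},
        {"Description": "OSX.KeRanger.A",
         "LaunchServices": {"LSItemContentType": "com.apple.application-bundle"},
         "Matches": [{"MatchType": "Match",
                      "MatchFile": {"NSURLTypeIdentifierKey": "public.unix-executable"},
                      "Identity": b"\x00" * 20}]},  # a SHA-1 digest in the real file
        {"Description": "OSX.Genieo.C",
         "LaunchServices": {"LSItemContentType": "com.apple.installer-package-archive"},
         "Matches": [{"MatchType": "MatchAny",
                      "MatchFile": {"NSURLTypeIdentifierKey": "public.data"},
                      "Pattern": b"placeholder-genieo".hex().upper()}]},
        {"Description": "OSX.eicar.com.i",
         "LaunchServices": {"LSItemContentType": "public.data"},
         "Matches": [{"MatchType": "Match",
                      "MatchFile": {"NSURLTypeIdentifierKey": "public.data"},
                      "Pattern": EICAR_TEST_STRING.encode().hex().upper()}]},
    ]
    return plistlib.dumps(entries)


def family_of(description: str) -> str:
    """'OSX.Genieo.C' -> 'Genieo'; 'OSX.Hmining.A.2' -> 'Hmining'."""
    parts = description.split(".")
    return parts[1] if parts[0] == "OSX" and len(parts) > 1 else description


def parse_xprotect(data: bytes) -> list:
    """One record per signature, preserving file order (newest first in XProtect)."""
    records = []
    for entry in plistlib.loads(data):
        kinds = []
        for match in entry.get("Matches", []):
            if "Identity" in match:
                kinds.append("hash")      # whole-file SHA-1 identity
            elif "Pattern" in match:
                kinds.append("pattern")   # hex-encoded byte sequence
            else:
                kinds.append("other")
        records.append({
            "name": entry["Description"],
            "family": family_of(entry["Description"]),
            "content_type": entry.get("LaunchServices", {}).get("LSItemContentType"),
            "match_kinds": kinds,
        })
    return records


def family_counts(records: list) -> dict:
    """Variants per family, in order of first appearance."""
    counts = {}
    for record in records:
        counts[record["family"]] = counts.get(record["family"], 0) + 1
    return counts


def scan_bytes(data: bytes, plist_bytes: bytes) -> list:
    """Simplified scan: signatures whose Pattern bytes occur anywhere in data.
    Illustration only: real XProtect also applies MatchFile/MatchType constraints
    and hash identities, which this does not attempt to reproduce."""
    hits = []
    for entry in plistlib.loads(plist_bytes):
        for match in entry.get("Matches", []):
            pattern = match.get("Pattern")
            if pattern and bytes.fromhex(pattern) in data:
                hits.append(entry["Description"])
                break
    return hits


def load_installed() -> bytes:
    """Read the first XProtect.plist found at a known path, or b'' if none exists."""
    for path in XPROTECT_PATHS:
        candidate = Path(path)
        if candidate.is_file():
            return candidate.read_bytes()
    return b""


if __name__ == "__main__":
    data = load_installed() or build_sample()
    records = parse_xprotect(data)
    for record in records:
        print(f"{record['name']:<24} {str(record['content_type']):<44} {','.join(record['match_kinds'])}")
    print("families:", family_counts(records))
```

Run on a Mac it reads the installed file; anywhere else it falls back to the constructed sample. The version of the blacklist you are looking at is kept alongside it in XProtect.meta.plist, whose Version key can be read with `defaults read` on that file's path.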

Recent and current threats

OSX.Eleanor.A – installs backdoors, since March or April 2016, details here, here, and here.

OSX.Hmining.A and .A.2 – adware, recent and current.

OSX.Trovi.A – browser hijacker which redirects searches to trovi.com, current, removal details here.

OSX.Bundlore.A – bundles genuine apps with adware, since 2014 and current, details here.

OSX.Genieo.A to .E, and OSX.GenieoDropper.A – adware, since 2013 and current, details here.

OSX.InstallCore.A – bundles genuine apps with adware, since 2015 and current, details here.

OSX.InstallImitator.A to .D – adware, current.

OSX.Vindinstaller.A – Trojan, also known as FkCodec-B, active in 2015, details here.

OSX.KeRanger.A – ransomware, February/March 2016 and current, details here.

OSX.CrossRider.A – adware, from April 2015 and current, details here.

OSX.XcodeGhost.A – a trojanised copy of Xcode which inserted a backdoor into apps built with it, some of which were then distributed through the App Store in the summer of 2015, detailed here.

OSX.OpinionSpy and .B – spyware, originally 2010 but reappeared in 2015, details here.

OSX.VSearch.A – adware, from summer 2014 and current, details here.

OSX.Machook.A and .B – Trojan, also known as WireLurker, from November 2014 and current, details here.

OSX.iWorm.A to .C – backdoor, creates botnets, from 2014 and current, details here.

OSX.NetWeird.i and .ii – Trojan which opens a backdoor, from early 2013 and current, details here.

Uncommon and historical threats

OSX.GetShell.A – Trojan, from 2012, now rare, details here.

OSX.LaoShu.A – Trojan, from early 2014 and current, details here.

OSX.Abk.A – keylogger, from about 2012.

OSX.CoinThief.A to .C – Trojan which installs browser extensions to steal Bitcoin credentials, from 2014, details here.

OSX.RSPlug.A – Trojan form of DNSChanger, old from 2007, details here.

OSX.Iservice.A and .B – Trojan, from 2009 and probably long since gone, details here.

OSX.DevilRobber.A and .B – installs a backdoor, old (2011), details here.

OSX.HellRTS – Trojan, from 2010, details here.

OSX.MacDefender.A and .B – fake antivirus, from 2011, details here.

OSX.QHost.WB.A – Trojan, fake Flash Player installer from 2011, details here.

OSX.Revir.A, .ii to .iv – Trojan backdoor, from 2011, details here.

OSX.FlashBack.A to .C – Trojan building botnets, from 2011, details here.

OSX.FileSteal.i and .ii – Trojan backdoor, from 2013, details here.

OSX.Mdropper.i – Trojan installer, old.

OSX.FkCodec.i – Trojan spyware, from 2012, details here.

OSX.MaControl.i – Trojan backdoor, from 2012, details here.

OSX.SMSSend.i and .ii – Trojan, from 2013, details here.

OSX.eicar.com.i – not malware at all, but a test detection file from EICAR.

OSX.AdPlugin.i and OSX.AdPlugin2.i – adware known as Yontoo from 2013.

OSX.Leverage.a – Trojan from 2013, details here.

OSX.Prxl.2 – Trojan Icefog, from 2011, details here.