Sophos announced it has discovered the very first virus that targets the Apple Mac OS X platform. The virus is codenamed OSX/Leap-A and spreads via iChat instant messaging clients.
The worm attempts to spread via the iChat instant messaging system, sending itself to available contacts on the infected user's buddy list in a file called latestpics.tgz. This file is an archive consisting of:
latestpics: the worm executable
._latestpics: a hidden resource file designed to disguise the executable as a JPEG image
OSX/Leap-A installs itself as an application hook by deleting the "apphook" subdirectory of either the /Library/InputManagers/ directory (if run with root permissions) or the ~/Library/InputManagers/ directory (if run as a non-root user) and replacing it with the following three files:
apphook/Info
apphook/apphook.bundle/Contents/Info.plist
apphook/apphook.bundle/Contents/MacOS/apphook
OSX/Leap-A attempts to infect recently used applications by overwriting the original application with a copy of the worm, storing the original application in the file's resource fork. Infected application files have the following extended attribute:
name: oompa
value: loompa
OSX/Leap-A also creates the following temporary files:
/tmp/pic.gz
/tmp/pic
/tmp/latestpics
/tmp/lastespics.tar
/tmp/lastespics.tar.gz
/tmp/lastespics.tgz
and several files under
/tmp/apphook
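The indicators listed above (the oompa/loompa extended attribute, the three apphook files under the InputManagers directories, and the /tmp files) can be turned into a host triage check. The script below is an added example written for this page, not Sophos code; it reads extended attributes through the macOS `xattr -p` command by default, and every filesystem lookup is injectable so the logic can be exercised with constructed data.

```python
"""Triage helper for the OSX/Leap-A indicators described above (hypothetical, not Sophos code)."""
import os
import subprocess
from typing import Callable, List, Optional

# Indicators taken from the description above.
LEAP_XATTR = ("oompa", "loompa")
APPHOOK_FILES = (
    "apphook/Info",
    "apphook/apphook.bundle/Contents/Info.plist",
    "apphook/apphook.bundle/Contents/MacOS/apphook",
)
TMP_INDICATORS = (
    "/tmp/pic.gz", "/tmp/pic", "/tmp/latestpics",
    "/tmp/lastespics.tar", "/tmp/lastespics.tar.gz", "/tmp/lastespics.tgz",
    "/tmp/apphook",
)

def xattr_cli(path: str, name: str) -> Optional[str]:
    """Default reader: `xattr -p NAME PATH` (macOS). None if the attribute or the tool is absent."""
    try:
        out = subprocess.run(["xattr", "-p", name, path], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None

def is_leap_infected_app(path: str, read_xattr: Callable[[str, str], Optional[str]] = xattr_cli) -> bool:
    """True if the file carries the oompa=loompa marker Leap-A leaves on overwritten applications."""
    name, value = LEAP_XATTR
    return read_xattr(path, name) == value

def find_apphook_indicators(input_manager_dirs: List[str],
                            exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the apphook files present under the given InputManagers directories."""
    return [os.path.join(base, rel) for base in input_manager_dirs
            for rel in APPHOOK_FILES if exists(os.path.join(base, rel))]

def find_tmp_indicators(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the Leap-A temporary paths that currently exist."""
    return [p for p in TMP_INDICATORS if exists(p)]

def default_input_manager_dirs() -> List[str]:
    # Root and per-user locations named in the description above.
    return ["/Library/InputManagers", os.path.expanduser("~/Library/InputManagers")]

if __name__ == "__main__":
    for hit in find_apphook_indicators(default_input_manager_dirs()) + find_tmp_indicators():
        print("indicator present:", hit)
```

Run on a live host with no arguments; for application files, call `is_leap_infected_app` on each recently used executable.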
Source:
Sophos