How to remove Crisis malware

Back when cyber security experts first became aware of OS X Crisis - also known as Davinci and Morcut - this was a sophisticated trojan virus. Unlike other trojan malware infections, Crisis was capable of running anti-analysis scripts, which was unusual for a Mac OS X virus.

The Crisis malware sends a pingback to the command-and-control server every five minutes, awaiting instructions. Once instructed, OS X Crisis can take over a Mac, record data, and send that back to the server, with the information being sold to cybercriminals and those who can commit identity theft.

It is definitely one to watch out for and avoid. If you are infected, then this article will tell you how to remove OS X Crisis and restore your Mac to working order.

What is OS X Crisis?

A trojan - also known as a trojan horse, or trojan malware - is a type of malicious software that can take over a computer. They are designed to take over Mac, PC, and Linux devices, and some newer versions are even capable of overriding the operating systems on Android and iOS devices.

When it was discovered, it was noted that OS X Crisis was only capable of running on OSX versions 10.6 and 10.7 – Snow Leopard and Lion. It is unknown if newer versions of this trojan are capable of running on more modern Mac operating systems.

Analysis of this virus has found that once it is downloaded, it deploys 14 files if a Mac user doesn't give it Admin permissions. It will deploy 17 files if someone is tricked - using social engineering and other manipulative techniques - into giving the trojan admin permissions.

Further analysis of the Crisis virus shows that it creates the following directories and files throughout your Mac:

  • /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
  • /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
  • $HOME/Library/LaunchAgents/com.apple.mdworker.plist
  • $HOME/Library/Preferences/jl3V7we.app
  • $HOME/Library/ScriptingAdditions/appleHID/Contents/Info.plist
  • $HOME/Library/ScriptingAdditions/appleHID/Contents/MacOS/lUnsA3Ci.Bz7
  • $HOME/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

Once deployed, it starts to monitor user activity after modifying the settings within:

  • Firefox
  • Skype
  • Microsoft Messenger
  • Adium

It can monitor and record voice and video conversations, copy any messages sent using those platforms, and record every website visited. Crisis will also capture screenshots. Nothing is safe with this trojan on your Mac. Your user data and activity is compromised. And here is how you can remove this nasty problem.

How to remove OS X Crisis from Mac

Removing Crisis manually is possible, although security experts have noted that it is immune to the reboot sequence. Therefore, you need to search for the 14 or 17 files and directories that it has deployed on your Mac. Start with the list above.

Some of the files it downloads to Macs are named sequentially, making them easier to identify. Others aren't as easy to spot, with names that don't match any of the others that are included in the Crisis payload. When you notice a file that clearly doesn't belong, drag this and others like it into the trash. Once you are confident you’ve got them all, empty the trash then reboot your Mac.

Always be careful when removing anything you aren't sure about. Unless you know what something is, you could risk deleting an application your Mac needs to operate. Only do this if you are a confident Mac power user. If necessary, take it to an authorized Mac dealer and repair shop, or an Apple shop.

Another way to remove Crisis on a Mac is to download CleanMyMac X.


How you can remove Crisis quickly with CleanMyMac X

CleanMyMac X is a powerful Mac cleaning, speedup, and protection utility. It successfully scans and removes all known types of malware. We update our security database constantly, making sure that your Mac gets back to how it ran when you got it. CleanMyMac X clears out gigabytes of junk and cyber threats you didn’t even know had infected your Mac.

  1. Download CleanMyMac X and launch the app.
  2. Choose the Malware Removal tool.
  3. Click Scan so that it scans for every known virus, including Crisis.
  4. Click Remove.

Crisis was designed to spy on and record Mac user activities. Although only known to work on older operating systems, it is an intrusion and invasion of privacy most people would prefer not to deal with. Thankfully, there are ways of dealing with this problem and we hope this article helps you do that.

Laptop with CleanMyMac
CleanMyMac X

Your Mac. As good as new.