Security – How to Detect and Remove Flashback Trojan on Mac


I own a 2011 model of MacBook Pro with a Core i7 processor and Snow Leopard. I have found out there is a trojan horse which now controls 600,000 Macs.

  • How can I find out if my MacBook is being controlled?
  • How can I remove the trojan?

Best Answer

You can follow these instructions from F-Secure to uninstall/remove the malware:

  1. Run the following command in Terminal:

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    
  2. Take note of the value, DYLD_INSERT_LIBRARIES

  3. Proceed to step 8 if you got the following error message:

    "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
    
  4. Otherwise, run the following command in Terminal:

    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
    
  5. Take note of the value after "__ldpath__"

  6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):

    sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
    
    sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
    
  7. Delete the files obtained in steps 2 and 5

  8. Run the following command in Terminal:

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    
  9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

    "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
    
  10. Otherwise, run the following command in Terminal:

    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
    
  11. Take note of the value after "__ldpath__"

  12. Run the following commands in Terminal:

    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    
    launchctl unsetenv DYLD_INSERT_LIBRARIES
    
  13. Finally, delete the files obtained in steps 9 and 11.
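As an added example (not part of the answer and not F-Secure's tool), here is a read-only shell audit of the two persistence points the steps above walk through, plus the launchd session variable step 12 unsets. It assumes macOS's `defaults` and `launchctl getenv` commands; the function names, the `awk` parsing of `defaults` output and the `check_domain` helper are my own.

```shell
#!/bin/sh
# Read-only audit for the Flashback persistence checked in steps 1-13.
# Nothing here deletes files or keys; it only reports what it finds.

# Print the path that follows the first "__ldpath__" marker in a library.
# The answer's grep range [ -~] matches printable ASCII only, so the NUL
# that ends the string inside the binary also ends the match. LC_ALL=C
# keeps the range byte-based regardless of the user's locale.
extract_ldpath() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^__ldpath__//'
}

# Extract the DYLD_INSERT_LIBRARIES path from `defaults read` output. The
# environment.plist read returns the bare path; the Safari LSEnvironment read
# returns a dictionary with a line like: DYLD_INSERT_LIBRARIES = "/path";
dyld_path_from_defaults() {
    printf '%s\n' "$1" | awk '
        /DYLD_INSERT_LIBRARIES[ \t]*=/ { sub(/^.*=[ \t]*/, ""); sub(/;[ \t]*$/, "");
                                         gsub(/"/, ""); print; exit }
        /^\//                          { print; exit }'
}

# Check one plist domain/key pair (the two locations from steps 1 and 8).
# Returns 0 if an injected library was found there, 1 if that location is clean.
check_domain() {
    raw=$(defaults read "$1" "$2" 2>/dev/null) || return 1   # key absent: clean
    lib=$(dyld_path_from_defaults "$raw")
    [ -n "$lib" ] || return 1
    echo "$1 [$2] injects $lib"
    [ -f "$lib" ] && echo "  __ldpath__ second stage: $(extract_ldpath "$lib")"
    return 0
}

# Run both checks plus the launchd session variable that step 12 unsets.
# Exit status: 0 clean, 1 persistence found, 2 not macOS (no defaults(1)).
audit_flashback() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults(1) missing: not macOS"; return 2; }
    found=0
    check_domain /Applications/Safari.app/Contents/Info LSEnvironment && found=1
    check_domain "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES && found=1
    lc=$(launchctl getenv DYLD_INSERT_LIBRARIES 2>/dev/null)
    [ -n "$lc" ] && { echo "launchd session: DYLD_INSERT_LIBRARIES=$lc"; found=1; }
    [ "$found" -eq 0 ] && echo "no Flashback DYLD_INSERT_LIBRARIES persistence found"
    return "$found"
}
```

Source the file and call `audit_flashback` in Terminal; a non-zero exit means either something was reported or the script is not running on macOS.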

Update:

Apple has released an official tool for uninstalling the malware. Read about it and download it on this Apple KB page.

F-Secure has also released a removal tool, which you can download here.