On Dec 29 2008 I experienced an "attack" on my Mac; the malware downloaded onto an installed USB stick (flash drive). The "attack" opened a Word document on the USB stick and downloaded a file directly onto the stick (somehow bypassing the default setting that all downloads go to downloads folder on HD). The downloaded file was named "_THELA~2 PDF". I found it on my USB stick. It had a last modified date of 20/10/2008. I viewed it from "Quick Look" option in Trash menu, then emptied Trash. Finder described it as a PDF but I am advised that hackers can make non-PDF files appear as PDFs. I had never seen the file before. The top page (which is all you get to view in Quick Look) was a picture of a child with a circular stamp (the instrument) superimposed to one side of the picture. The child appeared to be of South American or Northern European (indigenous) origin.
The "attack" came completely by surprise. The only installation downloads I have made are the upgrades for Microsoft Office 2008 and all the Apple software updates, which I access directly from Apple and Microsoft (not via third party links). I have never made a third party installation of anything. The only other installations on my machine were Adobe 9.0 (which wasn't used because I decided I preferred Preview; I have now uninstalled Adobe) and Firefox 3.0 (which I never ran because I couldn't easily decipher how to set it for equivalent or higher security than Safari; I permanently run Safari in Stealth mode). I have never encountered a third party request to update Adobe Flash or Firefox or anything else.
I don't have Microsoft Windows installed.
At the time of the "attack" these applications were open: Safari, and a Word document on another USB stick (in the other USB port).
The "attacked" USB stick was just sitting in the port waiting to take a (backup) copy of the Word document when I finished my session.
Using Safari I arrived at a news item page from Australia's public broadcasting corporation (via a link from another very reputable Australian commercial site) but Safari's spinning ball kept going long after the page had loaded. While the ball was spinning the "attack" was happening.
I took both USB sticks to the local library and ran each twice through their avast! virus scan (on PC, no Mac available at library). Nothing was found on either stick. I emptied the PDF from Trash and replaced the Word document with the original copy (from the other USB stick) before the scan. When I next moved a new Word document onto the "attacked" USB stick (for backup) the name of the document was changed from "Angular Cheilitis" to "ANGULA". I gather there was still some sort of malware on the stick that avast! scan at library did not find. For the sake of $12 for a new stick I physically trashed the stick. I didn't open any documents on the USB stick after the "attack" so I appear to have kept the malware isolated to the stick. My computer and the other stick are acting normally. I now have Little Snitch 2 installed and there do not appear to be any unwanted messages attempting to leave my computer. I find Little Snitch 2 reassuring and not intrusive.
I also downloaded avast! Mac Edition 2.74 from apple.com downloads. I did a full scan of the HD and remaining USB stick; no viruses were found. I made telephone contact with the Australian company associated with avast.com.au. The man I spoke with was very generous with his time but said they rely on this forum to get most of their info, especially about the Mac Edition. I downloaded avast! with some confidence in it because the local library use it; however, without better user information I am unsure whether I am getting decent virus protection. I have no idea what I should put in "Default scan locations"; I currently have Documents, Downloads, Desktop and Pictures in there. I have no idea whether Web Shield is a part of the Mac Edition and whether I am getting ongoing protection as I search with Google. Should I have some applications routinely scanned at launch? etc. etc.
After 60 days trial I need to pay. Without better user support that is unlikely to happen.
Cheers
vastus