Ok I was control clicking on the fake finder and not the actual app.
Whew…
I tried running “strings -a” on a simple R/O AppleScript…
tell application "Finder"
end tell
It returns…
HD_Name:System:Library:CoreServices:Finder.app
&System/Library/CoreServices/Finder.app
But it does not return the line…
So that along with the line that read “mylisttrojan.0” is enough to raise suspicion.
With that said, it’s still a good idea not to run a R/O AppleScript unless you know the person who wrote it, or have received the script from a known good source, especially if there is no ReadMe file or any way of contacting the author.
You can also use the “hexdump -C” command on a file. It will return info kinda like what “ResEdit” used to return in OS 9 and earlier.
You’re absolutely right. I was never going to run the script anyway, but I really wanted to know what it would have screwed up if I had.
I tried ResEdit on it, but I don’t know a thing about hex.
You guys have been invaluable.
Thanks
Thanks Twitch, and to everyone who pitched in on this thread. We were glad to help.
I know it’s a bit late, but here is my debug/opinion anyway…
This is most probably related to a multisegment .sit file, but these lines are a lonely island in the script. I’d say they are not part of the scpt executable code, since they are outside of its headers, but a chunk of a different resource in the same file.
I don’t know if this is a trojan, but I can’t see anything dangerous in the rest of the code. There are no common read/write commands or shell scripts. This is a pre-X applet thought to examine a Hotline Server’s hierarchy. Look at those “:Files” and “:Users:guest:files” which are built after getting the path of the “Hotline Server” through the Finder. It will create a folder called “comments” if it doesn’t exist and will do anything with “path to me”.
Unless I’m missing something in the code, I’d say this is not dangerous.
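The static check discussed in this thread ("strings -a", "hexdump -C", and looking for shell or read/write commands) can be wrapped into one script. This is an added example, not code from any poster; the function names, the constructed sample bytes and the list of four-character event codes are assumptions of the example.

```shell
#!/bin/sh
# Static triage of a compiled AppleScript file. Nothing here executes the script.

# Runs of 4+ printable ASCII characters, as `strings -a` reports them.
# Falls back to tr/awk where the strings tool is not installed.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 4 "$1"
    else
        LC_ALL=C tr -c '\40-\176' '\n' < "$1" | awk 'length($0) >= 4'
    fi
}

# Application bundles the file names, in HFS (Disk:Folder:X.app) or POSIX form.
app_references() {
    printable_strings "$1" | grep -E -o '[A-Za-z0-9_ ./:-]+\.app' | sort -u
}

# ASSUMPTION: Standard Additions event codes as stored in compiled scripts:
# sysoexec = do shell script; rdwropen/rdwrwrit/rdwrread = file open/write/read.
risky_events() {
    printable_strings "$1" | grep -E -o 'sysoexec|rdwropen|rdwrwrit|rdwrread' | sort -u
}

triage() {
    echo "== applications referenced =="
    app_references "$1"
    echo "== shell / file I/O event codes =="
    found=$(risky_events "$1")
    echo "${found:-(none found)}"
    if command -v hexdump >/dev/null 2>&1; then
        echo "== first bytes =="
        hexdump -C "$1" | head -n 4
    fi
}

# Constructed sample: filler bytes around the two strings quoted in the thread.
make_sample() {
    printf '\001\377\377HD_Name:System:Library:CoreServices:Finder.app\000\002&System/Library/CoreServices/Finder.app\000\377' > "$1"
}

# Usage: sh triage.sh suspicious.scpt
if [ -n "${1:-}" ]; then triage "$1"; fi
```

An empty event-code section only means those particular codes were not found as plain text; it does not show the file is safe to run.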