0x00001c7f <main+49>: mov DWORD PTR [esp],0x1e08

0x00001c86 <main+56>: call 0x1f04 <dyld_stub_mkdir>





(gdb) x/s 0x1e08

0x1e08: "/Library/Application Support/google"





0x00001c93 <main+69>: mov DWORD PTR [esp],0x1e30

0x00001c9a <main+76>: call 0x1eec <dyld_stub_fopen$UNIX2003>





0x00001cba <main+108>: mov DWORD PTR [esp],eax

0x00001cbd <main+111>: call 0x1ef8 <dyld_stub_fwrite$UNIX2003>





0x00001db4 <main+358>: movl $0x1e30,(%esp)

0x00001dbb <main+365>: call 0x1eda <dyld_stub_execve>





(gdb) x/s 0x1e30

0x1e30: "/Library/Application Support/google/startp"





(gdb) x/s 0x1e80

0x1e80: "/Library/LaunchAgents/www.google.com.tstart.plist"





The plist file:

<string>/Library/Application Support/Google/startp</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>LaunchOnlyOnce</key>

The backdoor creates a folder to disguise itself as a Google application.

It creates another executable named startp in the google folder.

It creates the plist file that allows it to run each time a user restarts the computer.

It launches the new startp binary.
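A defender-side check for the persistence described above, as an added example that is not code from the original analysis: it flags launchd jobs with RunAtLoad set whose program lives under an Application Support directory. The sample plists, their Label values and all function names are constructed for illustration.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Directories that hold application data, not launchd job binaries (assumed list).
# Compared lower-cased: the strings above use both "google" and "Google".
SUSPECT_DIRS = ("/library/application support/",)

def _plist(body):
    return ('<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            + body + "</dict></plist>").encode()

# Constructed samples. The first reuses only the keys and path shown on the page;
# the Label values and the second job are placeholders.
SAMPLE_DROPPED = _plist(
    "<key>Label</key><string>placeholder.dropped</string>"
    "<key>ProgramArguments</key><array>"
    "<string>/Library/Application Support/Google/startp</string></array>"
    "<key>RunAtLoad</key><true/>")
SAMPLE_BENIGN = _plist(
    "<key>Label</key><string>placeholder.benign</string>"
    "<key>Program</key><string>/usr/libexec/placeholderd</string>"
    "<key>RunAtLoad</key><true/>")

def agent_program(job):
    """Executable launchd starts: Program, else ProgramArguments[0]."""
    args = job.get("ProgramArguments") or []
    return job.get("Program") or (args[0] if args else None)

def review_agent(plist_bytes):
    """Return findings (possibly empty) for one LaunchAgent plist."""
    try:
        job = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["unparseable plist"]
    prog = agent_program(job)
    if job.get("RunAtLoad") is True and isinstance(prog, str) \
            and prog.lower().startswith(SUSPECT_DIRS):
        return [f"RunAtLoad job runs from a data directory: {prog}"]
    return []

def scan(agent_dir="/Library/LaunchAgents"):
    """Map each flagged plist path in agent_dir to its findings."""
    hits = {}
    for path in sorted(Path(agent_dir).glob("*.plist")):
        found = review_agent(path.read_bytes())
        if found:
            hits[str(path)] = found
    return hits
```

Calling `scan()` with no argument reviews `/Library/LaunchAgents`; pass a per-user LaunchAgents path to review that directory as well.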

CEFAEDFE"(located at offset 1240).

int pthread_create(pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine)(void*), void *arg);