by toyg 3578 days ago
That list of directories is really weird. On my machine, none of them exists, neither in ~/Library nor /Library. And I do run most of that software (Dropbox, Skype, Firefox, Chrome in the past...).

Either the malware targeted very old versions of such software and/or OSX, or somebody between the malware author and the blog writer f###ed up.

The aim is to look legitimate, but not clobber applications - merely to look like something the user shouldn't delete.

But the post says that the malware checks if any of those folders exists, only then writing the necessary plist. By your reasoning, one of these folders should have been created in advance by another process. So this "backdoor" is even incomplete...

It says it checks if those folders are available - which could mean checking if the name is not already taken, and then creating the path for itself to use.

> But the post says that the malware checks if any of those folders exists

Presumably so it doesn't re-infect an already compromised host.