[toyg]

But the post says that the malware checks if any of those folders exists, only then writing the necessary plist. By your reasoning, one of these folders should have been created in advance by another process. So this "backdoor" is even incomplete...

[sordidfellow]

It says it checks if those folders are available - which could mean checking if the name is not already taken, and then creating the path for itself to use.

[djrogers]

> But the post says that the malware checks if any of those folders exists

Presumably so it doesn't re-infect an already compromised host