The Register® — Biting the hand that feeds IT


Re: Oh the humanity!

"erm you have to type in your admin password for it to install"

Actually, you don't.

It's a bit of an odd duck, this one. It asks you for an administrator password, but you don't actually have to type it.

When the malicious Java applet runs, it attempts to download additional code. To do this, it prompts the user for an administrator password. If the user is gullible enough to type it, the downloader installs a payload in the Mac's Applications folder, and (I believe) sets it to run automatically at startup.

If the user *doesn't* type the administration password, the downloader installs a hostile payload in the user's home folder. This payload runs in userland, without administrator privileges, and I'm not certain but I don't believe it runs on restart (and it certainly doesn't if the user restarts and logs in to a different account). It's a lot more limited in what it can do, but it does still run, and (if the user doesn't have the firewall enabled) does seem to have the capability of making outside connections.

So the upshot is: No, you don't have to type an admin password. If you don't, the infection is somewhat mitigated, but it is still effective.