XProtect and Gatekeeper found not to detect virus if downloaded via torrent.
Mac OS X may still be vulnerable to the iWorm backdoor despite patching from Apple, according to a security researcher.
Updates to the XProtect and Gatekeeper antivirus systems mean they can detect the virus, but they are said to work only if the correct "quarantine attribute" is applied to files by the software used to facilitate a download.
Patrick Wardle, director of research with security firm Synack, said: "Contrary to popular belief, Gatekeeper (like XProtect) is fairly limited in the attacks it can prevent. This is due to the fact that Gatekeeper will only examine binaries that contain a quarantine attribute named ‘com.apple.quarantine’.
"Interestingly, it is the responsibility of the downloading application (eg Safari, the torrent client) to set this quarantine attribute. Unfortunately, many of the torrent clients that are likely to be used to download the infected applications may not set this attribute."
The Safe Mac reported that pirated versions of the image editor Adobe Photoshop and productivity suite Microsoft Office were being used to hide the iWorm infection, discovered at the end of September by the antivirus company Dr Web.
To combat the virus Wardle has developed KnockKnock and released it as an open source tool on the code repository Github, allowing users to check which executables run when they boot Mac OS X, filtering out safe files signed by Apple.
"Although users cannot rely on Apple’s anti-malware mechanisms for protection from iWorm, refraining from using pirated applications should keep them safe in this case," he added.
"More generically, armed with a tool such as KnockKnock, users can detect both current and future persistent OS X threats."
Victims infected with the virus can have their machines completely hijacked, although Wardle said that detecting and removing iWorm was "fairly trivial" as it does not include measures to defend itself.
The virus hit the headlines after it was found exploiting the content aggregator Reddit to connect to a command and control (C&C) server used to send instructions to infected computers, in what is known as a botnet.