Look Out, Licat!

Researchers at TrendLabs have blogged this morning about a new file infector virus known as Licat.a, which appears to be geographically and numerically widespread. Research into the malicious code is ongoing.

A file infector is malware which could be considered the most “classic” form of virus, one that seeks out other file types and injects its own code into these victim files. Whenever one of the infected files is opened, the malicious code executes.

Licat seeks out .EXE, .DLL and .HTML files on an infected system and modifies those files, adding its malicious routines.

When an infected file is opened, Licat will generate a series of 800 internet addresses in the format below. The pseudorandom alpha characters are generated using a randomizing function, which is computed from the current UTC system date and time.

http://{pseudorandom alpha characters}.biz/forum/
http://{pseudorandom alpha characters}.org/forum/
http://{pseudorandom alpha characters}.info/forum/
http://{pseudorandom alpha characters}.net/forum/
http://{pseudorandom alpha characters}.com/forum/

It will then attempt to connect to each of these destinations to download and execute further components or other payloads. The last time similar behaviour to this was seen was in the infamous Conficker botnet.
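One way to hunt for this behaviour in web proxy logs, as an added example that is not from TrendLabs or the original post: flag any client that requests many distinct hosts matching the URL format above. The log layout (`<timestamp> <client> <url>`), the `min_hosts` threshold, the function names and the sample data are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# TLDs and path come from the URL format listed above.
LICAT_TLDS = ("biz", "org", "info", "net", "com")
LICAT_PATH = "/forum/"
ALPHA_LABEL = re.compile(r"^[a-z]+$")  # alphabetic only; the page gives no label length

def matches_licat_format(url):
    """True for http://<alphabetic label>.<listed TLD>/forum/ (assumes one label before the TLD)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    return (parts.scheme == "http" and len(labels) == 2
            and ALPHA_LABEL.match(labels[0]) is not None
            and labels[1] in LICAT_TLDS and parts.path == LICAT_PATH)

def suspicious_clients(log_lines, min_hosts=20):
    """Map client -> number of distinct matching hosts, for clients at or above min_hosts.

    A single match means little (many real sites have a /forum/ path); the signal is
    one client requesting many distinct hosts of this shape. min_hosts is an assumed threshold.
    """
    hosts = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip lines that are not "<timestamp> <client> <url>"
        _, client, url = fields
        if matches_licat_format(url):
            hosts[client].add(urlsplit(url).hostname.lower())
    return {c: len(h) for c, h in hosts.items() if len(h) >= min_hosts}

def build_sample_log():
    """Constructed proxy log: 10.0.0.5 sweeps 25 made-up hosts, 10.0.0.9 browses normally."""
    lines = []
    for i in range(25):
        label = "".join(chr(97 + (i * 7 + j * 3) % 26) for j in range(10))
        lines.append(f"2010-01-01T00:00:{i:02d}Z 10.0.0.5 http://{label}.{LICAT_TLDS[i % 5]}/forum/")
    lines += [
        "2010-01-01T00:01:00Z 10.0.0.9 http://example.com/forum/",
        "2010-01-01T00:01:05Z 10.0.0.9 http://www.example.org/index.html",
        "2010-01-01T00:01:09Z 10.0.0.9 https://example.net/forum/",
    ]
    return lines

if __name__ == "__main__":
    print(suspicious_clients(build_sample_log()))
```

Because most generated names are unlikely to be registered, the same sweep would also tend to show up as a burst of failed DNS lookups from one client, which can be used to corroborate a hit.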

As Solutions Architect for Trend Micro, Rik Ferguson interacts with CIOs from a wide variety of blue chip enterprises, government institutions and law enforcement organisations. Recognised as an industry thought leader and analyst, Rik is regularly quoted by the press on issues surrounding Information Security, Cybercrime and technology futures. With over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox, Rik’s broad experience enables him to have a clear insight into the challenges and issues facing businesses today.