Look Out, Licat!

UPDATE: Further research has confirmed that LICAT appears to be very strongly linked to ZeuS possibly in an effort to rebuild or strengthen botnets after recent law enforcement activities

Researchers at TrendLabs have blogged this morning about a new file infector virus known as Licat.a which appears to be be geographically and numerically widespread. Research into the malicious code is ongoing.

Licat Distribution

A file infector is malware which could be considered the most “classic” form of virus, one that seeks out other file types and injects its own code into these victim files. Whenever one of the infected files is opened this causes the malicious code to execute.
Licat seeks out .EXE files on infected system and modifies those files, adding its malicious routines.
When an infected file is opened, Licat will generate a series of 800 internet addresses in the format below. The pseudorandom alpha characters are generated using a randomizing function, which is computed from the current UTC system date and time.
http://{pseudorandom alpha characters}.biz/forum/

http://{pseudorandom alpha characters}.org/forum/

http://{pseudorandom alpha characters}.info/forum/

http://{pseudorandom alpha characters}.net/forum/

http://{pseudorandom alpha characters}.com/forum/.
It will then attempt to connect to each of these destinations to download and execute further components or other payloads. The last time similar behaviour to this was seen was in the infamous Conficker botnet
Analysis of the mother infector file is ongoing and further details will be posted on the TrendLabs blog.

One thought on “Look Out, Licat!

  1. Pingback: The Mutation of ZeuS | The ThreatSTOP Blog

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.