LICAT
Murofet, Zbot
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infects files, Downloaded from the Internet, Spammed via email
LICAT are file infectors that exhibit ZEUS behaviors. Seen during the last quarter of 2010, these file infectors spread by infecting .EXE files. Some recent variants were seen to be distributed via spam.
One notable behavior of this family is that it generates domain names based on the current Coordinated Universal Time (UTC), a known behavior of CONFICKER.
TECHNICAL DETAILS
Yes
Connects to URLs/IPs, Steals information
Installation
This file infector drops the following file(s)/component(s):
- %Application Data%\{random2}\{random}.{3 random alpha character extension name}
- %User Temp%\{random}.TMP
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %Application Data%\{random1}\{random}.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It creates the following folders:
- %Application Data%\{random1}
- %Application Data%\{random2}
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Autostart Technique
This file infector adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID} = "%Application Data%\{random1}\{random}.exe"
Other System Modifications
This file infector adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\
{random}
Other Details
This file infector connects to the following possibly malicious URL:
- http://{pseudorandom alpha characters}.biz/forum/
- http://{pseudorandom alpha characters}.org/forum/
- http://{pseudorandom alpha characters}.info/forum/
- http://{pseudorandom alpha characters}.net/forum/
- http://{pseudorandom alpha characters}.com/forum/