Aliases: Murofet, Zbot

Platform: Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes


Infection Channel: Infects files, Downloaded from the Internet, Spammed via email

LICAT is a family of file infectors that exhibit ZEUS behaviors. First seen during the last quarter of 2010, these file infectors spread by infecting .EXE files. Some recent variants were also seen being distributed via spam.

One notable behavior of this family is that it generates its command-and-control domain names from the current Coordinated Universal Time (UTC), a domain generation technique also known from CONFICKER.


Memory Resident: Yes
Payload: Connects to URLs/IPs, Steals information


This worm drops the following file(s)/component(s):

  • %Application Data%\{random2}\{random}.{3 random alpha character extension name}
  • %User Temp%\{random}.TMP

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

  • %Application Data%\{random1}\{random}.exe


It creates the following folders:

  • %Application Data%\{random1}
  • %Application Data%\{random2}


Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

{GUID} = "%Application Data%\{random1}\{random}.exe"

Other System Modifications

This worm adds the following registry keys:


Other Details

This worm connects to the following possibly malicious URLs, where the host label is generated from the current UTC time and the same label is tried across several top-level domains:

  • http://{pseudorandom alpha characters}.biz/forum/
  • http://{pseudorandom alpha characters}.org/forum/
  • http://{pseudorandom alpha characters}.info/forum/
  • http://{pseudorandom alpha characters}.net/forum/
  • http://{pseudorandom alpha characters}.com/forum/
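The URL pattern above gives a defender something concrete to look for in web proxy logs: a single client requesting `/forum/` on a purely alphabetic host label across several of the listed top-level domains in quick succession. The following Python script is an added example (not code from the original page or from any vendor tool) that matches that documented shape and then groups hits per client so that the "same label, several TLDs" behavior stands out. The proxy log format and the log lines themselves are constructed for the example; the page does not publish the domain generation algorithm, so the script matches the URL shape rather than regenerating the domains.

```python
import re
from collections import defaultdict

# Matches the URL shape documented for this family: a purely alphabetic
# host label, one of the five listed TLDs, and the path /forum/.
LICAT_URL_RE = re.compile(
    r"^http://(?P<label>[a-z]+)\.(?P<tld>biz|org|info|net|com)/forum/?$",
    re.IGNORECASE,
)

# Constructed proxy log lines (hypothetical; not taken from the page).
# Format assumed here: <timestamp> <client ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2010-11-03T08:15:22Z 10.0.0.12 GET http://www.example.com/index.html 200
2010-11-03T08:15:40Z 10.0.0.12 GET http://qzkvhrtlwpmeac.biz/forum/ 404
2010-11-03T08:15:41Z 10.0.0.12 GET http://qzkvhrtlwpmeac.org/forum/ 404
2010-11-03T08:15:42Z 10.0.0.12 GET http://qzkvhrtlwpmeac.info/forum/ 200
2010-11-03T08:16:05Z 10.0.0.31 GET http://forum.example.net/forum/ 200
2010-11-03T08:16:09Z 10.0.0.31 POST http://blog123.com/forum/ 200
"""


def parse_line(line):
    """Split one constructed-format proxy log line into its fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status)}


def find_licat_style_urls(log_text):
    """Return (client, label, tld) for every request matching the URL shape."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = LICAT_URL_RE.match(rec["url"])
        if m:
            hits.append((rec["client"],
                         m.group("label").lower(),
                         m.group("tld").lower()))
    return hits


def clients_cycling_tlds(hits, min_tlds=2):
    """Group hits per client and label; report labels tried on >= min_tlds TLDs.

    Cycling one pseudorandom label through several TLDs is the behavior the
    page describes, so this is the signal worth alerting on rather than any
    single request.
    """
    per_client = defaultdict(lambda: defaultdict(set))
    for client, label, tld in hits:
        per_client[client][label].add(tld)
    flagged = {}
    for client, labels in per_client.items():
        for label, tlds in labels.items():
            if len(tlds) >= min_tlds:
                flagged.setdefault(client, {})[label] = sorted(tlds)
    return flagged


if __name__ == "__main__":
    hits = find_licat_style_urls(SAMPLE_PROXY_LOG)
    for client, labels in clients_cycling_tlds(hits).items():
        for label, tlds in labels.items():
            print(f"{client}: label {label!r} requested on TLDs {tlds}")
```

A hostname with more than one label (`forum.example.net`) or with digits (`blog123.com`) is deliberately not matched, because the page describes single pseudorandom alphabetic labels. A legitimate single-label alphabetic `.com` host serving `/forum/` would still match the regex, which is why the per-client TLD cycling is used as the alert condition rather than the raw match.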