Polymorphic Virus

3 replies to this topic

#1 haibt

haibt

    Private

  • Members
  • 5 posts

Posted 07 October 2010 - 06:14 PM

This virus attacks similarly to the way Conficker did.
More information: http://threatinfo.tr...Name=PE_LICAT.A
If anyone gets the sample, please post it here.


#2 webdevil

webdevil

    Retired GSO General

  • Sergeant Major
  • 1,195 posts

Posted 08 October 2010 - 12:51 AM

Conficker was a worm. This is malware.
With the limited details, I don't see anything polymorphic in this as well.

#3 haibt

haibt

    Private

  • Members
  • 5 posts

Posted 08 October 2010 - 08:22 PM


Analysis of the PE_LICAT.A file infector has revealed further information on this emerging threat.

We have been able to isolate a copy of the main file infector, which we detect as PE_LICAT.A-O. (A main file infector is a file infector which triggers the process of infecting files, but is not infected itself.) It injects itself into the Explorer.exe process, which has two effects. First, it becomes memory resident. Secondly, any file executed afterwards becomes infected with malicious code and is detected as PE_LICAT.A.

We have looked into the pseudorandom domains that LICAT uses to download files from. Every time PE_LICAT.A is executed it attempts to download files from these domains, trying to do so a maximum of 800 times.

The following top-level domains are used by these created domains:

  • biz
  • com
  • info
  • org
  • net

Our monitoring indicates that most of these domains have not been registered. A small number have been registered, and although some of the sites these actually lead to are currently inaccessible, some are still alive and active. As a precaution, all related sites have now been classified as malicious and blocked by Trend Micro.

These domains appear to link PE_LICAT and ZeuS. Several of the domains that PE_LICAT was scheduled to download files from in late September are confirmed to be known ZeuS domains in that period. One of these domains, {BLOCKED}klklmssrr.com, was registered approximately one week before it would have been used by PE_LICAT. Another domain was hosted on an ISP that has seen significant levels of ZeuS-related activity in the past, and is a known haven for cybercrime.

We were able to obtain a sample from these LICAT-related domains, which we currently detect as TSPY_ZBOT.BYZ. The downloader file shows certain behavior often associated with ZeuS. However, downloader capability is not a functionality seen in ZeuS to date, therefore further analysis is taking place on this file. The file drops a copy of the main file infector, PE_LICAT.A-O. Files exhibiting similar behavior to the downloader will be proactively detected as TSPY_ZBOT.SMEQ.

PE_LICAT infections appear to have hit the North American and European regions hardest, with Latin America the lightest hit according to our Smart Protection Network™ feedback.

Trend Micro protects product users from this attack via the Trend Micro™ Smart Protection Network™. The domains generated by PE_LICAT are being analyzed in real-time and blocked as necessary. In addition, infected files are being detected and cleaned as well.


Read more: http://blog.trendmic.../#ixzz11peg5dFl
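The quoted write-up says LICAT tries pseudorandom domains on the biz/com/info/org/net TLDs, up to 800 times per run, and that most of those names are unregistered. The script below is an added example (not Trend Micro's code and not the actual LICAT domain algorithm, which the post does not give): it scans constructed DNS resolver log lines and flags clients that issue many high-entropy second-level names on those TLDs with a high NXDOMAIN ratio. The log format, thresholds and every domain in it are assumptions made up for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<client> <queried name> <response code>".
# Every name here is invented for the example; none is a real PE_LICAT domain.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.9 qzkvtrwplmnsd.biz NXDOMAIN
10.0.0.9 mxqlwrtsvkpzj.info NXDOMAIN
10.0.0.9 hgvrtplmqkwsx.com NOERROR
10.0.0.9 zvrtplmqkwsxd.net NXDOMAIN
10.0.0.9 wqplmrtzvksxn.org NXDOMAIN
10.0.0.9 rvtplqwmskzxd.biz NXDOMAIN
10.0.0.9 plqwmrtvzksxn.com NXDOMAIN
10.0.0.9 tvrplmqwzksxd.info NXDOMAIN
10.0.0.5 cdn.example.net NOERROR
"""

# The five TLDs named in the write-up above.
LICAT_TLDS = {"biz", "com", "info", "org", "net"}


def shannon_entropy(s):
    """Bits of entropy per character; generated labels tend to score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return (client, second-level label, tld, rcode), or None if the line does not fit."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, name, rcode = parts
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return client, labels[-2], labels[-1], rcode.upper()


def looks_generated(label, min_len=8, min_entropy=3.0):
    """Heuristic only (assumed thresholds): long, letters-only, high-entropy label."""
    return (len(label) >= min_len
            and label.isalpha()
            and shannon_entropy(label) >= min_entropy)


def find_suspect_clients(log_text, min_queries=5, min_nx_ratio=0.6):
    """Flag clients that query many generated-looking names on the LICAT TLDs
    where most lookups fail (the write-up notes most such domains are unregistered)."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, sld, tld, rcode = rec
        if tld not in LICAT_TLDS or not looks_generated(sld):
            continue
        s = stats.setdefault(client, {"generated": 0, "nxdomain": 0, "tlds": set()})
        s["generated"] += 1
        s["tlds"].add(tld)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1

    suspects = {}
    for client, s in stats.items():
        if s["generated"] >= min_queries and s["nxdomain"] / s["generated"] >= min_nx_ratio:
            suspects[client] = {
                "generated": s["generated"],
                "nxdomain": s["nxdomain"],
                "tlds": sorted(s["tlds"]),
            }
    return suspects


if __name__ == "__main__":
    for client, s in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{client}: {s['generated']} generated-looking queries, "
              f"{s['nxdomain']} NXDOMAIN, TLDs {s['tlds']}")
```

Entropy alone is a weak signal (long legitimate brand names score high too), which is why the check also requires a per-client volume and a failure ratio; on real resolver logs, tune the thresholds against a baseline and confirm hits by inspecting the host, since the post says a small number of the generated domains are registered and resolve.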

#4 infiltrator

infiltrator

    Staff Sergeant

  • Sergeant Major
  • 421 posts

Posted 09 October 2010 - 06:50 AM

This worm may even be considered a high security risk for users, but it's nowhere near to being a polymorphic worm.
Though, it has some interesting features like a backdoor and keystroke logger.

http://www.threatexp...LICAT.A&x=9&y=8