Trend Micro Detects Fresh Variant of LICAT File-Infector
Security researchers at Trend Micro are warning that a fresh variant of the malicious LICAT program has been identified, one that leads to the Zeus Trojan.
According to these researchers, the latest LICAT version generates additional domains, so the number of domains that researchers must identify, while simultaneously stopping the malicious program from causing further harm, has doubled. Esecurityplanet.com published this on December 6, 2010.
Moreover, the researchers describe the fresh LICAT sample as a file-infecting Trojan closely related to Zeus. It hunts for files with the .exe extension on infected computers and modifies them so that, when a modified file is opened, the malware generates 800 IP addresses of a pseudo-random nature. LICAT then tries to connect to each of these addresses to download and run further malware, the researchers add.
Meanwhile, the Trend Micro investigator who first detected the LICAT-Zeus association in October 2010 observes that some of the domains LICAT generates appear to be unregistered or dormant while others are active, which complicates both spotting the malicious program and stopping it from doing further harm.
The researchers state that the one basic difference between the code of the original and new variants is their XOR key: the original variant used 0xD6D7A4BE, while the new variant uses 0xDEADC2DE.
The malware analysts explained that the DGA (domain generation algorithm) of the earlier LICAT version used the same XOR key twice: once for the location of its configuration, and again when downloading updated or new variants. Softpedia.com published this on December 3, 2010.
But the analysts note that the latest LICAT version uses different keys, neither of which is the original version's value.
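To show why a changed XOR key doubles the defenders' workload, here is an added illustration (not LICAT's real DGA and not code from Trend Micro): a constructed, hypothetical DGA that mixes a date seed with a 32-bit XOR key, run with the two keys the article reports, so that a blocklist built from the original key's domains is checked against the new key's output.

```python
import hashlib

# Constructed illustration only: this is NOT LICAT's real DGA. It shows why a
# changed XOR key hands defenders a second, disjoint set of domains to track.
OLD_KEY = 0xD6D7A4BE   # key reported for the original variant
NEW_KEY = 0xDEADC2DE   # key reported for the new variant
TLDS = (".com", ".net", ".org", ".info", ".biz")  # hypothetical TLD rotation


def generate_domains(seed_date, xor_key, count=800):
    """Derive `count` pseudo-random domains from a YYYYMMDD seed mixed with a 32-bit XOR key."""
    seed = int(seed_date) ^ xor_key
    domains = []
    for i in range(count):
        digest = hashlib.md5(f"{seed}:{i}".encode()).hexdigest()
        domains.append(digest[:12] + TLDS[i % len(TLDS)])
    return domains


def blocklist_coverage(blocklist, candidates):
    """Fraction of candidate domains that an existing blocklist would catch."""
    hits = sum(1 for d in candidates if d in blocklist)
    return hits / len(candidates)


def compare_variants(seed_date):
    """Return (old-key domains, new-key domains, share of new domains the old blocklist catches)."""
    old = set(generate_domains(seed_date, OLD_KEY))
    new = set(generate_domains(seed_date, NEW_KEY))
    return old, new, blocklist_coverage(old, new)


if __name__ == "__main__":
    old, new, coverage = compare_variants("20101203")
    print(f"old-key domains: {len(old)}, new-key domains: {len(new)}")
    print(f"old blocklist catches {coverage:.0%} of new-variant domains")
    print(f"domains to track in total: {len(old | new)}")
```

The same seed date yields 800 domains per key, and none of the old-key domains appear in the new-key set, which is exactly the doubling the article describes.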
In conclusion, Trend Micro anticipates that additional LICAT samples with different XOR keys are likely to emerge in the future. The company reports that it detects the latest version as PE_LICAT.B-O and the patched files as PE_LICAT.B; both display the same behavior as PE_LICAT.A, although their domain generation behavior differs.
SPAMfighter News - 17-12-2010