
System Infected: W32.Licum Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Licum activity on a compromised machine.

Additional Information

When executed, the worm creates the following mutex to ensure that it is the only copy of the threat running on the compromised computer:
gaelicum

The worm then attempts to download files from the following URLs:

[http://]utenti.lycos.it/vx9/dl.[REMOVED]
[http://]utenti.lycos.it/vx9/CBAC[REMOVED]
[http://]utenti.lycos.it/vx9/GAELIC[REMOVED]


The worm may also connect to the following network address to open a back door:
vx9.users.freebsd.at

The worm injects itself into the following process to disable Windows File Protection:
winlogon.exe

The worm then generates a random list of IP addresses and may spread by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205) through TCP port 139.

The worm infects executable files on the compromised computer.
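As an added defensive example (not part of Symantec's signature), the following Python detector applies the indicators above to connection-log lines: it flags a host that contacts the back-door or download host, or that fans out to many distinct destinations on TCP port 139 within a short window, the pattern produced by the random-IP spreading described. The log format, the fan-out threshold and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the signature text above.
BACKDOOR_HOST = "vx9.users.freebsd.at"
DOWNLOAD_HOST = "utenti.lycos.it"
SCAN_PORT = 139

# Assumed log format: "<ISO timestamp> src=<host> dst=<host> dport=<port>"
LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect(lines, fanout=10, window=timedelta(seconds=60)):
    """Return {src: set(reasons)} for hosts whose traffic matches W32.Licum behaviour."""
    hits = defaultdict(set)
    per_src = defaultdict(list)  # src -> [(ts, dst)] for connections to TCP/139
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dst in (BACKDOOR_HOST, DOWNLOAD_HOST):
            hits[src].add(f"contacted {dst}")
        if dport == SCAN_PORT:
            per_src[src].append((ts, dst))
    # Sliding window: many distinct destinations on 139 in a short time = worm-style spreading.
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {d for _, d in events[start:end + 1]}
            if len(distinct) >= fanout:
                hits[src].add(f"{len(distinct)} distinct hosts on tcp/139 within {window.seconds}s")
                break
    return dict(hits)


SAMPLE_LOG = [  # constructed sample, not real telemetry
    f"2005-01-10T12:00:{i:02d} src=10.0.0.5 dst=198.51.100.{i + 1} dport=139" for i in range(12)
] + [
    "2005-01-10T12:00:15 src=10.0.0.5 dst=vx9.users.freebsd.at dport=80",
    "2005-01-10T12:01:00 src=10.0.0.9 dst=10.0.0.20 dport=139",  # ordinary file-server traffic
    "2005-01-10T12:01:05 src=10.0.0.9 dst=10.0.0.20 dport=139",
    "not a log line",
]
```

Running `detect(SAMPLE_LOG)` reports only 10.0.0.5, once for the back-door host and once for the fan-out on port 139; the host talking repeatedly to a single file server is not flagged.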

Affected

  • All Windows platforms