W32.Licum


Aliases: Backdoor.Win32.Small.gl, Virus.Win32.Tenga.a, BackDoor-CTM, W32/Gael.worm.a, W32/Tenga-A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 13 Jul 2005
Damage: Low

Characteristics: Win32.Licum is a worm that installs itself on computers running Windows. It uses unpatched security flaws. It affects executable files and decreases system efficiency and Internet connection speed. It can also download and install other malicious parasites. It spreads by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability.

More details about W32.Licum

W32.Licum is a file-infecting worm. It may spread by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. This vulnerability is described in Microsoft Security Bulletin MS03-026. When W32.Licum is executed, it downloads the following files: dl.exe, cback.exe, and gaelicum.exe. At the time of writing, these files were not yet available. The worm checks for a connection on the vx9.users.freebsd.at domain. It may also infect files by appending its code to other executables. It then generates a random list of IP addresses and attempts to spread by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability through TCP port 139. The malicious file can be removed completely using an updated virus scanner. Updating virus definitions ensures that the threat can be removed completely from the system.
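The behaviour described above can be turned into a simple host triage check. The following is an added example, not part of the original write-up: it flags hosts that look up the named domain, create one of the three named files, or contact many distinct addresses on TCP port 139. The log format, the sample events and the fan-out threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the description above.
DROPPED_FILES = {"dl.exe", "cback.exe", "gaelicum.exe"}
CHECK_DOMAIN = "vx9.users.freebsd.at"
SCAN_PORT = "139"
FANOUT_THRESHOLD = 5  # assumption: distinct port-139 destinations per host

# Constructed sample events in a hypothetical "kind key=value" log format.
SAMPLE_LOG = r"""
conn src=10.0.0.5 dst=203.0.113.10 dport=139
conn src=10.0.0.5 dst=198.51.100.77 dport=139
conn src=10.0.0.5 dst=203.0.113.201 dport=139
conn src=10.0.0.5 dst=192.0.2.14 dport=139
conn src=10.0.0.5 dst=198.51.100.3 dport=139
conn src=10.0.0.5 dst=192.0.2.250 dport=139
dns src=10.0.0.5 query=vx9.users.freebsd.at
file host=10.0.0.5 path=C:\WINDOWS\system32\DL.EXE
conn src=10.0.0.9 dst=10.0.0.2 dport=139
conn src=10.0.0.9 dst=10.0.0.2 dport=139
dns src=10.0.0.7 query=www.example.com
"""

def triage(log_text, threshold=FANOUT_THRESHOLD):
    """Return {host: [reasons]} for hosts matching the described behaviour."""
    targets = defaultdict(set)   # host -> distinct port-139 destinations
    findings = defaultdict(set)  # host -> matched indicators
    for line in log_text.splitlines():
        kind, _, rest = line.strip().partition(" ")
        f = dict(re.findall(r"(\w+)=(\S+)", rest))
        if kind == "conn" and f.get("dport") == SCAN_PORT and "src" in f:
            targets[f["src"]].add(f.get("dst", ""))
        elif kind == "dns" and f.get("query", "").lower().rstrip(".") == CHECK_DOMAIN:
            findings[f.get("src", "?")].add("dns:" + CHECK_DOMAIN)
        elif kind == "file":
            name = re.split(r"[\\/]", f.get("path", ""))[-1].lower()
            if name in DROPPED_FILES:
                findings[f.get("host", "?")].add("file:" + name)
    # One file server contacted repeatedly is normal; many distinct targets is not.
    for host, dsts in targets.items():
        if len(dsts) >= threshold:
            findings[host].add(f"fanout:{len(dsts)}")
    return {host: sorted(reasons) for host, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG).items():
        print(host, reasons)
```

The file-name match is on the base name only, so it will also hit unrelated programs called dl.exe; treat it as a lead to corroborate with the other two signals.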

The W32.Licum program may be spread via e-mail or instant messages. Users can access the file without knowing it is malicious in nature. It may also be downloaded from peer-to-peer file sharing networks and freeware and shareware websites. Other malicious software can also download this application. The software is often compressed and encrypted. This is done to prevent detection by anti-malware programs. Once it enters the system, the application is decrypted and launched.