Oct 7, 2010 15:34 GMT

Security researchers from Trend Micro warn of a new file infector, which uses an update technique similar to the Conficker worm and is able to download additional malware.

Dubbed PE_LICAT.A, the malware is a traditional virus, in the sense that it spreads by appending malicious code to legitimate files found on the infected system.

In LICAT's case, the targeted file types are EXE, DLL and HTML. The Trend Micro researchers explain that every time one of the infected files is executed, the rogue code generates a unique URL and attempts to contact it.

If the connection fails, it repeats the whole procedure 800 times, with the domain name generation algorithm making use of the system's current UTC date and time.

This technique allows LICAT's creators to know what URLs the infected computers will access on a certain date, so they can register the domains in advance.

However, if the connection is successful, the virus downloads a payload located at that address and executes it.

This routine allows it to receive updates, but also to function as a malware distribution platform in the way that trojan downloaders do.
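One way to spot the retry loop described above from the network side, as an added example that is not from Trend Micro or the original article: a host working through generated names produces a burst of failed lookups for many different domains, unlike a host retrying one broken name. It assumes that unregistered domains resolve to NXDOMAIN and that the resolver log is time-ordered in the constructed four-field format shown; the function name, window and threshold are illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample resolver log: "<UTC timestamp> <client> <queried name> <rcode>"
SAMPLE_LOG = """\
2010-10-07T15:30:00 10.0.0.5 www.example.com NOERROR
2010-10-07T15:30:01 10.0.0.9 qkzvhtrwpl.example NXDOMAIN
2010-10-07T15:30:03 10.0.0.9 mxbdyeoqan.example NXDOMAIN
2010-10-07T15:30:04 10.0.0.7 printer.corp.example NXDOMAIN
2010-10-07T15:30:05 10.0.0.9 tjrwulcfzs.example NXDOMAIN
2010-10-07T15:30:06 10.0.0.7 printer.corp.example NXDOMAIN
2010-10-07T15:30:07 10.0.0.9 hgpnvaekid.example NXDOMAIN
2010-10-07T15:30:08 10.0.0.5 wwww.example.org NXDOMAIN
2010-10-07T15:30:09 10.0.0.9 zoyqbmxstc.example NXDOMAIN
2010-10-07T15:30:10 10.0.0.7 printer.corp.example NXDOMAIN
2010-10-07T15:30:12 10.0.0.9 wfeldjurkn.example NXDOMAIN
"""

def flag_dga_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {client: peak number of distinct NXDOMAIN names seen inside one
    sliding window} for every client that reaches the threshold."""
    recent = defaultdict(deque)  # client -> (time, name) of failures still in the window
    peaks = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "NXDOMAIN":
            continue  # malformed line or successful lookup
        ts = datetime.fromisoformat(parts[0])
        client, name = parts[1], parts[2].lower().rstrip(".")
        q = recent[client]
        q.append((ts, name))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        # Count distinct names so repeated retries of one name do not add up
        distinct = len({n for _, n in q})
        if distinct >= threshold:
            peaks[client] = max(peaks.get(client, 0), distinct)
    return peaks

if __name__ == "__main__":
    print(flag_dga_bursts(SAMPLE_LOG))
```

In the sample, 10.0.0.7 fails three times on the same name and 10.0.0.5 mistypes one address, so only 10.0.0.9 is reported.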

"Based on PE_LICAT.A's code, the downloaded files are first validated before executed, which is the same technique WORM_DOWNAD (Conficker) employed," Jasper Manuel, threat response engineer at Trend, warns.

According to Rik Ferguson, solutions architect with the company, the PE_LICAT.A infections are widespread both geographically and numerically.

So far, North America seems to be the most affected region, with Europe, Middle East and Africa second, and Asia Pacific third.

The most prevalent family of file infectors at the moment is called Sality and some of its variants have the bad habit of corrupting files beyond repair.

Sality constantly appears at the top of malware statistics, not because of the number of unique infected computers, as with Conficker, but because a single infected system can contain hundreds of affected files.