Oct 12, 2010 16:52 GMT

Security researchers have confirmed their suspicion that a recently discovered file infector, dubbed Licat, serves to make ZeuS infections more persistent.

Licat has the characteristics of a traditional virus, as it adds malicious code to all EXE, DLL and HTML files detected on an infected system.

However, the new threat also features an update mechanism based on a URL-generation algorithm that is suspiciously similar to the one used by the Conficker worm.

Malware researchers from Trend Micro are now certain that Licat is dropped on computers by a new variant of the ZeuS trojan, which is delivered via infected websites.

Every time files infected by the virus are executed, the rogue code inside them generates URLs and attempts to contact them.

This method is used by attackers to serve new variants of Zbot (ZeuS Bot), which in turn drop new versions of Licat and the cycle repeats all over again.

"Upon analysis of the dropped file TSPY_ZBOT.BYZ, it was found that this ZeuS variant is actually both the starting point and final payload of this infection chain," the Trend Micro researchers write.

"Studying TSPY_ZBOT.BYZ reveals that it decrypts and drops PE_LICAT.A-O onto an affected system. As such, it can be inferred that this was, indeed, a ZeuS-driven attack, with the file infection and URL generation technique used to prolong its lifespan," they conclude.

Therefore, even if a ZeuS infection is cleaned, the computer can be reinfected if a single file affected by Licat remains behind and is later executed.

It's not clear if Licat is the creation of the main ZeuS authors, who sell the trojan generation toolkit on the underground market.

It might be the work of one of the many ZeuS gangs or a separate group, which promotes it and leases it as a malware distribution platform.