New Virus Affecting Trend Micro OfficeScan Users

Trend Micro posted a malware report in their threat blog about a new virus that is affecting users. The virus, named PE_LICAT.A by Trend Micro and known as Murofet to competing vendors, resembles Conficker in the way it downloads files from the web.

Users of Trend Micro's OfficeScan, an enterprise product, reported on 6 October in the Trend Micro forum that a virus outbreak had hit their corporate computers. They reported that PE_LICAT.A had infected almost all executable files on their file servers and workstations, including Microsoft Office applications, amounting to at least 300 files. Users initially suspected that the latest released definition was causing false positives, since no major competitor was detecting the virus, and some suggested rolling back the definition update until a bug fix was deployed. Further investigation by Trend Micro specialists, however, showed that the detection was correct.


The virus uses the Crypt APIs in Microsoft's Advanced Services dynamic link library, ADVAPI32.DLL, to generate a key from the infected computer's current time. The virus's algorithm then uses that key to generate a domain name, in the hope that when it connects to the domain at a given time and date, its creator or creators will already have hosted a malicious file there in advance. Because the key depends only on the date and time, every infected machine computes the same domains, which is what lets the author register one ahead of time. It only connects to domains with the extensions biz, info, org, net, and com.

The virus code is only 2048 bytes, which it inserts between the code section and the data section of the executable file; this type of code insertion is also known as a cavity infection. One telltale sign of infection is an application that has no need for internet access, such as an infected copy of Windows' calc.exe, connecting to the internet. The virus infects all executable files on the computer so that it has a high chance of connecting to the randomly generated URL at any given time, and it creates a separate thread for these connections, which lets the malicious code run in the background of the infected application.

It is still unknown how the customers' corporate servers were infected. Reports of infection suggest that North America is the worst hit, with Europe, the Middle East and Africa (the EMEA region) second and Asia Pacific (the APAC region) the least affected.

This virus may be connected with the 10/10/10 virus that has been rumored to strike all computers on October 10, 2010. The matching date suggests that the person or persons spreading the rumor could be the same ones who created PE_LICAT.A. If PE_LICAT.A is not thwarted and the 10/10/10 rumor really is related to it, there is a possibility that the virus will download a file from the URL opkjmmktkvvyqmm.biz/forum/ and execute it afterward.

Until the next variant arrives, users can check whether they are infected with PE_LICAT.A by downloading the Wireshark network monitoring tool. Running it on an infected computer will show TCP requests to URLs that look randomly generated. Users of infected computers are advised to update their antivirus and antispyware definitions and clean their computers. For files that go undetected, they can help by sending the suspected sample to the antivirus vendor of their choice for analysis.
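As a concrete version of the Wireshark check above, and of why the time-seeded domains described earlier look random, here is an added example that is not Trend Micro's code nor part of the original post: a Python heuristic that scores hostnames from a connection log for the vowel-poor, letters-only labels a generator produces, restricted to the five TLDs the article lists. The log format and the second host are constructed; the first host is the one quoted in the article.

```python
import math
import re
from collections import Counter
# Added heuristic, not Trend Micro's code. TLDs are the ones the article lists
# for PE_LICAT.A; log format and hosts (except the article's) are constructed.
DGA_TLDS = {"biz", "info", "org", "net", "com"}
VOWELS = set("aeiou")
FLAG_THRESHOLD = 6  # of 10 points

def entropy_bits(s):
    """Shannon entropy of the characters in s, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def longest_consonant_run(s):
    """Longest run of non-vowel letters (y counts as a consonant)."""
    return max((len(r) for r in re.findall(r"[^aeiou]+", s)), default=0)

def dga_score(hostname):
    """Score 0..10 for how machine-generated the registrable label looks; vowel
    ratio and consonant runs outweigh entropy, which short labels carry little of."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in DGA_TLDS:
        return 0
    label = labels[-2]
    if not re.fullmatch(r"[a-z]+", label):
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    score = 4 if vowel_ratio < 0.2 else 0
    score += 3 if longest_consonant_run(label) >= 5 else 0
    score += 2 if len(label) >= 12 else 0
    score += 1 if entropy_bits(label) >= 2.8 else 0
    return score

# Constructed flow summary: "date time process src -> host:port method path"
LOG_LINE = re.compile(r"^\S+ \S+ (?P<proc>\S+) \S+ -> (?P<host>[^:\s]+):\d+")

def flag_dga_connections(log_lines):
    """Return (process, host, score) for connections to DGA-looking hosts."""
    hits = []
    for m in filter(None, map(LOG_LINE.match, log_lines)):
        score = dga_score(m.group("host"))
        if score >= FLAG_THRESHOLD:
            hits.append((m.group("proc"), m.group("host"), score))
    return hits

SAMPLE_LOG = [
    "2010-10-07 09:12:01 calc.exe 10.0.0.5 -> opkjmmktkvvyqmm.biz:80 GET /forum/",
    "2010-10-07 09:12:03 svchost.exe 10.0.0.5 -> windowsupdate.microsoft.com:80 GET /",
]
```

A hit from a process such as calc.exe that has no business on the network is the combination the article describes; the score alone is a triage aid, not proof of infection.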
