W32/Gael.worm.a

Type: Virus
SubType: Internet Worm
Discovery Date: 07/13/2005
Length: Varies
Minimum DAT: 4534 (07/13/2005)
Updated DAT: 4540 (07/21/2005)
Minimum Engine: 5.1.00
Description Added: 07/13/2005
Description Modified: 07/14/2005 12:08 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This detection covers a parasitic worm virus that spreads both to host executables and over accessible systems on a network. The worm also downloads and executes other files.

When run, the worm infects .EXE files on the local system, appending itself to host files. 10 threads are created to search for infectable computers on the Internet: SYN packets are sent to random IP addresses on TCP port 139 (NetBIOS). The worm then attempts to connect to responding systems via IPC$ and open shares in order to parasitically infect files remotely.

The worm also attempts to download and execute a file named dl.exe from utenti.lycos.it. At the time of this writing the site was not responding. However, the virus was known to fetch a downloader trojan, Downloader-ACX, which downloaded two other files:

  • GAELICUM.EXE - dropper of W32/Gael.worm
  • CBACK.EXE - a new remote access trojan, BackDoor-CTM

Symptoms

- Excessive NetBIOS traffic emanating from the infected system
- Presence of DL.EXE, GAELICUM.EXE, and CBACK.EXE

The virus does not create any registry keys or in any other way "install" itself to automatically start on system reboot.
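The scanning behaviour described above (many SYNs from one host to random addresses on TCP port 139) is what produces the "excessive NetBIOS traffic" symptom, and it can be picked out of ordinary firewall connection logs. The following is an added detection example, not part of this advisory or of any vendor product; the log format and the sample lines are constructed, and the fan-out threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample of firewall connection-attempt log lines (not real data).
# Assumed format: "<time> src=<ip> dst=<ip> proto=tcp dport=<port> flags=S"
SAMPLE_LOG = """\
2005-07-13T10:00:01 src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=139 flags=S
2005-07-13T10:00:01 src=10.0.0.5 dst=198.51.100.77 proto=tcp dport=139 flags=S
2005-07-13T10:00:01 src=10.0.0.5 dst=192.0.2.200 proto=tcp dport=139 flags=S
2005-07-13T10:00:02 src=10.0.0.5 dst=203.0.113.44 proto=tcp dport=139 flags=S
2005-07-13T10:00:02 src=10.0.0.5 dst=198.51.100.9 proto=tcp dport=139 flags=S
2005-07-13T10:00:02 src=10.0.0.5 dst=192.0.2.17 proto=tcp dport=139 flags=S
2005-07-13T10:00:03 src=10.0.0.8 dst=10.0.0.20 proto=tcp dport=139 flags=S
2005-07-13T10:00:03 src=10.0.0.8 dst=10.0.0.20 proto=tcp dport=445 flags=S
2005-07-13T10:00:04 src=10.0.0.9 dst=93.184.216.34 proto=tcp dport=80 flags=S
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dport=(?P<dport>\d+) flags=S"
)


def netbios_fanout(log_text, port=139):
    """Map each source host to the set of distinct destinations it sent
    TCP SYNs to on the given port (only SYN lines are counted)."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dport")) == port:
            fanout[m.group("src")].add(m.group("dst"))
    return fanout


def scanning_hosts(log_text, threshold=5, port=139):
    """Return sources whose distinct-destination count on `port` meets the
    threshold (assumed tuning value). One host talking to a single file
    server on TCP/139 is normal; fan-out to many unrelated addresses is the
    random-IP scan pattern the advisory describes."""
    fanout = netbios_fanout(log_text, port)
    return sorted(src for src, dsts in fanout.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    for host in scanning_hosts(SAMPLE_LOG):
        print(f"possible NetBIOS scanner: {host}")
```

In practice the threshold should be set from a baseline of each host's normal TCP/139 peer count, since a domain controller or backup server legitimately talks to many hosts on that port.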

Method of Infection

This virus spreads via accessible network shares and by parasitically infecting existing executable files.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Close the shares created by this threat:

  • From the desktop, double-click My Computer
  • Right-click on the C: drive and choose Sharing...
  • Click the Not Shared button (or enter in the desired settings) and click OK

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Virus.Win32.Tenga.A (AVP)
  • W32.Licum (Symantec)
