Researchers at TrendLabs have blogged this morning about a new file infector virus known as Licat.a which appears to be be geographically and numerically widespread. Research into the malicious code is ongoing.

A file infector is malware which could be considered the most “classic” form of virus, one that seeks out other file types and injects its own code into these victim files. Whenever one of the infected files is opened this causes the malicious code to execute.

Licat seeks out .EXE, .DLL and .HTML files on infected system and modifies those files, adding its malicious routines.

When an infected file is opened, Licat will generate a series of 800 internet addresses in the format below. The pseudorandom alpha characters are generated using a randomizing function, which is computed from the current UTC system date and time.

http://{pseudorandom alpha characters}.biz/forum/
http://{pseudorandom alpha characters}.org/forum/
http://{pseudorandom alpha characters}.info/forum/
http://{pseudorandom alpha characters}.net/forum/
http://{pseudorandom alpha characters}.com/forum/.

It will then attempt to connect to each of these destinations to download and execute further components or other payloads. The last time similar behaviour to this was seen was in the infamous Conficker botnet.