Licum Virus

This virus (they call it a trojan - I have no idea why) was reported in 2005. Microsoft *fixed* the security hole in 2003 (according to Symantec).

As usual, this parasite has many names - W32.Licum (Symantec) W32/Gael.worm.a (McAfee) Virus.Win32.Tenga.a (kaspersky)

The infected system was running a version of Trend Micro that was supposed to find this - and to some extent, it did - but not until over 400 exe files had been modified. At that point, the "anti-virus" software started quarantining the infected files. That is totally worthless, how about protecting the system?

The "risk" for this virus is classified as low

I have a laptop with the virus - so much for "not in the field" - and over 400 files destroyed - I think that qualifies as "dangerous".

Symantec claims

Damage | The Error Message | Possible Fix | Notes on the Infection | Summary

System Damage

Of over 2,000 exe files, only about 400 were infected.

Some may continue to work ... however, many don't. For instance, the system will no longer install new programs, System Restore is disabled, and the event log won't display anything even though the files exist.

You can identify infected files by searching (using AgentRansack) for the following

Any exe file containing that string is infected.

It is curious that many windows function won't work even though none of the obviously infected files are located in the windows directory. Normally, that would imply a secondary infection, but reviewing the data indicates that licum appeared on the system at the same time symptoms appeared.

The Error Message

Some (but not all) of the infected programs produced the following error message. I created this page specifically because searching for this message found nothing related to the virus - all I could find was about some dvd problem.

Possible Fix

Here is a possible fix

  1. On a clean XP SP2 machine, download the Microsoft Malicious Software Removal Tool.
  2. Burn the removal tool to a CD, include a copy of C:\windows\system32\userinit.exe
  3. Boot the infected machine in safe mode and run the removal tool from the CD. Let it do it's thing but...
  4. Bring up the task manager and kill the 'userinit' process. Overwrite the current c:\windows\system32\userinit.exe file with the clean one on the CD.
  5. Now reboot and enjoy.

Notes on the Infection

The infected system (which belongs to a friend) was connected to the internet via a telephone modem. The system is running XP service pack 2 - but was not completely up to date. The Microsoft Windows firewall was supposedly running as was TrendMicro antivirus.

Based on file dates, initially only one file on the main system was infected. Two days later, 2 more files were infected. Two day later, 430 files were infected with in about a 30 minute window.

Two days later, 2 more computers on the same network were infected.

In each case, the computer lost the ability to install new software.

I always advise people to use a router to connect to the internet ... but that was not a simple option in this case. In order to do that, one computer would have to be dedicated as the modem connection and a router would have to go on its output - thus this configuration would have become a $600 router.

And besides, he had the Microsoft firewall enabled and he was running antivirus software. (Maybe that's why they call it a trojan - the software only detects viruses.)

Several of the pages linked to above give the addresses of the exe files downloaded by this virus and indicate that those files are no longer available. I have verified that myself - the 3 exe files related to this virus are no longer at the site encoded in the infected exe's. Apparently, those files are used only when spreading the virus via a web page - obviously other methods are still being used.


This is a very nasty virus that will destroy every exe file on your hard drive and then automatically spread to other systems on your network.

Paying for professional protection will not protect you.

At least removal is easy - just erase the hard drive and start over.

Author: Robert Clemenzi
URL: http:// / Parasites / Licum.html