This virus (they call it a trojan - I have no idea why) was reported in 2005. Microsoft *fixed* the security hole in 2003 (according to Symantec).

As usual, this parasite has many names - W32.Licum (Symantec) W32/Gael.worm.a (McAfee) Virus.Win32.Tenga.a (kaspersky)

The infected system was running a version of Trend Micro that was supposed to find this - and to some extent, it did - but not until over 400 exe files had been modified. At that point, the "anti-virus" software started quarantining the infected files. That is totally worthless, how about protecting the system?

The "risk" for this virus is classified as low

This classification is for viruses that may not yet have been reported in the field and may not have a dangerous payload. (McAfee)

Symantec claims

     Removal: Easy 
Damage Level: Low 

Some may continue to work ... however, many don't. For instance, the system will no longer install new programs, System Restore is disabled, and the event log won't display anything even though the files exist.

You can identify infected files by searching (using AgentRansack) for the following

utenti.lycos.it

It is curious that many windows function won't work even though none of the obviously infected files are located in the windows directory. Normally, that would imply a secondary infection, but reviewing the data indicates that licum appeared on the system at the same time symptoms appeared.

Only part of a ReadProcessMemory or WriteProcessMemory request was completed. 

Here is a possible fix

1. On a clean XP SP2 machine, download the Microsoft Malicious Software Removal Tool.
2. Burn the removal tool to a CD, include a copy of C:\windows\system32\userinit.exe
3. Boot the infected machine in safe mode and run the removal tool from the CD. Let it do it's thing but...
   !!!DON'T restart the machine at the end like it asks!!!
4. Bring up the task manager and kill the 'userinit' process. Overwrite the current c:\windows\system32\userinit.exe file with the clean one on the CD.
5. Now reboot and enjoy.

Based on file dates, initially only one file on the main system was infected. Two days later, 2 more files were infected. Two day later, 430 files were infected with in about a 30 minute window.

Two days later, 2 more computers on the same network were infected.

In each case, the computer lost the ability to install new software.

I always advise people to use a router to connect to the internet ... but that was not a simple option in this case. In order to do that, one computer would have to be dedicated as the modem connection and a router would have to go on its output - thus this configuration would have become a $600 router.

And besides, he had the Microsoft firewall enabled and he was running antivirus software. (Maybe that's why they call it a trojan - the software only detects viruses.)

Several of the pages linked to above give the addresses of the exe files downloaded by this virus and indicate that those files are no longer available. I have verified that myself - the 3 exe files related to this virus are no longer at the site encoded in the infected exe's. Apparently, those files are used only when spreading the virus via a web page - obviously other methods are still being used.

Paying for professional protection will not protect you.

At least removal is easy - just erase the hard drive and start over.

URL: http:// mc-computing.com / Parasites / Licum.html