W32.Licum Worm

[[AK]Hylander]

I posted this over on BBR, but thought I'd post here as well as maybe someone has some experience with this:

I'm having a small problem which just began over this past weekend. Norton is detecting W32.Licum on my PC and is popping up a window like crazy until I turn off autoprotect. I run a system scan in safe mode and it came up with 110 infections, and fixed 110. However, it is still popping up warnings.

Just a little background on my setup. I currently have 3 systems hooked up to my home lan. Im on DSL going through a router with NAT. UNIT-1 is my primary machine. It has Spybot Search and Destroy with latest updates, Norton AV 2005 with latest updates, XP Pro with service pack 2 and auto update on. I'm using Sygate Personal Firewall Pro. I did a system search for:

[»]utenti.lycos.it/[REMOVED]/dl.exe
[»]utenti.lycos.it/[REMOVED]/CBACK.EXE
[»]utenti.lycos.it/[REMOVED]/GAELICUM.EXE

per Symantec's website and it found nothing. I also used Google Desktop search and it found nothing. This system is my primary rig and has a "D" Archives drive. Weekly, the Archives drive is backed up to UNIT-2 using Genie Backup Manager Pro, which is a WinXP box (SP2 and autoupdate on) running Rhinosoft Serv-U Pro FTP server with a RAID 1 setup and has AVG Free Edition AV running along with Sygate Personal FireWall Pro. AVG is not picking up any problems on this system.

UNIT-3 is another WinXP Pro system my wife uses and I also have a VIVO card in it with my DirecTV pumped through it. It also has AVG Free Edition and Sygate Personal Firewall Pro. AVG is picking up nothing on this system as well.

Now, on UNIT-1 where Norton is telling me I have 110 infections, I could not see any unauthorized or strange applications trying to access my network or the internet. I got no warnings from Sygate PFP and doing ctrl-alt-del and looking through the processes I didn't see anything abnormal going on. When I just let the system sit and I'm not browsing, checking email, etc... I'm not seeing any abnormal access to the network other than Trillian Pro doing a periodic ping for connections.

So I guess after a long winded explanation my question is, has anyone else experienced or heard of people getting alot of false positive reads for W32.licum with Norton or can you see something I should be doing or checking that I'm missing?

Any help and advice is much appreciated.

PS - As I finished typing this I thought that I didn't turn system restore off prior to scanning, and I should probably do that and then another system scan.

Thanks,
Scott

[[AK]StitchJones]

Your in severe need of a pen and paper. You need to retire from computing.

[[AK]Hylander]

Your in severe need of a pen and paper. You need to retire from computing.

I just need to stop taking advice from people who work at Bank of America.

[[AK]StitchJones]

My bank is bigger then your bank (credit union). Your just jealous of my massive size.

[[AK]Hylander]

My bank is bigger then your bank (credit union). Your just jealous of my massive size.

I'm not jealous.. I'm quite thankful! You're poor customer service is one of our greatest marketing assets. You send many customers our way.

[[AK]StitchJones]

yeah,,,, welll.......... We have our LOGO AAAALLLLL over Yankee Stadium!

(man that was a weak comeback)

[[AK]Hylander]

Just a follow up to this, as it seems this worm has been spreading again lately according to some forums.

Anyways, I believe I'm completely "clean" now. It doesn't appear it ever spread beyond my primary PC, and although I was infected, I don't think it was ever able to do any damage, etc other than infect .exe files. Many people were complaining about not being able to log into WinXP, run any AV, use the Internet, etc. I was experiencing absolutely no problems, other than Norton detecting the infection. I think being completely patched up from MS, running Sygate Personal Firewall to keep any un-authorized outgoing throughput, Spybot S&D, and AV Software up to date helped mitigate my 'problem'.

I ended up just deleting all my Restore Points by turning it off in XP, reboot into Safe Mode and ran a cleaning tool from Grisoft (make AVG AV Software). It found the same 110 infections Norton did, and cleaned them. I then ran a Norton scan and it came up with nothing. I ran AVG Scans on both of my other PCs and it came up with nothing. Neither of those machines had any indications of being infected, but I wanted to make sure since I have scheduled backups from my primary machine's archive drive to the UNIT-2 FTP / File Server. I then let all 3 run again last night before I went to bed just to make sure and all 3 came up clean.

*fingers crossed*