F-Secure Virus Descriptions : Led
Fagled is an e-mail worm that, besides the usual method of spreading
through Outlook, uses a new one: spreading from its own web server,
which it opens on the infected computer. The worm is written in
Visual Basic and first appeared on January 22nd, 2002.
The worm usually arrives in e-mails with varying subjects and bodies
and an LED.EXE attachment. The worm is activated when the user opens
the attachment. Additionally, the worm sends messages to IRC channels
and to the MSN Messenger contacts of the infected user containing a
link that points to a web page from which the worm's executable is
served.
When the worm is run from the LED.EXE attachment, it does the
following:
-*- Installs itself on the system by copying its file to the C:\Windows\
directory under the name LED.EXE.
-*- Modifies the Registry so that LED.EXE is started every time Windows
starts.
-*- Scans the user's hard disk and harvests e-mail addresses from .DBX,
.MBX and .IDX files.
-*- Opens all .VBS files it can find on the hard disk.
-*- Deletes files from folders with the following names:
norton
zonelab
zonealarm
tbav
atguard
shopio
mcafee
mcaffee
bloodhaunt
kiddie
teen
-*- Opens a web server on port 80 of the infected computer and waits
for connections. The worm looks for HTM and HTML files and, if it
finds DEFAULT.HTML or INDEX.HTML, replaces them with its own file
containing a fake warning message; it also copies itself as IENET.EXE
into the same folder. When someone connects to the web server, the
worm displays the fake warning message:
Plugin missing
Your browser is missing a plugin that is required to by this webpage
to view its content, you can download this plugin <here>
The <here> string is an HTTP link to the IENET.EXE file (the worm's
copy) on the infected user's hard disk. When a connected user downloads
and runs this file, their system becomes infected.
-*- Replaces the SCRIPT.INI of the mIRC client with its own, which
repeatedly sends messages to users (except ops) in any IRC channel the
infected user is present in. The message looks like this:
I want you....HARD, http://<link>
The <link> is the address of the web server that the worm opens on the
infected computer.
The worm performs some other tricks with IRC, such as joining or
opening its own channels, sending notices and private messages, and
sometimes auto-replying to them.
-*- Sends the following message to all of the user's MSN Messenger
contacts:
PLEASE GO AS FAST AS POSSIBLE TO http://<link>
, I have NO time to explain but DO IT!
The <link> is the address of the web server that the worm opens on the
infected computer.
-*- The worm connects to Outlook and sends itself (usually as LED.EXE)
to all e-mail addresses it located on the infected system. The
infected messages contain one of the following:
Subject: urgent!! you sent me a virus
Body: Hi, I just received a email from you containing the W32/resudaB virus.
It looks like your computer is infected with this dangerious virus,
so i attached a cleaner to this e-mail to clean your computer from
the virus...
Subject: urgent!! you sent me a virus!
Body: Hi, I just received a email from you containing the highly destructive
<virusname> virus. It looks like your computer is infected with this
dangerious virus, so i attached a cleaner to this e-mail to clean your
computer from the virus...
The <virusname> is randomly selected from the following:
W32/ToagDipust
W32/LlehmorfTaog.C
W32/LOAeSui.A
W32/String.!erehemittaergagnivahmi
W32/BadTrans
W32/LED
W32/Matrix
W32/AOL
W32/CockRoach
W32/Dunno.k
Subject: Yo momma
Body: hey wassup?, check out this awwwesommmeee Yo momma joke
generator, really funny, check it out!!
This is followed by one of the following strings:
Yo'momma so fat it say on her driver's license Picture continued on back!
Yo'momma so fat she can use Mt. Everest for a d*ldo!
Yo'momma so fat the highway patrol made her wear Caution! Wide Turn. !
Yo'momma so fat she has her own area code!
Yo'momma so fat she's got more Chins than a Hong Kong phone book!
Yo'momma so fat when a cop saw her he told her Hey you two break it up!
Yo'momma so fat when she sweats everyone around her wears raincoats!
Yo'momma so fat she wears two watches because she's in two time zones!
Yo'momma so fat she shaves her legs with a lawn mower!
Yomomma so fat her nickname is 'DAMN' !
These lines are followed by the string ', LOL'.
Subject: You have been caught on account <user's account name>
Body: You have been caught by the FBI for your account abuse, your
local police office will contact you soon.
Subject: Why sex feels so good?
Body: ;)
Subject: LOL!
Body: <empty>
Subject: check out my ePhoto Album
Body: <empty>
Subject: haha
Body: <empty>
Subject: this is how you remind me, WHAT I REALLY AM,
I'm NOT LIKE YOU, SO SORRY!
-*- The worm sends itself with the following e-mail to the addresses
'webmaster@islam.com' and 'master**@hotmail.com' ('**' is a random
number):
Subject: (_|_)
Body: Christianzzz rule
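The lure messages listed above are simple to match at the mail gateway. The following is an added example (not F-Secure's code and not part of the original description) that triages messages against the subjects, attachment names and body fragments this description gives. The message dict shape, the sample messages and the helper names `triage_message` and `is_led_lure` are constructed for the example.

```python
import re

# Fixed subjects listed in the description (compared case-insensitively).
LED_SUBJECTS = {
    "urgent!! you sent me a virus",
    "urgent!! you sent me a virus!",
    "yo momma",
    "why sex feels so good?",
    "lol!",
    "check out my ephoto album",
    "haha",
    "(_|_)",
}
# Subjects with a variable tail (account name, cut-off lyric).
LED_SUBJECT_PREFIXES = (
    "you have been caught on account ",
    "this is how you remind me",
)
# Names the worm uses for its own copy (mail attachment and dropped web copy).
LED_ATTACHMENTS = {"led.exe", "ienet.exe"}
# Body text shared by the two "you sent me a virus" lures.
CLEANER_BODY_RE = re.compile(r"attached a cleaner to this e-?mail", re.IGNORECASE)
# Fake virus names the worm picks from, plus the fixed W32/resudaB one.
FAKE_VIRUS_RE = re.compile(
    r"\bW32/(resudaB|ToagDipust|LlehmorfTaog\.C|LOAeSui\.A|String\.\S+|BadTrans"
    r"|LED|Matrix|AOL|CockRoach|Dunno\.k)",
    re.IGNORECASE,
)


def triage_message(msg):
    """Return the list of indicators one message matches.

    `msg` is a dict with "subject", "body" and "attachments" (a list of
    file names); this shape is an assumption of the example, not a mail API.
    """
    hits = []
    subject = msg.get("subject", "").strip().lower()
    if subject in LED_SUBJECTS or subject.startswith(LED_SUBJECT_PREFIXES):
        hits.append("subject")
    if any(name.lower() in LED_ATTACHMENTS for name in msg.get("attachments", [])):
        hits.append("attachment")
    body = msg.get("body", "")
    if CLEANER_BODY_RE.search(body):
        hits.append("cleaner_lure")
    if FAKE_VIRUS_RE.search(body):
        hits.append("fake_virus_name")
    return hits


def is_led_lure(msg):
    """Decide whether to quarantine a message.

    The worm always carries its copy as an attachment, so that name alone is
    decisive. Several of the subjects ("haha", "LOL!") occur in ordinary
    mail, so a subject match only counts together with a body indicator.
    """
    hits = triage_message(msg)
    return "attachment" in hits or ("subject" in hits and len(hits) >= 2)


# Constructed sample messages for the example, not captured mail.
SAMPLE_MESSAGES = [
    {"subject": "urgent!! you sent me a virus",
     "body": ("Hi, I just received a email from you containing the W32/resudaB "
              "virus. It looks like your computer is infected with this dangerious "
              "virus, so i attached a cleaner to this e-mail to clean your computer "
              "from the virus..."),
     "attachments": ["LED.EXE"]},
    {"subject": "haha", "body": "", "attachments": ["led.exe"]},
    {"subject": "haha", "body": "remember that meeting?", "attachments": []},
    {"subject": "Re: invoice", "body": "see attached", "attachments": ["invoice.pdf"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(is_led_lure(msg), triage_message(msg), repr(msg["subject"]))
```

The attachment name is the strong signal; the subject and body lists only add confidence and would need refreshing if a variant changed its lures.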
-*- The worm keeps a log of its activities in the file C:\xirtaM.txt.
The log file has the following header:
W32/LED alias W32/Matrix --Log File--
Today is a good day to fire your admin
[The only AV vendor that receives respect is xxxxx, f*ck xxxxx and xxxxx
commercial fags.]
Greetz to the coders of nimdA, Code Red, BadTrans and Magistr.
The 'xxxxx' stand for the names of anti-virus vendors.
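The web server, mIRC and log behaviour described above leaves recognisable traces on disk. The following is an added example (not F-Secure's code and not part of the original description) that walks a directory tree and reports the file-based indicators this description gives: the C:\xirtaM.txt log header, an INDEX.HTML or DEFAULT.HTML carrying the "Plugin missing" text, an IENET.EXE copy beside it, a mIRC SCRIPT.INI containing the spam line, and any LED.EXE. The sample tree, the script layout around the spam line, the link address and the function names are constructed for the example.

```python
import os
import tempfile

# Strings taken from the description. File names are matched
# case-insensitively because FAT and NTFS are case-preserving only.
LOG_HEADER = "W32/LED alias W32/Matrix --Log File--"
FAKE_PAGE_MARKER = "Plugin missing"
IRC_SPAM_MARKER = "I want you....HARD, http://"
WEB_PAGES = {"index.html", "default.html"}
CONTENT_CHECKED = WEB_PAGES | {"xirtam.txt", "script.ini"}


def _head(path, size=4096):
    """Read the first `size` bytes of a file as text, or None if unreadable."""
    try:
        with open(path, "r", encoding="latin-1", errors="replace") as fh:
            return fh.read(size)
    except OSError:
        return None


def scan_tree(root):
    """Walk `root` and return a sorted list of (indicator, path) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            # Name-only indicators: a name alone is a weak signal, so hash the
            # file before acting on it.
            if low == "led.exe":
                findings.append(("worm_binary", path))
                continue
            if low == "ienet.exe":
                findings.append(("dropped_copy", path))
                continue
            if low not in CONTENT_CHECKED:
                continue
            head = _head(path)
            if head is None:
                continue
            if low == "xirtam.txt" and head.startswith(LOG_HEADER):
                findings.append(("worm_log", path))
            elif low == "script.ini" and IRC_SPAM_MARKER in head:
                findings.append(("mirc_script", path))
            elif low in WEB_PAGES and FAKE_PAGE_MARKER in head:
                findings.append(("fake_plugin_page", path))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed infected-looking layout (sample data, not a capture)."""
    os.makedirs(os.path.join(base, "WINDOWS"))
    os.makedirs(os.path.join(base, "mirc"))
    os.makedirs(os.path.join(base, "www"))
    with open(os.path.join(base, "xirtaM.txt"), "w") as fh:
        fh.write(LOG_HEADER + "\nToday is a good day to fire your admin\n")
    with open(os.path.join(base, "WINDOWS", "LED.EXE"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not the worm
    with open(os.path.join(base, "mirc", "script.ini"), "w") as fh:
        # Only the message text comes from the description; the surrounding
        # script layout and the address are invented for the sample.
        fh.write("[script]\n"
                 "n0=on 1:TEXT:*:#:{ msg $chan I want you....HARD, "
                 "http://10.0.0.5/IENET.EXE }\n")
    with open(os.path.join(base, "www", "index.html"), "w") as fh:
        fh.write("<html><b>Plugin missing</b><br>Your browser is missing a plugin "
                 "... you can download this plugin <a href=\"IENET.EXE\">here</a>"
                 "</html>")
    with open(os.path.join(base, "www", "IENET.EXE"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not the worm
    with open(os.path.join(base, "www", "about.html"), "w") as fh:
        fh.write("<html>clean page</html>")


def scan_sample():
    """Build the sample tree in a temp dir and return root-relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(kind, os.path.relpath(p, tmp).replace(os.sep, "/"))
                for kind, p in scan_tree(tmp)]


if __name__ == "__main__":
    for kind, path in scan_sample():
        print(f"{kind:18} {path}")
```

On a real machine the scan would be pointed at the drive root; a hit on the log header or the spam line is a strong indicator, while the two name-only hits should be confirmed by hashing before anything is deleted.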
To get rid of the worm it is enough to delete its file from the
Windows folder. If the file is locked by Windows, it is recommended
to delete it from pure DOS (on a Windows 9x system) or to rename it
with a different name and extension and restart the system
immediately (on an NT-based system). The Registry entry that starts
LED.EXE will then point to a missing file and can be removed as well.
Any replaced DEFAULT.HTML or INDEX.HTML pages, the IENET.EXE copies
beside them and the replaced mIRC SCRIPT.INI should be restored from
clean copies.
F-Secure Anti-Virus detects the Fagled worm with the updates
published on January 23rd, 2002.
[Analysis: Alexey Podrezov; F-Secure Corp.; January 24th, 2002]