Led

Summary

Fagled is an e-mail worm that beside a normal way of spreading from Outlook uses a new one - spreading from its own webserver that it opens on an infected computer. The worm is written in Visual Basic and first appeared on January 22nd, 2002.

The worm usually comes in e-mails with different subject and bodies and LED.EXE attachment. When a user clicks an attachment, the worm is activated. Additionally, the worm sends messages to IRC channels and MSN Messenger contacts of an infected user with a link that points to a webpage where the worm's executable is located.

Disinfection & Removal

To get rid of the worm it's enough to delete its file from Windows folder. If a file is locked by WIndows, it is recommended to delete it from pure DOS (in case of Windows 9x system) or rename with a different name and extension with immediate system restart (in case of NT-based system).

Technical Details

When the worm is run from LED.EXE attachment the worm does the following:

-*- Installs itself to system by copying its file to C:\Windows\ directory with LED.EXE name.

-*- Modifies Registry to start LED.EXE file every time Windows starts.

-*- Scans user's hard disk. Fetches e-mail addresses from .DBX, .MBX, .IDX files.

-*- Opens all .VBS files it can find on a hard disk.

-*- Deletes files from folders with the following names:

	norton
	zonelab
	zonealarm
	tbav
	atguard
	shopio
	mcafee
	mcaffee
	bloodhaunt
	kiddie
	teen

-*- Opens a webserver on port 80 of an infected computer and waits for connections. The worm looks for HTM and HTML files and if finds DEFAULT.HTML or INDEX.HTML, it replaces them with their own file that contains a fake warning message and also copies itself as IENET.EXE into the same folder. When someone connects to a webserver, the worm displays a fake warning message:

	Plugin missing
	Your browser is missing a plugin that is required to by this webpage
	to view its content, you can download this plugin <here>

The <here> string points to http link to IENET.EXE file (which is the worm's copy) on a user's hard disk. When a connected user downloads and runs this file, his system becomes infected.

-*- Replaces SCRIPT.INI of Mirc client with its own one that will repeatedly send messages to users (except Ops) in an IRC channel where an infected user is present. The message will be like that:

	I want you....HARD, http://<link>

The <link> will contain a path to a webserver that the worm opens on an infected computer.

The worm does some other tricks with IRC like joining/opening its own channels, sending notices and private messages and sometimes auto-replying to them.

-*- Sends the following messages to all contacts of user's MSN messenger:

	PLEASE GO AS FAST AS POSSIBLE TO http://<link>
	 , I have NO time to explain but DO IT!

The <link> will contain a path to a webserver that the worm opens on an infected computer.

-*- The worm connects to Outlook and sends itself (usually as LED.EXE) to all e-mail addresses it located on an infected system. The infected messages can contain one of the following:

	Subject:	urgent!! you sent me a virus
	Body:	Hi, I just received a email from you containing the W32/resudaB virus.
    It looks like your computer is infected with this dangerious virus,
    so i attached a cleaner to this e-mail to clean your computer from
    the virus...
	Subject:	urgent!! you sent me a virus!
        Body:   Hi, I just received a email from you containing the highly destructive
    <virusname> virus. It looks like your computer is infected with this
    dangerious virus, so i attached a cleaner to this e-mail to clean your
    computer from the virus...

The <virusname> is randomly selected from one of the following:

	W32/ToagDipust
	W32/LlehmorfTaog.C
	W32/LOAeSui.A
	W32/String.!erehemittaergagnivahmi
	W32/BadTrans
	W32/LED
	W32/Matrix
	W32/AOL
	W32/CockRoach
	W32/Dunno.k
	Subject:	Yo momma
        Body:   hey wassup?, check out this awwwesommmeee Yo momma joke
    generator, really funny, check it out!!

Then goes one of the following strings:

	Yo'momma so fat it say on her driver's license Picture continued on back!
	Yo'momma so fat she can use Mt. Everest for a d*ldo!
	Yo'momma so fat the highway patrol made her wear Caution! Wide Turn. !
	Yo'momma so fat she has her own area code!
	Yo'momma so fat she's got more Chins than a Hong Kong phone book!
	Yo'momma so fat when a cop saw her he told her Hey you two break it up!
	Yo'momma so fat when she sweats everyone around her wears raincoats!
	Yo'momma so fat she wears two watches because she's in two time zones!
	Yo'momma so fat she shaves her legs with a lawn mower!
	Yomomma so fat her nickname is 'DAMN' !

These lines are followed by ', LOL' string.

	Subject:	You have been caught on account <user's account name>
        Body:   You have been caught by the FBI for your account abuse, your
    local police office will contact you soon.
	Subject:	Why sex feels so good?
	Body:	;)
	Subject:	LOL!
	Body:	<empty>
	Subject:	check out my ePhoto Album
	Body:	<empty>
	Subject:	haha
	Body:	<empty>
        Subject:        this is how you remind me, WHAT I REALLY AM,
I'm NOT LIKE YOU, SO SORRY!

-*- The worm sends itself with the following e-mail to 'webmaster@islam.com' and to 'master**@hotmail.com' ('**' is a random number) e-mail addresses:

	Subject:	(_|_)
	Body:	Christianzzz rule

-*- The worm keeps a log of its activities in C:\xirtaM.txt file. The log file has the following header:

	W32/LED alias W32/Matrix --Log File--
	Today is a good day to fire your admin
        [The only AV vendor that receives respect is xxxxx, f*ck xxxxx and xxxxx
        commercial fags.]
	Greetz to the coders of nimdA, Code Red, BadTrans and Magistr.

The 'xxxxx' are the names of anti-virus vendors.

Detection

F-Secure Anti-Virus detects Fagled worm with the updates published on 23rd of January 2002.

Technical Details: Alexey Podrezov; F-Secure Corp.; January 24th, 2002