
Led

Classification

Category:

Malware

Aliases:

  • Led
  • Fagled
  • I-Worm.Fagled
  • W32/Fagled@MM

Summary

Fagled is an email worm that, besides the usual way of spreading via Outlook, uses a new one: spreading from its own webserver, which it opens on the infected computer. The worm is written in Visual Basic and first appeared on January 22nd, 2002.

The worm usually arrives in emails with varying subjects and bodies and a LED.EXE attachment. When a user opens the attachment, the worm is activated. Additionally, the worm sends messages to IRC channels and to the MSN Messenger contacts of the infected user with a link that points to a webpage where the worm's executable is located.

Removal

Technical Details

When the worm is run from the LED.EXE attachment, it does the following:

-*- Installs itself on the system by copying its file to the C:\Windows\ directory as LED.EXE.

-*- Modifies the Registry so that LED.EXE is started every time Windows starts.

-*- Scans the user's hard disk and fetches email addresses from .DBX, .MBX and .IDX files.

-*- Opens all .VBS files it can find on the hard disk.

-*- Deletes files from folders with the following names:

norton zonelab zonealarm tbav atguard shopio mcafee mcaffee bloodhaunt kiddie teen

-*- Opens a webserver on port 80 of the infected computer and waits for connections. The worm looks for HTM and HTML files and, if it finds DEFAULT.HTML or INDEX.HTML, replaces them with its own file containing a fake warning message; it also copies itself as IENET.EXE into the same folder. When someone connects to the webserver, the worm displays the fake warning message:

Plugin missing Your browser is missing a plugin that is required to by this webpage to view its content, you can download this plugin

The <here> string is an HTTP link to the IENET.EXE file (the worm's copy) on the infected user's hard disk. When a connecting user downloads and runs this file, their system becomes infected.

-*- Replaces the SCRIPT.INI of the mIRC client with its own, which repeatedly sends messages to users (except Ops) in any IRC channel where the infected user is present. The message looks like this:

I want you....HARD, http://

The <link> will contain a path to a webserver that the worm opens on an infected computer.

The worm does some other tricks with IRC like joining/opening its own channels, sending notices and private messages and sometimes auto-replying to them.

-*- Sends the following message to all contacts in the user's MSN Messenger:

PLEASE GO AS FAST AS POSSIBLE TO http:// , I have NO time to explain but DO IT!

The <link> will contain a path to a webserver that the worm opens on an infected computer.

-*- The worm connects to Outlook and sends itself (usually as LED.EXE) to all email addresses it located on the infected system. The infected messages contain one of the following:

Subject: urgent!! you sent me a virus
Body: Hi, I just received a email from you containing the W32/resudaB virus. It looks like your computer is infected with this dangerious virus, so i attached a cleaner to this email to clean your computer from the virus...

Subject: urgent!! you sent me a virus!
Body: Hi, I just received a email from you containing the highly destructive virus. It looks like your computer is infected with this dangerious virus, so i attached a cleaner to this email to clean your computer from the virus...

The <virusname> is randomly selected from one of the following:


This is followed by one of the following strings:


These lines are followed by the string ', LOL'.

Subject: You have been caught on account
Body: You have been caught by the FBI for your account abuse, your local police office will contact you soon.

Subject: Why sex feels so good?
Body: ;)

Subject: LOL!
Body: (empty)

Subject: check out my ePhoto Album
Body: (empty)

Subject: haha
Body: (empty)

Subject: this is how you remind me, WHAT I REALLY AM, I'm NOT LIKE YOU, SO SORRY!

-*- The worm sends itself with the following email to the 'webmaster@islam.com' and 'master**@hotmail.com' ('**' is a random number) addresses:


-*- The worm keeps a log of its activities in the file C:\xirtaM.txt. The log file has the following header:


The 'xxxxx' are the names of anti-virus vendors.
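The artefacts listed above (LED.EXE in C:\Windows, the Run-key entry, IENET.EXE beside a replaced INDEX.HTML/DEFAULT.HTML, the replaced mIRC SCRIPT.INI, the C:\xirtaM.txt log, and the known mail subjects with a LED.EXE attachment) as a host and mail triage check. This is an added example, not part of the original description; the inventory, Run-key values and SCRIPT.INI text are constructed and the function names are hypothetical.

```python
# Added example (not from the original description): flags the Fagled artefacts
# described on this page in a constructed host inventory and in mail metadata.

FAGLED_SUBJECTS = {
    "urgent!! you sent me a virus", "urgent!! you sent me a virus!",
    "you have been caught on account", "why sex feels so good?", "lol!",
    "check out my ephoto album", "haha",
}
IRC_SPAM = "I want you....HARD"   # line the replaced SCRIPT.INI repeats to the channel

def fagled_host_findings(files, run_values, script_ini=""):
    """files: full paths present on the host (constructed inventory);
    run_values: {value name: command} taken from the Run keys;
    script_ini: contents of the mIRC SCRIPT.INI, if one exists.
    Returns the indicators from this page that are present on the host."""
    found = []
    paths = {p.lower() for p in files}
    if r"c:\windows\led.exe" in paths:
        found.append("LED.EXE installed in C:\\Windows")
    if r"c:\xirtam.txt" in paths:
        found.append("activity log C:\\xirtaM.txt present")
    for name, cmd in run_values.items():
        if "led.exe" in cmd.lower():
            found.append(f"Run value '{name}' launches {cmd}")
    # IENET.EXE dropped into the same folder as a replaced INDEX.HTML / DEFAULT.HTML
    for p in paths:
        folder, _, leaf = p.rpartition("\\")
        if leaf == "ienet.exe" and (folder + "\\index.html" in paths
                                    or folder + "\\default.html" in paths):
            found.append(f"IENET.EXE beside web root page in {folder}")
    if IRC_SPAM in script_ini:
        found.append("mIRC SCRIPT.INI replaced with Fagled spam script")
    return found

def is_fagled_mail(subject, attachment_names):
    """True when a message carries LED.EXE under one of the worm's known subjects."""
    has_led = any(a.lower() == "led.exe" for a in attachment_names)
    return has_led and subject.strip().lower() in FAGLED_SUBJECTS

# constructed sample data (not taken from a real infected host)
SAMPLE_FILES = [r"C:\Windows\LED.EXE", r"C:\xirtaM.txt",
                r"C:\Inetpub\wwwroot\INDEX.HTML", r"C:\Inetpub\wwwroot\IENET.EXE"]
SAMPLE_RUN = {"led": r"C:\Windows\LED.EXE"}
SAMPLE_INI = "on 1:JOIN:#:{ msg $chan I want you....HARD, http://host/ }"  # constructed

if __name__ == "__main__":
    for finding in fagled_host_findings(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_INI):
        print("[!]", finding)
    print(is_fagled_mail("urgent!! you sent me a virus", ["LED.EXE"]))
```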
