Threat Description

Led

Details

Aliases: Led, Fagled, I-Worm.Fagled, W32/Fagled@MM
Category: Malware
Type:
Platform: W32

Summary


Fagled is an e-mail worm that beside a normal way of spreading from Outlook uses a new one - spreading from its own webserver that it opens on an infected computer. The worm is written in Visual Basic and first appeared on January 22nd, 2002.

The worm usually comes in e-mails with different subject and bodies and LED.EXE attachment. When a user clicks an attachment, the worm is activated. Additionally, the worm sends messages to IRC channels and MSN Messenger contacts of an infected user with a link that points to a webpage where the worm's executable is located.



Removal


To get rid of the worm it's enough to delete its file from Windows folder. If a file is locked by WIndows, it is recommended to delete it from pure DOS (in case of Windows 9x system) or rename with a different name and extension with immediate system restart (in case of NT-based system).



Technical Details


When the worm is run from LED.EXE attachment the worm does the following:

-*- Installs itself to system by copying its file to C:\Windows\ directory with LED.EXE name.

-*- Modifies Registry to start LED.EXE file every time Windows starts.

-*- Scans user's hard disk. Fetches e-mail addresses from .DBX, .MBX, .IDX files.

-*- Opens all .VBS files it can find on a hard disk.

-*- Deletes files from folders with the following names:

	norton 	zonelab 	zonealarm 	tbav 	atguard 	shopio 	mcafee 	mcaffee 	bloodhaunt 	kiddie 	teen  

-*- Opens a webserver on port 80 of an infected computer and waits for connections. The worm looks for HTM and HTML files and if finds DEFAULT.HTML or INDEX.HTML, it replaces them with their own file that contains a fake warning message and also copies itself as IENET.EXE into the same folder. When someone connects to a webserver, the worm displays a fake warning message:

	Plugin missing 	Your browser is missing a plugin that is required to by this webpage 	to view its content, you can download this plugin   

The <here> string points to http link to IENET.EXE file (which is the worm's copy) on a user's hard disk. When a connected user downloads and runs this file, his system becomes infected.

-*- Replaces SCRIPT.INI of Mirc client with its own one that will repeatedly send messages to users (except Ops) in an IRC channel where an infected user is present. The message will be like that:

	I want you....HARD, http://  

The <link> will contain a path to a webserver that the worm opens on an infected computer.

The worm does some other tricks with IRC like joining/opening its own channels, sending notices and private messages and sometimes auto-replying to them.

-*- Sends the following messages to all contacts of user's MSN messenger:

	PLEASE GO AS FAST AS POSSIBLE TO http:// 	 , I have NO time to explain but DO IT!  

The <link> will contain a path to a webserver that the worm opens on an infected computer.

-*- The worm connects to Outlook and sends itself (usually as LED.EXE) to all e-mail addresses it located on an infected system. The infected messages can contain one of the following:

	Subject:	urgent!! you sent me a virus 	Body:	Hi, I just received a email from you containing the W32/resudaB virus.     It looks like your computer is infected with this dangerious virus,     so i attached a cleaner to this e-mail to clean your computer from     the virus... 	Subject:	urgent!! you sent me a virus!         Body:   Hi, I just received a email from you containing the highly destructive      virus. It looks like your computer is infected with this     dangerious virus, so i attached a cleaner to this e-mail to clean your     computer from the virus...  

The <virusname> is randomly selected from one of the following:

	W32/ToagDipust 	W32/LlehmorfTaog.C 	W32/LOAeSui.A 	W32/String.!erehemittaergagnivahmi 	W32/BadTrans 	W32/LED 	W32/Matrix 	W32/AOL 	W32/CockRoach 	W32/Dunno.k 	Subject:	Yo momma         Body:   hey wassup?, check out this awwwesommmeee Yo momma joke     generator, really funny, check it out!!  

Then goes one of the following strings:

	Yo'momma so fat it say on her driver's license Picture continued on back! 	Yo'momma so fat she can use Mt. Everest for a d*ldo! 	Yo'momma so fat the highway patrol made her wear Caution! Wide Turn. ! 	Yo'momma so fat she has her own area code! 	Yo'momma so fat she's got more Chins than a Hong Kong phone book! 	Yo'momma so fat when a cop saw her he told her Hey you two break it up! 	Yo'momma so fat when she sweats everyone around her wears raincoats! 	Yo'momma so fat she wears two watches because she's in two time zones! 	Yo'momma so fat she shaves her legs with a lawn mower! 	Yomomma so fat her nickname is 'DAMN' !  

These lines are followed by ', LOL' string.

	Subject:	You have been caught on account          Body:   You have been caught by the FBI for your account abuse, your     local police office will contact you soon. 	Subject:	Why sex feels so good? 	Body:	;) 	Subject:	LOL! 	Body:	 	Subject:	check out my ePhoto Album 	Body:	 	Subject:	haha 	Body:	         Subject:        this is how you remind me, WHAT I REALLY AM, I'm NOT LIKE YOU, SO SORRY!  

-*- The worm sends itself with the following e-mail to 'webmaster@islam.com' and to 'master**@hotmail.com' ('**' is a random number) e-mail addresses:

	Subject:	(_|_) 	Body:	Christianzzz rule  

-*- The worm keeps a log of its activities in C:\xirtaM.txt file. The log file has the following header:

	W32/LED alias W32/Matrix --Log File-- 	Today is a good day to fire your admin         [The only AV vendor that receives respect is xxxxx, f*ck xxxxx and xxxxx         commercial fags.] 	Greetz to the coders of nimdA, Code Red, BadTrans and Magistr.  

The 'xxxxx' are the names of anti-virus vendors.



Detection


F-Secure Anti-Virus detects Fagled worm with the updates published on 23rd of January 2002.



Technical Details:Alexey Podrezov; F-Secure Corp.; January 24th, 2002


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More