Classification

Category: Malware

Type: -

Aliases: Led, Fagled, I-Worm.Fagled, W32/Fagled@MM

Summary


Fagled is an email worm that beside a normal way of spreading from Outlook uses a new one - spreading from its own webserver that it opens on an infected computer. The worm is written in Visual Basic and first appeared on January 22nd, 2002.

The worm usually comes in emails with different subject and bodies and LED.EXE attachment. When a user clicks an attachment, the worm is activated. Additionally, the worm sends messages to IRC channels and MSN Messenger contacts of an infected user with a link that points to a webpage where the worm's executable is located.

Removal


To get rid of the worm it's enough to delete its file from Windows folder. If a file is locked by WIndows, it is recommended to delete it from pure DOS (in case of Windows 9x system) or rename with a different name and extension with immediate system restart (in case of NT-based system).

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


When the worm is run from LED.EXE attachment the worm does the following:

-*- Installs itself to system by copying its file to C:\Windows\ directory with LED.EXE name.

-*- Modifies Registry to start LED.EXE file every time Windows starts.

-*- Scans user's hard disk. Fetches email addresses from .DBX, .MBX, .IDX files.

-*- Opens all .VBS files it can find on a hard disk.

-*- Deletes files from folders with the following names:

	norton 	zonelab 	zonealarm 	tbav 	atguard 	shopio 	mcafee 	mcaffee 	bloodhaunt 	kiddie 	teen

-*- Opens a webserver on port 80 of an infected computer and waits for connections. The worm looks for HTM and HTML files and if finds DEFAULT.HTML or INDEX.HTML, it replaces them with their own file that contains a fake warning message and also copies itself as IENET.EXE into the same folder. When someone connects to a webserver, the worm displays a fake warning message:

	Plugin missing 	Your browser is missing a plugin that is required to by this webpage 	to view its content, you can download this plugin   

The <here> string points to http link to IENET.EXE file (which is the worm's copy) on a user's hard disk. When a connected user downloads and runs this file, his system becomes infected.

-*- Replaces SCRIPT.INI of Mirc client with its own one that will repeatedly send messages to users (except Ops) in an IRC channel where an infected user is present. The message will be like that:

	I want you....HARD, http://  

The <link> will contain a path to a webserver that the worm opens on an infected computer.

The worm does some other tricks with IRC like joining/opening its own channels, sending notices and private messages and sometimes auto-replying to them.

-*- Sends the following messages to all contacts of user's MSN messenger:

	PLEASE GO AS FAST AS POSSIBLE TO http:// 	 , I have NO time to explain but DO IT!  

The <link> will contain a path to a webserver that the worm opens on an infected computer.

-*- The worm connects to Outlook and sends itself (usually as LED.EXE) to all email addresses it located on an infected system. The infected messages can contain one of the following:

	Subject:	urgent!! you sent me a virus 	Body:	Hi, I just received a email from you containing the W32/resudaB virus.     It looks like your computer is infected with this dangerious virus,     so i attached a cleaner to this email to clean your computer from     the virus... 	Subject:	urgent!! you sent me a virus!         Body:   Hi, I just received a email from you containing the highly destructive      virus. It looks like your computer is infected with this     dangerious virus, so i attached a cleaner to this email to clean your     computer from the virus...  

The <virusname> is randomly selected from one of the following:

	Plugin missing 	Your browser is missing a plugin that is required to by this webpage 	to view its content, you can download this plugin
 

Then goes one of the following strings:

	Plugin missing 	Your browser is missing a plugin that is required to by this webpage 	to view its content, you can download this plugin
 

These lines are followed by ', LOL' string.

	Subject:	You have been caught on account          Body:   You have been caught by the FBI for your account abuse, your     local police office will contact you soon. 	Subject:	Why sex feels so good? 	Body:	;) 	Subject:	LOL! 	Body:	 	Subject:	check out my ePhoto Album 	Body:	 	Subject:	haha 	Body:	         Subject:        this is how you remind me, WHAT I REALLY AM, I'm NOT LIKE YOU, SO SORRY!  

-*- The worm sends itself with the following email to 'webmaster@islam.com' and to 'master**@hotmail.com' ('**' is a random number) email addresses:

	Plugin missing 	Your browser is missing a plugin that is required to by this webpage 	to view its content, you can download this plugin
 

-*- The worm keeps a log of its activities in C:\xirtaM.txt file. The log file has the following header:

	Plugin missing 	Your browser is missing a plugin that is required to by this webpage 	to view its content, you can download this plugin
 

The 'xxxxx' are the names of anti-virus vendors.