Threat Encyclopedia

Win32/Fagled.A

Win32/Fagled.A is a worm written in Visual Basic. It is 110592 bytes in size. It spreads as an email attachment; the attachment's file name varies, as do the message subject and body. If the subject is one of the following:

• Why sex feels so good?
• check out my ePhoto Album
• haha
• this is how you remind me, WHAT I REALLY AM, I'm NOT LIKE YOU, SO SORRY!

the message body contains no text. If the subject is "urgent!! you sent me a virus", the message body is the following text:

Hi, I just received a email from you containing the W32/resudaB virus.
It looks like your computer is infected with this dangerious virus, so i attached a cleaner to this e-mail to clean your computer from the virus...

A second variant of the message body, used with the same subject, is the text:

Hi, I just received a email from you containing the highly destructive XXXXX virus.
It looks like your computer is infected with this dangerious virus, so i attached a cleaner to this e-mail to clean your computer from the virus...

In place of XXXXX one of the following strings appears:

• W32/ToagDipust
• W32/LlehmorfTaog.C
• W32/LOAeSui.A
• W32/String.
• W32/BadTrans
• W32/LED
• W32/Matrix
• W32/AOL
• W32/CockRoach
• W32/Dunno.k

If the message subject is "You have been caught on account XXXXX", the message body is the text:

You have been caught by the FBI for your account abuse, your local police office will contact you soon.

Here XXXXX is replaced by the name of the account. The last possible subject is "Yo momma"; in this case the message body is the following text:

hey wassup?, check out this awwwesommmeee Yo momma joke generator, really funny, check it out!!

This sentence is followed by another one, which the worm chooses from the following options:

• Yo'momma so fat it say on her driver's license Picture continued on back!
• Yo'momma so fat she can use Mt. Everest for a dildo!
• Yo'momma so fat the highway patrol made her wear Caution! Wide Turn. !
• Yo'momma so fat she has her own area code!
• Yo'momma so fat she's got more Chins than a Hong Kong phone book!
• Yo'momma so fat she shaves her legs with a lawn mower!
• Yo'momma so fat when a cop saw her he told her Hey you two break it up!
• Yo'momma so fat when she sweats everyone around her wears raincoats!
• Yo'momma so fat she wears two watches because she's in two time zones!
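The lure described above can be matched at a mail gateway from its fixed strings. The following Python script is an added example and is not part of the ESET entry: it parses a raw message, checks the subject against the subjects listed above (with the account-name subject handled as a pattern), looks for the quoted body phrases, records attachment names and extracts the virus name that the fake warning claims. Both sample messages, including the attachment name cleaner.exe, are constructed for the demonstration; the entry says only that the attachment name varies.

```python
import re
from email import message_from_string

# Subjects the entry lists for the worm's messages (exact strings from the page).
KNOWN_SUBJECTS = {
    "Why sex feels so good?",
    "check out my ePhoto Album",
    "haha",
    "this is how you remind me, WHAT I REALLY AM, I'm NOT LIKE YOU, SO SORRY!",
    "urgent!! you sent me a virus",
    "Yo momma",
}
# "You have been caught on account XXXXX" carries a variable account name.
SUBJECT_PATTERNS = (re.compile(r"^You have been caught on account \S+"),)
# Fixed phrases from the message bodies quoted in the entry.
BODY_MARKERS = (
    "I just received a email from you containing the",
    "so i attached a cleaner to this e-mail to clean your computer",
    "You have been caught by the FBI for your account abuse",
    "check out this awwwesommmeee Yo momma joke generator",
    "Yo'momma so fat",
)
# The fake "you are infected" body names a virus; capture it for reporting.
VIRUS_NAME = re.compile(r"containing the (?:highly destructive )?(W32/[\w.]+) virus")


def extract_parts(msg):
    """Return (plain-text body, [attachment file names]) for a parsed message."""
    body, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body.append(part.get_payload(decode=True).decode(charset, "replace"))
    return "\n".join(body), attachments


def analyse(raw):
    """Score one raw RFC 822 message against the lure described in the entry."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "").strip()
    body, attachments = extract_parts(msg)
    subject_hit = subject in KNOWN_SUBJECTS or any(p.match(subject) for p in SUBJECT_PATTERNS)
    body_hits = [m for m in BODY_MARKERS if m in body]
    named = VIRUS_NAME.search(body)
    # The entry says the body is empty for the first group of subjects, so an
    # empty body is consistent with the lure rather than evidence against it.
    body_ok = bool(body_hits) or not body.strip()
    return {
        "subject_hit": subject_hit,
        "body_hits": body_hits,
        "claimed_virus": named.group(1) if named else None,
        "attachments": attachments,
        "verdict": bool(subject_hit and body_ok and attachments),
    }


# Constructed sample: the "cleaner" lure with a harmless stand-in attachment
# (the base64 below decodes to the text "not a real binary").
SAMPLE_MESSAGE = """\
From: someone@example.invalid
To: you@example.invalid
Subject: urgent!! you sent me a virus
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi, I just received a email from you containing the W32/BadTrans virus.
It looks like your computer is infected with this dangerious virus, so i attached a cleaner to this e-mail to clean your computer from the virus...
--b1
Content-Type: application/octet-stream; name="cleaner.exe"
Content-Disposition: attachment; filename="cleaner.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""

# Constructed benign message that happens to use one of the listed subjects.
CLEAN_MESSAGE = """\
From: colleague@example.invalid
To: you@example.invalid
Subject: haha
Content-Type: text/plain

Remember that typo in the report? Fixed it.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_MESSAGE, CLEAN_MESSAGE):
        print(analyse(raw))
```

Because "haha" and "Yo momma" are plausible everyday subjects, the verdict requires a listed subject, a matching body (or, as the entry describes for the first group of subjects, an empty one) and an attachment together; a subject match on its own only sets subject_hit.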

When the worm runs, it sends copies of itself to the addresses found in the mail client's address book and finally sends an email to an account at hotmail.com. The subject of this message is (_|_) and its body contains the text Christianzzz rule. The worm then searches the disks for files named Default.html and Index.html and overwrites them with HTML code that displays the text:

Your browser is missing a plugin that is quired to by this webpage to view its content, you can download this plugin here.

At the same time the worm offers for download the file ienet.exe, which it creates in that directory.

In addition to spreading by email, the worm also spreads by means of the IRC client mIRC. If it finds the file Script.ini, it modifies it so that every user of the same channel is sent a notice pointing to web pages from which a copy of the worm can be downloaded. The worm can send a similar notice by means of MSN Messenger as well.

The local copy of the worm resides in C:\windows\led.exe. To ensure that it is run at startup, the worm creates the value "W32/LED"="C:\\windows\\led.exe" under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. In the root directory of drive C the worm creates the log file Xirtam.txt, in which it records its activities. The contents of the log file look roughly as follows:

W32/LED alias W32/Matrix --Log File--
"Today is a good day to fire your admin"

[The only AV vendor that receives respect is Sophos, fuck XXXXXX and XXXXXXX commercial fags.]

Greetz to the coders of nimdA, Code Red, BadTrans and Magistr.
Preparing arrays and starting winsock.
Helping kiddie: C:\!UDICKY\HTML\ESET.VBS
Helping kiddie: C:\WINDOWS\SAMPLES\WSH\CHART.VBS
Helping kiddie: C:\WINDOWS\SAMPLES\WSH\EXCEL.VBS
Helping kiddie: C:\WINDOWS\SAMPLES\WSH\NETWORK.VBS
Helping kiddie: C:\WINDOWS\SAMPLES\WSH\REGISTRY.VBS
Helping kiddie: C:\WINDOWS\SAMPLES\WSH\SHORTCUT.VBS
Helping kiddie: C:\WINDOWS\SAMPLES\WSH\SHOWVAR.VBS
Spreading to MSN Messenger (if installed).
The Delivery finished, Connecting to Microsoft to decode channel...

W32/LED alias W32/Matrix --Log File--
"Today is a good day to fire your admin"

[The only AV vendor that receives respect is Sophos, fuck XXXXXX and XXXXXX commercial fags.]

Greetz to the coders of nimdA, Code Red, BadTrans and Magistr.
Preparing arrays and starting winsock.
Spreading to MSN Messenger (if installed).
Spreading to MSN Messenger (if installed).
The Delivery finished, Connecting to Microsoft to decode channel...
Spreading to MSN Messenger (if installed).
ft to decode channel...
The Delivery finished, Connecting to Microsoft to decode channel...
Spreading to MSN Messenger (if installed).
The Delivery finished, Connecting to Microsoft to decode channel...

The worm body contains many text strings, for example:

next lines may make history books eheheh , W32/LED-' One small step for a 17 year old, 1 giant fuckin' chaos for the Internet over and out

At the end of its activity the worm runs every Visual Basic Script file it is able to find.
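The persistence and file-system artifacts described above (the Run value, led.exe, Xirtam.txt and the overwritten Default.html / Index.html pages) are what a responder would check for on a host. The following Python script is an added example, not ESET's code: the checks operate on a snapshot of Run values, file paths and file contents so that they run offline, with a constructed infected-host sample; collect_run_values reads the live Run key only on Windows. The "Helping kiddie" lines of the log are assumed here to list the .vbs files the worm runs, since the entry's log shows only .VBS paths there; the benign Run entry ctfmon.exe in the sample is constructed.

```python
import re
import sys
from dataclasses import dataclass, field

# Host artifacts named in the entry above.
RUN_VALUE_NAME = "W32/LED"
LED_EXE = r"C:\windows\led.exe"
LOG_FILE = r"C:\Xirtam.txt"
LOG_BANNER = "W32/LED alias W32/Matrix --Log File--"
DEFACEMENT_TEXT = "Your browser is missing a plugin that is quired to by this webpage"
DEFACED_NAMES = ("default.html", "index.html")


@dataclass
class HostSnapshot:
    """Offline view of one host. On a live machine the fields would be filled
    from the registry and file system; here they are supplied directly."""
    run_values: dict                              # Run key: value name -> data
    paths: set                                    # file paths present on disk
    contents: dict = field(default_factory=dict)  # path -> text of files of interest


def check_run_values(run_values):
    """Flag the autorun entry by its value name or by its led.exe target
    (a renamed value pointing at the same file is still caught)."""
    return [f"Run value {name!r} -> {data!r}" for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME.lower()
            or str(data).strip('"').lower().endswith(r"\led.exe")]


def check_dropped_files(paths):
    """Report which of the worm's dropped files exist (case-insensitive)."""
    present = {p.lower() for p in paths}
    return [p for p in (LED_EXE, LOG_FILE) if p.lower() in present]


def parse_xirtam_log(text):
    """Summarise the worm's log: its banner, the paths on "Helping kiddie" lines
    (assumed to be the .vbs scripts the worm runs) and the spreading rounds."""
    scripts = re.findall(r"^Helping kiddie:\s*(.+?)\s*$", text, re.M)
    return {
        "banner": LOG_BANNER in text,
        "scripts_run": scripts,
        "msn_attempts": text.count("Spreading to MSN Messenger"),
        "delivery_rounds": text.count("The Delivery finished"),
    }


def check_defaced_pages(contents):
    """Find Default.html / Index.html files carrying the worm's plugin lure."""
    return [p for p, body in contents.items()
            if p.replace("/", "\\").lower().rsplit("\\", 1)[-1] in DEFACED_NAMES
            and DEFACEMENT_TEXT in body]


def triage(snap):
    """Collect all findings for one snapshot as human-readable strings."""
    findings = check_run_values(snap.run_values)
    findings += [f"dropped file present: {p}" for p in check_dropped_files(snap.paths)]
    findings += [f"defaced page: {p}" for p in check_defaced_pages(snap.contents)]
    log = snap.contents.get(LOG_FILE)
    if log is not None and (info := parse_xirtam_log(log))["banner"]:
        findings.append(f"{LOG_FILE} carries the worm banner: "
                        f"{len(info['scripts_run'])} scripts run, "
                        f"{info['msn_attempts']} MSN spreading attempts")
    return findings


def collect_run_values():
    """Read the HKLM Run key on a live Windows host; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                return values
            values[name] = data
            index += 1


# Constructed sample of an infected host (not real captured data).
SAMPLE_LOG = r"""W32/LED alias W32/Matrix --Log File--
"Today is a good day to fire your admin"
Preparing arrays and starting winsock.
Helping kiddie: C:\WINDOWS\SAMPLES\WSH\CHART.VBS
Helping kiddie: C:\WINDOWS\SAMPLES\WSH\EXCEL.VBS
Spreading to MSN Messenger (if installed).
The Delivery finished, Connecting to Microsoft to decode channel...
"""
SAMPLE_SNAPSHOT = HostSnapshot(
    run_values={"W32/LED": LED_EXE, "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    paths={LED_EXE, LOG_FILE, r"C:\Inetpub\wwwroot\Default.html", r"C:\site\index.html"},
    contents={
        LOG_FILE: SAMPLE_LOG,
        r"C:\Inetpub\wwwroot\Default.html": f"<html><body>{DEFACEMENT_TEXT} ...</body></html>",
        r"C:\site\index.html": "<html><body>Welcome</body></html>",
    },
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT):
        print(finding)
```

On a Windows host the same checks can be fed live data: run_values from collect_run_values(), paths from os.path.exists on the two dropped-file paths, and contents from reading Xirtam.txt and any Default.html / Index.html found by a directory walk.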

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.