
Win32.Led.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Led.A@mm is also known as W32/Fagled@MM (McAfee).

Explanation:

The virus usually arrives as an executable attached to an e-mail in one of the following formats:

Subject: Abuse from account
Body:

or
Subject: urgent!! you sent me a virus
Body:
Hi, I just received a email from you containing the W32/resudaB virus.
It looks like your computer is infected with this dangerious virus, so iattached a cleaner to this e-mail to clean your computer from the virus...

or
Subject: urgent!! you sent me a virus
Body:
Hi, I just received a email from you containing the highly destructive W32/ToagDipust (or: W32/LlehmorfTaog.C, W32/LOAeSui.A, W32/String.!erehemittaergagnivahmi, W32/BadTrans, W32/LED, W32/Matrix, W32/AOL, W32/CockRoach, W32/Dunno.k) virus.
It looks like your computer is infected with this dangerious virus, so i attached a cleaner to this e-mail to clean your computer from the virus...
or
Subject: Yo momma
Body:
hey wassup?, check out this awwwesommmeee Yo momma joke generator, really funny, check it out!!
Followed by one of the lines:

- Yo'momma so fat it say on her driver's license Picture continued on back!
- Yo'momma so fat she can use Mt. Everest for a dildo!
- Yo'momma so fat the highway patrol made her wear Caution! Wide Turn. !
- Yo'momma so fat she has her own area code!
- Yo'momma so fat she's got more Chins than a Hong Kong phone book!
- Yo' momma so fat she shaves her legs with a lawn mower!
- Yo'momma so fat when a cop saw her he told her Hey you two break it up!
- Yo'momma so fat when she sweats everyone around her wears raincoats!
- Yo'momma so fat she wears two watches because she's in two time zones!
- Yo'momma so fat her nickname is 'DAMN'
LOL!

or
Subject: You have been caught on account
Body: You have been caught by the FBI for your account abuse, your local police office will contact you soon.
or
Subject: Why sex feels so good?
Body: ;)
or
Subject: LOL!
Body:
or
Subject: check out my ePhoto Album
Body:
or
Subject: this is how you remind me, WHAT I REALLY AM, I'm NOT LIKE YOU, SO SORRY!
Body:

The e-mails are sent to the contacts in the Outlook Address Book.
Each time it is executed, the virus also sends an e-mail like this:

To: webmaster@islam.com
or
To: masterXY@hotmail.com
Subject: (_|_)

Body: Christianzzz rule
where XY is a 2-digit number.
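The lure subjects and the beacon message above are the mail-side indicators of this worm. The following mail-gateway triage function is an added example and is not part of the BitDefender description: it parses one RFC 822 message, matches its subject against the lure subjects listed above, matches the beacon by its fixed subject and recipient pattern (webmaster@islam.com or masterXY@hotmail.com with XY two digits), and flags any .exe attachment. The sample messages are constructed here; the sender and recipient addresses, the attachment name cleaner.exe and its bytes are assumptions, and so is flagging every .exe attachment, since the description does not give the attachment's file name.

```python
import email
import re
from email import policy

# Subject lines of the lure messages listed in the description.
LURE_SUBJECTS = {
    "Abuse from account",
    "urgent!! you sent me a virus",
    "Yo momma",
    "You have been caught on account",
    "Why sex feels so good?",
    "LOL!",
    "check out my ePhoto Album",
    "this is how you remind me, WHAT I REALLY AM, I'm NOT LIKE YOU, SO SORRY!",
}
# The message sent on every execution: fixed subject, one of two recipient patterns.
BEACON_SUBJECT = "(_|_)"
BEACON_RECIPIENT = re.compile(
    r"^(webmaster@islam\.com|master\d{2}@hotmail\.com)$", re.IGNORECASE
)


def classify(raw_message):
    """Return the list of Led.A indicators matched by one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    recipient = str(msg["To"] or "").strip()
    reasons = []
    if subject in LURE_SUBJECTS:
        reasons.append("lure-subject")
    if subject == BEACON_SUBJECT and BEACON_RECIPIENT.match(recipient):
        reasons.append("beacon")
    # Assumption: the attached "cleaner" is an .exe; the description gives no file name.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(".exe"):
            reasons.append("exe-attachment")
            break
    return reasons


# Constructed sample messages (addresses, attachment name and bytes are made up).
SAMPLE_LURE = """From: friend@example.net
To: victim@example.org
Subject: urgent!! you sent me a virus
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="led-demo"

--led-demo
Content-Type: text/plain; charset="us-ascii"

Hi, I just received a email from you containing the W32/resudaB virus.
It looks like your computer is infected with this dangerious virus...

--led-demo
Content-Type: application/octet-stream; name="cleaner.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="cleaner.exe"

TVqQAAMAAAAEAAAA//8AAA==
--led-demo--
"""

SAMPLE_BEACON = """From: victim@example.org
To: master07@hotmail.com
Subject: (_|_)

Christianzzz rule
"""

SAMPLE_BENIGN = """From: colleague@example.org
To: victim@example.org
Subject: Minutes from Monday

See below.
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(name, classify(raw))
```

The subject match is exact on purpose: the worm uses fixed strings, so a loose substring match would only add false positives on a subject like "LOL!". The beacon check is the higher-value signal for an outbound gateway, because a message with subject "(_|_)" leaving the network to one of those two recipient patterns points at a specific infected host.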

An example of an infected e-mail is this:

[screenshot of an infected e-mail, not reproduced here]

When executed, the virus copies itself into the Windows directory under the name LED.EXE. It sets the registry value
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\W32/LED with the data "C:\windows\led.exe"
so that it is executed at every restart.

To send e-mails the virus uses Outlook.

The file C:\xirtaM.txt contains a log of all actions performed by the virus. It begins with the text:

W32/LED alias W32/Matrix --Log File--
"Today is a good day to fire your admin"

It searches drive C: for .html, .htm and .asp files; if it finds a file named default or index with one of those extensions, it overwrites that file with an infected HTML page that looks like this:

[screenshot of the infected HTML page, not reproduced here]

On IIS (Internet Information Services) servers this replaces the site's main page, and every visitor who loads it executes a script that sends invitation messages through MSN Messenger pointing back to that page. A user who downloads the executable linked from the page receives the virus body.
The virus can also drop an mIRC script that sends the link to the infected site to every person who contacts the victim.
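The host-side indicators above (the Run value, the log file header and the default/index pages on the web root) can be checked with a small script. The following is an added example, not BitDefender's or the malware author's code: it parses a .reg export of the Run key for a value whose data names led.exe, checks whether a file starts with the log header quoted above, and enumerates the default/index files with .htm, .html or .asp extensions that the virus would overwrite under a web root. The registry export, the log file and the web-root layout used below are constructed fixtures; the path C:\windows\led.exe in the sample export follows the description of the dropped copy, and the file name wwwroot and the page names in the fixture are assumptions.

```python
import os
import re
import tempfile

# Indicators from the description above.
LOG_HEADER = "W32/LED alias W32/Matrix --Log File--"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPER_NAME = "led.exe"
TARGET_STEMS = {"default", "index"}
TARGET_EXTS = {".htm", ".html", ".asp"}


def find_run_entries(reg_text):
    """Return (value_name, data) pairs under the HKLM Run key whose data names led.exe.

    reg_text is the content of a .reg export; backslashes in REG_SZ data are doubled
    in that format and are unescaped here. Only the Run key itself is inspected.
    """
    hits = []
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            data = m.group(2).replace("\\\\", "\\")
            if os.path.basename(data.replace("\\", "/")).lower() == DROPPER_NAME:
                hits.append((m.group(1), data))
    return hits


def has_led_log(path):
    """True if the file begins with the header the virus writes to its log file."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.readline().rstrip("\r\n") == LOG_HEADER
    except OSError:
        return False


def find_overwrite_targets(web_root):
    """Files the virus overwrites: default/index with an .htm/.html/.asp extension."""
    found = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if stem in TARGET_STEMS and ext in TARGET_EXTS:
                found.append(os.path.relpath(os.path.join(dirpath, name), web_root))
    return sorted(found)


def scan_host(reg_text, log_path, web_root):
    """Combine the three checks into one report."""
    return {
        "run_entries": find_run_entries(reg_text),
        "log_present": has_led_log(log_path),
        "overwrite_targets": find_overwrite_targets(web_root),
    }


# Constructed .reg export (not captured from a real infection). The RunOnce entry
# is there to show that only the Run key is matched.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"W32/LED"="C:\\windows\\led.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Installer"="C:\\windows\\led.exe"
'''


def build_fixture():
    """Create a temp directory laid out like the described infection; return (log_path, web_root)."""
    root = tempfile.mkdtemp(prefix="led_demo_")
    log_path = os.path.join(root, "xirtaM.txt")
    with open(log_path, "w", encoding="utf-8") as fh:
        fh.write(LOG_HEADER + "\n\"Today is a good day to fire your admin\"\n")
    web_root = os.path.join(root, "wwwroot")  # assumed web-root name
    os.makedirs(os.path.join(web_root, "shop"))
    for rel in ("default.asp", "index.html", "shop/index.htm", "shop/about.html", "readme.txt"):
        with open(os.path.join(web_root, rel), "w", encoding="utf-8") as fh:
            fh.write("<html></html>\n")
    return log_path, web_root


if __name__ == "__main__":
    log_path, web_root = build_fixture()
    print(scan_host(SAMPLE_REG, log_path, web_root))
```

On a live IIS host the overwrite-target list is the set of files to compare against a known-good copy or backup; the description does not reproduce the infected page's content, so the script enumerates candidates rather than matching the injected script itself.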

This virus was written in Visual Basic 6.

Last update 21 November 2011
