Fagled is an email worm that beside a normal way of spreading from Outlook uses a new one - spreading from its own webserver that it opens on an infected computer. The worm is written in Visual Basic and first appeared on January 22nd, 2002.
The worm usually comes in emails with different subject and bodies and LED.EXE attachment. When a user clicks an attachment, the worm is activated. Additionally, the worm sends messages to IRC channels and MSN Messenger contacts of an infected user with a link that points to a webpage where the worm's executable is located.
To get rid of the worm it's enough to delete its file from Windows folder. If a file is locked by WIndows, it is recommended to delete it from pure DOS (in case of Windows 9x system) or rename with a different name and extension with immediate system restart (in case of NT-based system).
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
When the worm is run from LED.EXE attachment the worm does the following:
-*- Installs itself to system by copying its file to C:\Windows\ directory with LED.EXE name.
-*- Modifies Registry to start LED.EXE file every time Windows starts.
-*- Scans user's hard disk. Fetches email addresses from .DBX, .MBX, .IDX files.
-*- Opens all .VBS files it can find on a hard disk.
-*- Deletes files from folders with the following names:
norton zonelab zonealarm tbav atguard shopio mcafee mcaffee bloodhaunt kiddie teen
-*- Opens a webserver on port 80 of an infected computer and waits for connections. The worm looks for HTM and HTML files and if finds DEFAULT.HTML or INDEX.HTML, it replaces them with their own file that contains a fake warning message and also copies itself as IENET.EXE into the same folder. When someone connects to a webserver, the worm displays a fake warning message:
Plugin missing Your browser is missing a plugin that is required to by this webpage to view its content, you can download this plugin
The <here> string points to http link to IENET.EXE file (which is the worm's copy) on a user's hard disk. When a connected user downloads and runs this file, his system becomes infected.
-*- Replaces SCRIPT.INI of Mirc client with its own one that will repeatedly send messages to users (except Ops) in an IRC channel where an infected user is present. The message will be like that:
I want you....HARD, http://
The <link> will contain a path to a webserver that the worm opens on an infected computer.
The worm does some other tricks with IRC like joining/opening its own channels, sending notices and private messages and sometimes auto-replying to them.
-*- Sends the following messages to all contacts of user's MSN messenger:
PLEASE GO AS FAST AS POSSIBLE TO http:// , I have NO time to explain but DO IT!
The <link> will contain a path to a webserver that the worm opens on an infected computer.
-*- The worm connects to Outlook and sends itself (usually as LED.EXE) to all email addresses it located on an infected system. The infected messages can contain one of the following:
Subject: urgent!! you sent me a virus Body: Hi, I just received a email from you containing the W32/resudaB virus. It looks like your computer is infected with this dangerious virus, so i attached a cleaner to this email to clean your computer from the virus... Subject: urgent!! you sent me a virus! Body: Hi, I just received a email from you containing the highly destructivevirus. It looks like your computer is infected with this dangerious virus, so i attached a cleaner to this email to clean your computer from the virus...
The <virusname> is randomly selected from one of the following:
Plugin missing Your browser is missing a plugin that is required to by this webpage to view its content, you can download this plugin
Then goes one of the following strings:
Plugin missing Your browser is missing a plugin that is required to by this webpage to view its content, you can download this plugin
These lines are followed by ', LOL' string.
Subject: You have been caught on accountBody: You have been caught by the FBI for your account abuse, your local police office will contact you soon. Subject: Why sex feels so good? Body: ;) Subject: LOL! Body: Subject: check out my ePhoto Album Body: Subject: haha Body: Subject: this is how you remind me, WHAT I REALLY AM, I'm NOT LIKE YOU, SO SORRY!
-*- The worm sends itself with the following email to 'webmaster@islam.com' and to 'master**@hotmail.com' ('**' is a random number) email addresses:
Plugin missing Your browser is missing a plugin that is required to by this webpage to view its content, you can download this plugin
-*- The worm keeps a log of its activities in C:\xirtaM.txt file. The log file has the following header:
Plugin missing Your browser is missing a plugin that is required to by this webpage to view its content, you can download this plugin
The 'xxxxx' are the names of anti-virus vendors.