W32.Led@mm


Aliases: W32/Fagled@MM, Win32.Fagled
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 22 Jan 2002
Damage: Low

Characteristics: W32.Led@mm is a mass mailing worm. It replicates itself and spreads to other computers using Microsoft Messenger, Microsoft Outlook, and mIRC. The worm gets email addresses from the infected computer. It also searches for .vbs files, and, runs each file it finds after creating a list of them.

More details about W32.Led@mm

Once W32.Led is executed, it performs mass mailing. The email messages have different subjects like “LOL!”, “Yo Momma”, etc. The message under each subject varies. The email is sent to the email address master##@hotmail.com. The ## is a random number. Attachments for these email messages also vary depending on the subject. However, the typical filename of the attachment is Led.exe. The worm searches for the files Default.html and Index.html. Once it finds them, it will overwrite them with its own Default.html or Index.html and copy the file ienet.exe to that folder. The worm also attempts to propagate using MSN messenger. It does this by sending out MSN messenger chat messages that trick users to go to a website that contains the worm.

The same attempt to spread happens using mIRC. It modifies the Script.ini file sending a message that tells other mIRC users to go to a website that contains the worm. The worm adds values to the registry and modifies it to make sure it runs every Windows startup. Lastly, it executes all .vbs files that it finds on the infected computer. To remove the worm, update virus definitions. Afterwards, run a full system scan and delete files that are detected as W32.Led@mm. Remove the value that the worm added to the registry. Restart your computer and rescan the system to double check.