File led.exe in the Windows directory.
File xirtaM.txt in C:
An e-mail with the file led.exe attached.
- If you don't have BitDefender installed click here to download an evaluation version;
- Make sure that you have the latest updates using BitDefender Live!;
- Make the following changes in the Windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the following key:
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Led.A@mm.
Costin Ionescu BitDefender Virus Researcher
The virus usually arrives as an executable attached to an e-mail in one of the following formats: Subject: Abuse from account Body:
or Subject: urgent!! you sent me a virus Body: Hi, I just received a email from you containing the W32/resudaB virus.
It looks like your computer is infected with this dangerious virus, so iattached a cleaner to this e-mail to clean your computer from the virus...
or Subject: Abuse from account Body:
or Subject: urgent!! you sent me a virus Body: Hi, I just received a email from you containing the highly destructive W32/ToagDipust (or: W32/LlehmorfTaog.C, W32/LOAeSui.A, W32/String.!erehemittaergagnivahmi, W32/BadTrans, W32/LED, W32/Matrix, W32/AOL, W32/CockRoach, W32/Dunno.k) virus.
It looks like your computer is infected with this dangerious virus, so i attached a cleaner to this e-mail to clean your computer from the virus...
or Subject: Yo momma Body: hey wassup?, check out this awwwesommmeee Yo momma joke generator, really funny, check it out!!
Followed by one of the lines:
§ Yo'momma so fat it say on her driver's license Picture continued on back!
§ Yo'momma so fat she can use Mt. Everest for a dildo!
§ Yo'momma so fat the highway patrol made her wear Caution! Wide Turn. !
§ Yo'momma so fat she has her own area code!
§ Yo'momma so fat she's got more Chins than a Hong Kong phone book!
§ Yo' momma so fat she shaves her legs with a lawn mower!
§ Yo'momma so fat when a cop saw her he told her Hey you two break it up!
§ Yo'momma so fat when she sweats everyone around her wears raincoats!
§ Yo'momma so fat she wears two watches because she's in two time zones!
§ Yo'momma so fat her nickname is 'DAMN'
or Subject: You have been caught on account Body: You have been caught by the FBI for your account abuse, your local police office will contact you soon.
or Subject: Why sex feels so good? Body: ;)
or Subject: LOL! Body:
or Subject: check out my ePhoto Album Body:
or Subject: this is how you remind me, WHAT I REALLY AM, I'm NOT LIKE YOU, SO SORRY! Body:
The e-mails are sent to contacts from the Outlook Address Book.
Each time it is executed, the virus sends an e-mail like this:
Body: Christianzzz rule
where XY is a 2-digit number.
An example of an infected e-mail is this:
When executed, the virus copies itself to the Windows directory under the name LED.EXE.
It sets the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\W32/LED
with the value "C:\\windows\led.exe"
so that it is executed at every restart.
To send e-mails the virus uses Outlook.
The file C:\xirtaM.txt
contains a log of all actions done by the virus. It begins with the text:
W32/LED alias W32/Matrix --Log File--
"Today is a good day to fire your admin"
It searches drive C:\ for html, htm and asp files. If it finds a file named default or index with one of these extensions, it overwrites that file with an infected HTML page, which looks like this:
On IIS (Internet Information Services) servers this replaces the main page, and every person who visits that page will execute a script that sends invitation letters through MSN Messenger pointing to this page. If the user downloads the executable from the link here, they will download the virus body.
The virus can also drop a mIRC script that sends the link to the infected site to every person who contacts the victim.
This virus was written in Visual Basic 6.
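The file indicators described above (the LED.EXE copy in the Windows directory, the C:\xirtaM.txt log with its header, and default/index pages that may have been overwritten) can be checked on a mounted copy of the drive. The following is an added example, not BitDefender's tooling; the function names, the `windows_dir` parameter and the sample tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Indicators taken from the description; the sample tree below is constructed.
LOG_HEADER = "W32/LED alias W32/Matrix --Log File--"
WEB_STEMS = {"default", "index"}
WEB_EXTS = {".html", ".htm", ".asp"}

def triage(root, windows_dir="windows"):
    """Scan a mounted copy of drive C: (read-only) and return the findings."""
    root = Path(root)
    found = {"dropped_copy": [], "log_file": [], "web_pages_to_review": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        parts = [p.lower() for p in rel.parts]  # Windows names are case-insensitive
        if parts[-1] == "led.exe" and parts[:-1] == [windows_dir.lower()]:
            # Self-copy placed directly in the Windows directory.
            found["dropped_copy"].append(rel.as_posix())
        elif parts == ["xirtam.txt"]:
            # Activity log in the drive root; confirm it by its header text.
            head = path.read_text(errors="replace")[:256]
            found["log_file"].append((rel.as_posix(), LOG_HEADER in head))
        elif path.stem.lower() in WEB_STEMS and path.suffix.lower() in WEB_EXTS:
            # Possible overwrite target: compare with a known-good copy.
            found["web_pages_to_review"].append(rel.as_posix())
    return found

def build_sample(root):
    """Create a small constructed directory tree standing in for drive C:."""
    files = {
        "WINDOWS/LED.EXE": "placeholder, not a real binary",
        "xirtaM.txt": LOG_HEADER + "\n(constructed log body)\n",
        "Inetpub/wwwroot/Default.asp": "<html>constructed page</html>",
        "Inetpub/wwwroot/about.htm": "<html>constructed page</html>",
        "Downloads/led.exe": "same name, outside the Windows directory",
    }
    for rel, text in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)

if __name__ == "__main__":
    print(demo())
```

The Run entry named W32/LED is stored in the registry and is not covered by this file scan; pass `windows_dir="winnt"` for systems installed under that directory name.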