MSIL.Letum.A@mm

Discovered: 08 April 2006
Updated: 08 April 2006
Also Known As: WORM_LETUM.A [Trend], MSIL/Letum.a@MM [McAfee], W32/Letum-A [Sophos]
Systems Affected: Windows

MSIL.Letum.A@mm is a mass-mailing worm that also spreads through Usenet servers.

Antivirus Protection Dates

  • Initial Rapid Release version 09 April 2006
  • Latest Rapid Release version 28 September 2010 revision 054
  • Initial Daily Certified version 09 April 2006
  • Latest Daily Certified version 28 September 2010 revision 036
  • Initial Weekly Certified release date 12 April 2006
This threat was renamed from W32.Letum.A@mm.

MSIL.Letum.A@mm is a mass-mailing worm that also spreads through NNTP servers.

When the worm is executed, it copies itself into a preexisting, randomly chosen folder, using the following file name:
Letum.exe

The worm then creates the following registry entry, so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Letum" = "C:\[PATH TO WORM]\Letum.exe"

The worm also creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Retro\"Letum" = "C:\[PATH TO WORM]\Letum.exe"

The worm gathers email addresses from .html files on the compromised computer.

The worm then sends a copy of itself to the gathered email addresses, using its own SMTP engine. The email has the following characteristics:

From: Symantec Security Response <peter_ferrie@symantec.com>

Subject:
One of the following:
Warning!
Virus Alert
Customer Support
Re:
Re:Warning
Letum
Virus Report

Body:
Dear Users

Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and disinfect your computer from the malware.

Regards
Security Response

Hiya,

I've found this tool a couple of weeks ago, and after using it i was surprised on how good it was on squashing viruses. I wonder if avers know about this? ;)

>>
Maybe not but try this, i'm sure it will help you in your fight against malware. The engine it uses isnt to bad, but the searching speed is very fast for such a small size

Attachment: test.exe
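
The message characteristics listed above can be turned into a mail-filter check. The following is an added example, not part of the original write-up or of any vendor tooling; the function names and the rule of requiring the attachment name plus one header match are assumptions, and the test message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the write-up above.
LETUM_FROM = "peter_ferrie@symantec.com"
LETUM_SUBJECTS = {"warning!", "virus alert", "customer support", "re:",
                  "re:warning", "letum", "virus report"}
LETUM_ATTACHMENT = "test.exe"

def letum_indicators(raw: bytes) -> list:
    """Return which of the write-up's mail indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = msg["From"]
    if sender and any(a.addr_spec.lower() == LETUM_FROM for a in sender.addresses):
        hits.append("from")
    if (msg["Subject"] or "").strip().lower() in LETUM_SUBJECTS:
        hits.append("subject")
    # iter_attachments() yields nothing for a plain single-part message.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").strip().lower() == LETUM_ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def is_probable_letum(raw: bytes) -> bool:
    # Assumption: a subject such as "Re:" is far too common to act on alone,
    # so require the attachment name plus at least one header indicator.
    hits = letum_indicators(raw)
    return "attachment" in hits and len(hits) >= 2

def constructed_message(sender: str, subject: str, attachment=None) -> bytes:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content("constructed body text")
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    worm_like = constructed_message(
        "Symantec Security Response <peter_ferrie@symantec.com>",
        "Virus Alert", "test.exe")
    print(letum_indicators(worm_like), is_probable_letum(worm_like))
```
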

The worm also posts a copy of itself to any Usenet servers found under the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager

If no Usenet servers were found in the above key, it will use the following server:
news.microsoft.com

The worm may display the following message:
Title: Name Entry Error
Text:
Dear Peter Ferrie

GeNeTiX is a person not a f**king genetically modified food product. \nShe's not happy you called her that!

Regards