MSIL.Letum.A@mm

Discovered: April 08, 2006
Updated: April 08, 2006 4:30:21 PM
Also Known As: WORM_LETUM.A [Trend], MSIL/Letum.a@MM [McAfee], W32/Letum-A [Sophos]
Systems Affected: Windows

MSIL.Letum.A@mm is a mass-mailing worm that also spreads through Usenet servers.

Antivirus Protection Dates

  • Initial Rapid Release version April 09, 2006
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version April 09, 2006
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date April 12, 2006

This threat was renamed from W32.Letum.A@mm.

MSIL.Letum.A@mm is a mass-mailing worm that also spreads through NNTP servers.

When the worm is executed, it copies itself into a preexisting, randomly chosen folder under the following name:
Letum.exe

The worm then creates the following registry entry, so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Letum" = "C:\[PATH TO WORM]\Letum.exe"

The worm also creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Retro\"Letum" = "C:\[PATH TO WORM]\Letum.exe"

The worm gathers email addresses from .html files on the compromised computer.

The worm then sends a copy of itself to the gathered email addresses, using its own SMTP engine. The email has the following characteristics:

From: Symantec Security Response <peter_ferrie@symantec.com>

Subject:
One of the following:
Warning!
Virus Alert
Customer Support
Re:
Re:Warning
Letum
Virus Report

Body:
Dear Users

Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and disinfect your computer from the malware.

Regards
Security Response

Hiya,

I've found this tool a couple of weeks ago, and after using it i was surprised on how good it was on squashing viruses. I wonder if avers know about this? ;)

>>
Maybe not but try this, i'm sure it will help you in your fight against malware. The engine it uses isnt to bad, but the searching speed is very fast for such a small size

Attachment: test.exe
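
The mail traits listed above can be checked at a mail gateway or against a stored mailbox. The following is an added example, not part of the original write-up or any vendor tool: the function names, the sample messages and the "attachment plus one header trait" threshold are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the write-up above.
LETUM_FROM = "peter_ferrie@symantec.com"
LETUM_SUBJECTS = {"warning!", "virus alert", "customer support", "re:",
                  "re:warning", "letum", "virus report"}
LETUM_ATTACHMENT = "test.exe"

def letum_indicators(raw_message: bytes) -> list:
    """Return the names of the Letum mail traits that the message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # policy.default parses address headers, so display names are ignored.
    from_hdr = msg["From"]
    addrs = [a.addr_spec.lower() for a in from_hdr.addresses] if from_hdr else []
    if LETUM_FROM in addrs:
        hits.append("from")
    subject = (msg["Subject"] or "").strip().lower()
    if subject in LETUM_SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name == LETUM_ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def looks_like_letum(raw_message: bytes) -> bool:
    # Subjects such as "Re:" are common in legitimate mail, so require the
    # attachment name plus at least one header trait (assumed threshold).
    hits = letum_indicators(raw_message)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject: str, sender: str, filename: str) -> bytes:
    """Construct a test message; the attachment bytes are inert filler."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content("constructed sample body")
    m.add_attachment(b"constructed-sample-not-malware", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample("Virus Alert",
                          "Symantec Security Response <peter_ferrie@symantec.com>",
                          "test.exe")
    print(letum_indicators(sample), looks_like_letum(sample))
```

The sender address is forged by the worm, so a match on it says nothing about the real origin of the message.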

The worm also posts a copy of itself to any Usenet servers found under the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager

If no Usenet servers are found under the above key, the worm uses the following server:
news.microsoft.com

The worm may display the following message:
Title: Name Entry Error
Text:
Dear Peter Ferrie

GeNeTiX is a person not a f**king genetically modified food product. \nShe's not happy you called her that!

Regards