This mass-mailing worm poses as a removal tool from Symantec. It may arrive by email or via Usenet newsgroups, attached to a message posing as a virus alert sent from Symantec Security Response.
This threat requires version v2.0.50215 (or greater) of Microsoft's .NET Framework in order to run. The majority of Windows desktop systems do not meet this requirement and therefore could not get infected by this threat at this time (April 2006).
Indication of Infection
Upon execution, the worm lists all the folders and sub-folders found in C:\, picks one randomly and drops a copy of itself in one of the folders using a random file name.
It creates the following registry entry to start itself automatically at Windows startup:
"Letum" = "C:\[Malware path and file name]"
It also adds the following registry entry as part of its installation routine:
"Letum" = "C:\[Malware path and file name]"
MSIL/Letum.a@MM displays a message box containing the following text strings:
Title: Name Entry Error
[Censored] is a person not a f**king genetically modified food product. She's not happy you called her that!
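A triage check for the two registry entries described above, as an added example that is not part of the original write-up: it scans the text of a registry export for string values named "Letum" and reports the key and the path each one points to. The sample export and its key names are constructed placeholders, since the value name and data format are given here but the key paths are not.

```python
import re

# Value name the write-up reports for both registry entries.
IOC_VALUE_NAME = "Letum"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="string data" lines as written by regedit exports (REG_SZ only).
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(text):
    # .reg exports escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", text)


def find_letum_values(reg_text):
    """Return (key, value name, data) for every string value named Letum."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name = _unescape(m.group("name"))
            # Registry value names are case-insensitive.
            if name.lower() == IOC_VALUE_NAME.lower():
                hits.append((current_key, name, _unescape(m.group("data"))))
    return hits


# Constructed sample export; key names and file paths are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\PlaceholderKeyA]
"Updater"="C:\\Program Files\\Example\\update.exe"
"Letum"="C:\\Temp\\cache\\qzxvrn.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor\PlaceholderKeyB]
"letum"="C:\\Temp\\cache\\qzxvrn.exe"
"LetumHelper"="C:\\Tools\\helper.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_letum_values(SAMPLE_EXPORT):
        print(f"{key}: {name} -> {data}")
```

Exports written by regedit are UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `find_letum_values`.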
Methods of Infection
MSIL/Letum.a@MM searches for available Simple Mail Transfer Protocol (SMTP) and Usenet servers through the Internet Account Manager registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
If no SMTP servers are found, it uses the default server: mail.primaryhost.org.uk.
If no Usenet servers are found, it uses the default server: news.microsoft.com.
It then searches for the following registry key to get information as to where its dropped copy is located:
Once it locates its dropped copy, it sends a copy of itself to email addresses that were harvested from .HTML files found on the infected system.
Email-Worm.Win32.Letum.a (Kaspersky), MSIL.Letum.A@mm (Symantec), W32/Letum.A-mm (Fortinet), Win32.HLLW.Letum (DrWeb), Win32/Letum.A (ESET), WORM_LETUM.A (Trend)