Virus Profile: MSIL/Letum.a@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/8/2006
Date Added: 4/8/2006
Origin: N/A
Length: 32,768 bytes
Type: Virus
Subtype: Email Worm
DAT Required: 4738

Description

This mass-mailing worm poses as a removal tool from Symantec.  It may be received in Email or via Usenet newsgroups, attached to a message posing as a virus alert sent from Symantec Security Response.

This threat requires version v2.0.50215 (or greater) of Microsoft's .NET Framework in order to run.  The majority of Windows desktop systems do not meet this requirement and therefore could not get infected by this threat at this time (April 2006).

Indication of Infection

Upon execution, the worm lists all the folders and sub-folders found in C:\, picks one randomly and drops a copy of itself in that folder using a random file name.

It creates the following registry entry to start itself automatically at Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Letum" = "C:\[Malware path and file name]"

It also adds the following registry entry as part of its installation routine:

HKEY_LOCAL_MACHINE\Software\Retro
"Letum" = "C:\[Malware path and file name]"

MSIL/Letum.a@MM displays a message box containing the following text strings:

Title: Name Entry Error
Message:
Dear [Censored]

[Censored] is a person not a f**king genetically modified food product. She's not happy you called her that!
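
A host check for the two registry entries listed above, as an added example (not McAfee's code): it parses the text of a `reg export` dump and reports a "Letum" value under either key, plus whether both point to the same file. The sample export, its paths and the function names are constructed for illustration; folding the WOW6432Node view into the native one is an assumption that goes beyond the profile.

```python
import re

# Keys and value name come from the profile's "Indication of Infection" section.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RETRO_KEY = r"hkey_local_machine\software\retro"
VALUE_NAME = "letum"
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in .reg export format (paths and file name are made up).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Letum"="C:\\Temp\\Old Drivers\\qwxz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Retro]
"Letum"="C:\\Temp\\Old Drivers\\qwxz.exe"
'''

def _unescape(s):
    # .reg files escape backslashes and quotes inside string data.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {key_lower: {value_name_lower: data}} for string (REG_SZ) values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Assumption: treat the 32-bit (WOW6432Node) view like the native one.
            name = line[1:-1].lower().replace("\\wow6432node", "")
            current = keys.setdefault(name, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                current[_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return keys

def check_letum(text):
    """Return a list of (indicator, path) tuples; empty means no match."""
    keys = parse_reg_export(text)
    run_path = keys.get(RUN_KEY, {}).get(VALUE_NAME)
    retro_path = keys.get(RETRO_KEY, {}).get(VALUE_NAME)
    found = (("run_autostart", run_path), ("retro_marker", retro_path))
    findings = [(name, path) for name, path in found if path is not None]
    if run_path and retro_path and run_path.lower() == retro_path.lower():
        findings.append(("both_point_to_same_file", run_path))
    return findings
```

Real `reg export` output is UTF-16 encoded, so decode the file before passing its text to `check_letum`.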

 

Methods of Infection

MSIL/Letum.a@MM searches for available Simple Mail Transfer Protocol (SMTP) and Usenet servers through the Internet Account Manager registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager

If no SMTP servers are found, it uses the default server: mail.primaryhost.org.uk.
If no Usenet servers are found, it uses the default server: news.microsoft.com.

It then searches for the following registry key to get information as to where its dropped copy is located:

HKEY_LOCAL_MACHINE\Software\Retro

Once it locates its dropped copy, it sends a copy of itself to email addresses that were harvested from .HTML files found on the infected system.

Aliases

Email-Worm.Win32.Letum.a (Kaspersky), MSIL.Letum.A@mm (Symantec), W32/Letum.A-mm (Fortinet), Win32.HLLW.Letum (DrWeb), Win32/Letum.A (ESET), WORM_LETUM.A (Trend)
   

Virus Characteristics

This threat attempts to spread via Email and Usenet newsgroups.  It is designed to spread in messages as follows:

From: Symantec Security Response
Subject: (any of the following)

  • Warning!
  • Virus Alert
  • !Customer Support
  • Re:
  • Re:Warning
  • Virus Report

Body:

Dear User,

Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and disinfect your computer from the malware.

If you have any comments or questions about this, then please contact us.

Regards

{REMOVED}
Senior Anti-Virus Researcher / Senior Principal Software Engineer
1995 - 2006 Symantec Corporation All rights reserved.

or

Hiya,

I've found this tool a couple of weeks ago, and after using it i was surprised on how good it was on squashing viruses. I wonder if avers know about this? ;)
Maybe not but try this, i'm sure it will help you in your fight against malware. The engine it uses isnt to bad, but the searching speed is very fast for such a small size

Attachment: test.exe

   

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

   
