| Property | Value |
|---|---|
| Place of Origin | Wiltshire, United Kingdom |
| Infection Length | 32,768 bytes |

Letum is a worm that runs on the .NET platform. It was coded in the spring of 2006 in the UK. It poses as a Symantec security tool that removes a virus named Letum. It spreads through email or Usenet posts.
Letum arrives in an email appearing to be from Symantec Security Response. The file name is "test.exe". The subject line will be one of the following:
- Virus Alert
- !Customer Support
- Virus Report
The message body will be the following:
> Dear User,
>
> Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and disinfect your computer from the malware. If you have any comments or questions about this, then please contact us.
>
> Regards
> Peter Ferrie
> Senior Anti-Virus Researcher / Senior Principal Software Engineer
In a newsgroup post, the message body will be one of the following two:
> Dear Users,
>
> Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and disinfect your computer from the malware. If you have any comments or questions about this, then please contact us.
>
> Regards
> Security Response

> Hiya,
>
> I've found this tool a couple of weeks ago, and after using it i was surprised on how good it was on squashing viruses. I wonder if avers know about this? ;) Maybe not but try this, i'm sure it will help you in your fight against malware. The engine it uses isnt to bad, but the searching speed is very fast for such a small size
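
A mail or news gateway can match the lure traits listed above. The following Python check is an added example, not code from the original page; the function names and the sample message are constructed for illustration, and it assumes newsgroup posts carry the same "test.exe" file name as the email.

```python
import email
from email import policy
from email.message import EmailMessage

# Traits taken from the description above, compared case-insensitively.
SUBJECTS = {"virus alert", "!customer support", "virus report"}
ATTACHMENT = "test.exe"
BODY_PHRASES = ("letum worm", "attached removal tool", "squashing viruses")

def letum_lure_indicators(raw: bytes) -> list[str]:
    """Return which lure traits appear in a raw mail message or news article."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-word subjects for us.
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject")
    # walk() visits every MIME part; containers have no filename.
    names = {(part.get_filename() or "").strip().lower() for part in msg.walk()}
    if ATTACHMENT in names:
        hits.append("attachment")
    body = msg.get_body(preferencelist=("plain", "html"))
    # Collapse whitespace so phrases split across wrapped lines still match.
    text = " ".join(body.get_content().lower().split()) if body else ""
    if any(phrase in text for phrase in BODY_PHRASES):
        hits.append("body")
    return hits

def is_letum_lure(raw: bytes) -> bool:
    """Flag only when the attachment name and at least one text trait agree."""
    hits = letum_lure_indicators(raw)
    return "attachment" in hits and len(hits) >= 2

def sample_message(subject: str, filename: str) -> bytes:
    """Constructed test input; the attachment is harmless filler bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Dear User, Due to the high increase of the Letum worm, "
                  "we have upgraded it to Category B.")
    m.add_attachment(b"filler", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(letum_lure_indicators(sample_message("Virus Alert", "test.exe")))
```

Requiring the attachment name alongside a text trait keeps a genuine advisory that merely mentions the Letum worm from being flagged.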
When executed, Letum enumerates all folders on drive C: and drops a copy of itself in a random folder. It then adds this file as "Letum" to the local machine Run key, so that it runs every time the system is booted. It also creates another registry key, "HKEY_LOCAL_MACHINE\Software\Retro", where it also adds its path as "Letum".
It displays a message box with the following text:
> Title: Name Entry Error
>
> Message: Dear Peter Ferrie GeNeTiX is a person not a f**king genetically modified food product. She's not happy you called her that! Regards
Letum harvests email addresses from .html files it finds on systems it infects. It searches for SMTP servers using the Internet Account Manager and uses mail.primaryhost.org.uk if it is unable to find one. It also uses Internet Account Manager to find newsgroups. If it finds none, it posts a message with itself to news.microsoft.com.
Letum has at least two variants with similar functionality.
In his earlier virus, Idoneus, Retro mentions genetix, an American hacker and expatriate in Finland. In that virus, a part of the text displayed is "GeNeTiX is EVIL!". The two actually seem to have a quite friendly relationship, as she mentions him in a 2013 interview.
izee. Electrical Ordered Freedom #1, Interview with Retro. 2006.11
McAfee Antivirus, MSIL/Letum.a@MM. 2006.04.08
Trend Micro Antivirus, WORM_LETUM.A.
Second Part to Hell. DarK CodeZ #5, Interview with genetix. 2013.07