Letum | |
---|---|
Type | Email worm |
Creator | Retro |
Date Discovered | 2006.04.08 |
Place of Origin | Wiltshire, United Kingdom |
Source Language | C# |
Platform | .Net |
File Type(s) | .exe |
Infection Length | 32,768 bytes |
Reported Costs |
Letum is a worm that runs on the .NET platform. It was coded in the spring of 2006 in the UK. It poses as a Symantec security tool that removes a virus named Letum. It spreads through email and Usenet posts.
Behavior
Letum arrives in an email appearing to be from Symantec Security Response. The file name is "test.exe". The subject line will be one of the following:
- Warning!
- Virus Alert
- !Customer Support
- Re:
- Re:Warning
- Virus Report
The message body will be the following:
Dear User,
Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and
disinfect your computer from the malware.
If you have any comments or questions about this, then please contact us.
Regards
Peter Ferrie
Senior Anti-Virus Researcher / Senior Principal Software Engineer
Newsgroup
It will have one of the following two message bodies in the newsgroup post:
Dear Users,
Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and
disinfect your computer from the malware.
If you have any comments or questions about this, then please contact us.
Regards
Security Response
or
Hiya,
I've found this tool a couple of weeks ago, and after using it i was surprised on
how good it was on squashing viruses. I wonder if avers know about this? ;)
Maybe not but try this, i'm sure it will help you in your fight against malware.
The engine it uses isnt to bad, but the searching speed is very fast for such a small size
Infection
When executed, Letum enumerates all folders on drive C: and drops a copy of itself in a random folder. It then adds this file as "Letum" to the local machine Run key, which causes it to run every time the system is booted. It also creates another registry key, "HKEY_LOCAL_MACHINE\Software\Retro", where it stores the same path under the value name "Letum".
It displays a message box with the following text:
Title: Name Entry Error
Message:
Dear Peter Ferrie
GeNeTiX is a person not a f**king genetically modified food product. She's not happy you called her that!
Regards
Spreading
Letum harvests email addresses from .html files it finds on systems it infects. It searches for SMTP servers using the Internet Account Manager and uses mail.primaryhost.org.uk if it is unable to find one. It also uses the Internet Account Manager to find newsgroups. If it finds none, it posts a message containing a copy of itself to news.microsoft.com.
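The email traits listed under Behavior can be checked at a mail gateway or during mailbox triage. The following is an added example, not code from the worm or from any vendor: it parses a raw message and reports which of this page's indicators it matches. The function names, the indicator labels and the example.invalid addresses are assumptions, and the sample messages are constructed with a zero-filled attachment.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicator values below are taken from this page; the labels are illustrative.
SUBJECTS = {"Warning!", "Virus Alert", "!Customer Support", "Re:", "Re:Warning", "Virus Report"}
ATTACHMENT_NAME = "test.exe"
ATTACHMENT_SIZE = 32768  # "Infection Length" in the table above
BODY_MARKER = "high increase of the letum worm"

def letum_indicators(raw: bytes) -> list[str]:
    """Return the labels of the page's indicators that this message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    if "symantec security response" in (msg["From"] or "").lower():
        hits.append("sender-display-name")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # Collapse whitespace so line wrapping in the body does not hide the phrase.
    if BODY_MARKER in " ".join(text.lower().split()):
        hits.append("body-text")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT_NAME:
            hits.append("attachment-name")
            if len(part.get_payload(decode=True) or b"") == ATTACHMENT_SIZE:
                hits.append("attachment-size")
    return hits

def build_sample(sender, subject, body, filename, size) -> bytes:
    """Constructed test message; the attachment is zero bytes, not malware."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(bytes(size), maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    lure = build_sample('"Symantec Security Response" <sender@example.invalid>',
                        "Virus Alert",
                        "Dear User,\nDue to the high increase of the Letum worm, we have\n"
                        "upgraded it to Category B.", "test.exe", 32768)
    print(letum_indicators(lure))
```

A subject such as "Re:" matches a great deal of legitimate mail, so a single hit means little; the combination of attachment name, attachment size and body text is what distinguishes the lure.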
Variants
Letum has at least two variants with similar functionality.
Other Facts
In his earlier virus, Idoneus, Retro mentions genetix, an American hacker and expatriate in Finland. In that virus, a part of the text displayed is "GeNeTiX is EVIL!". The two actually seem to have a quite friendly relationship, as she mentions him in a 2013 interview.
Sources
izee. Electrical Ordered Freedom #1, Interview with Retro. 2006.11
McAfee Antivirus, MSIL/Letum.a@MM. 2006.04.08
Trend Micro Antivirus, WORM_LETUM.A.
Second Part to Hell. DarK CodeZ #5, Interview with genetix. 2013.07