Letum
Type: Email worm
Creator: Retro
Date Discovered: 2006.04.08
Place of Origin: Wiltshire, United Kingdom
Source Language: C#
Platform: .NET
File Type(s): .exe
Infection Length: 32,768 bytes
Reported Costs:

Letum is a worm that runs on the .NET platform. It was coded in the spring of 2006 in the UK. It poses as a Symantec security tool for removing a virus named Letum, and it spreads through email and Usenet posts.

Behavior

Email

Letum arrives in an email appearing to be from Symantec Security Response. The file name is "test.exe". The subject line will be one of the following:

  • Warning!
  • Virus Alert
  • !Customer Support
  • Re:
  • Re:Warning
  • Virus Report

The message body will be the following:

Dear User,

Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and
disinfect your computer from the malware.

If you have any comments or questions about this, then please contact us.

Regards

Peter Ferrie
Senior Anti-Virus Researcher / Senior Principal Software Engineer

Newsgroup

It will have one of the following two message bodies in the newsgroup post:

Dear Users,

Due to the high increase of the Letum worm, we have upgraded it to Category B. Please use our attached removal tool to scan and
disinfect your computer from the malware.

If you have any comments or questions about this, then please contact us.

Regards
Security Response

or

Hiya,

I've found this tool a couple of weeks ago, and after using it i was surprised on
how good it was on squashing viruses. I wonder if avers know about this? ;)
Maybe not but try this, i'm sure it will help you in your fight against malware.
The engine it uses isnt to bad, but the searching speed is very fast for such a small size

Infection

When executed, Letum enumerates all folders on drive C: and drops a copy of itself in a random folder. It then adds this file as "Letum" to the local machine Run key, which causes it to run every time the system is booted. It also creates another registry key, "HKEY_LOCAL_MACHINE\Software\Retro", where it again stores its path as "Letum".

It displays a message box with the following text:

Title: Name Entry Error
Message:
Dear Peter Ferrie

GeNeTiX is a person not a f**king genetically modified food product. She's not happy you called her that!

Regards

Spreading

Letum harvests email addresses from .html files it finds on the systems it infects. It looks up SMTP servers through the Internet Account Manager and falls back to mail.primaryhost.org.uk if it is unable to find one. It also uses the Internet Account Manager to find newsgroups. If it finds none, it posts a message carrying a copy of itself to news.microsoft.com.
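
The email indicators listed in the Email section above (subject line, attachment name and message body) can be combined into a mail triage check. The following is an added example, not code from Letum or from any of the sources; the function names, the scoring rule and the sample addresses are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as listed on this page (compared case-insensitively).
SUBJECTS = {"warning!", "virus alert", "!customer support",
            "re:", "re:warning", "virus report"}
ATTACHMENT = "test.exe"
BODY_PHRASE = "due to the high increase of the letum worm"

def letum_indicators(raw: bytes) -> list:
    """Return the sorted names of the Letum indicators present in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if name.strip().lower() == ATTACHMENT:
                hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            # Collapse whitespace so line wrapping cannot split the phrase.
            text = " ".join(part.get_content().split()).lower()
            if BODY_PHRASE in text:
                hits.add("body")
    return sorted(hits)

def is_suspect(raw: bytes) -> bool:
    """Subjects such as "Re:" are common in normal mail, so require the
    attachment name plus at least one other indicator (assumed rule)."""
    hits = letum_indicators(raw)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject, body, attachment=None) -> bytes:
    """Constructed test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder, not a real executable",
                         maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m.as_bytes()
```

Matching on the subject alone would flag ordinary replies, which is why `is_suspect` requires the attachment name together with a second indicator.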

Variants

Letum has at least two variants with similar functionality.

Other Facts

In his earlier virus, Idoneus, Retro mentions genetix, an American hacker and expatriate in Finland. In that virus, part of the text displayed is "GeNeTiX is EVIL!". The two actually seem to have quite a friendly relationship, as she mentions him in a 2013 interview.

Sources

izee. Electrical Ordered Freedom #1, Interview with Retro. 2006.11

McAfee Antivirus, MSIL/Letum.a@MM. 2006.04.08

Trend Micro Antivirus, WORM_LETUM.A.

Second Part to Hell. DarK CodeZ #5, Interview with genetix. 2013.07
