Virus: Worm/Letum.A
Date discovered: 02/04/2006
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 32.768 Bytes
MD5 checksum: f7abbd19b9b4cf6ce7d261d6f1684a0e
VDF version: 6.34.00.127

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: MSIL.Letum.A@mm
   •  Mcafee: MSIL/Letum.a@MM
   •  Kaspersky: Email-Worm.MSIL.Letum.a
   •  TrendMicro: WORM_LETUM.A
   •  Sophos: W32/Letum-A
   •  Bitdefender: Win32.Letum.A@mm


Platform / OS:
   • Windows XP


It displays the content of created pictorial files:

Files
It copies itself to the following location:
   • %randomly chosen directory%\Letum.exe

Registry
The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Letum"="%paths to malware copies%\\Letum.exe"



The following registry key is added:

– [HKCU\Software\Retro]
   • "Letum"="%paths to malware copies%\\Letum.exe"

Email
It contains an integrated SMTP engine in order to send emails. A direct connection to the destination server is established. The characteristics are described below:


From:
The sender of the email is the following:
   • peter_ferrie@symantec.com


To:
– Email addresses found in specific files on the system.

Mailing
Search addresses:
It searches the following file for email addresses:
   • html


Avoid addresses:


MX Server:
It does not use the standard MX server.
It has the ability to contact the MX server:
   • mail.primaryhost.org.uk

Miscellaneous
It checks for an internet connection by contacting the following web site:
   • msnews.microsoft.com:119

Description inserted by Alexandru Tudor on Monday, April 10, 2006
Description updated by Andrei Ivanes on Tuesday, May 9, 2006