Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:Tam, I-Worm.Kakworm.d, Out
Type:Worm 
Size: 
Origin: 
Date:00-00-0000 
Damage:Sent by email. 
VDF Version:6.23.00.00 
Danger:Low 
Distribution:Low 

DistributionThe worm overwrites the Outlook Express 5.0 settings with its own, to send the virus with every outgoing email.

Technical DetailsWorm/KakWorm.D is related to JS/Kak. It uses the same security hole to infect the system. There is a free Microsoft Update patch available at:
http://www.microsoft.com/security/Bulletins/ms99-032.asp

When the infected email is read, the worm creates a file named "tam.hta".
The autostart entry is French and it is made in Windows 9x Start directory ("C:\Windows\Menu dmarrer\programmes\dmarrage").

If the file "c:\windows\out.html" is accessible, it is deleted after running the file "tam.hta". Then, a new file, with the name of the deleted one, is created. This contains the virus code.
The worm checks if there is a file named "out.hta" in Windows directory. If not, the file "tam.hta" is hidden there.
The copied file "out.hta" is registered for autostart.

On August 30th, the following message appears for 4 times:
"Bon Anniversaire Lac !!!
Un ami... "

The worm uses two different routines:
The first version is used when the message is open for more then 10 seconds and the following window is displayed:
"Ok, chante HappyBirthday tout ira bien!!! "

The second version will display:
"KOI??? Ca t'interresse pas? Tu n'es pas digne du monde informatique. BYE-BYE" and Windows shuts down.
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .