Virus: Worm/Tutiam.A
Date discovered: 24/07/2006
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 143.360 Bytes
MD5 checksum: 9f2b1ee9a59f56a91a0Ca7b25458e589
VDF version: 6.35.00.180
IVDF version: 6.35.00.220

General Methods of propagation:
   • Email
   • Local network


Aliases:
   •  Symantec: W32.Miti@mm
   •  Kaspersky: IRC-Worm.Win32.Tutiam.a
   •  TrendMicro: WORM_TUTIAM.A
   •  VirusBuster: Worm.Tutiam.A
   •  Bitdefender: Dropped:Win32.Worm.Tamiami.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops a malicious file
   • Registry modification


Right after execution the following information is displayed:


Files:
It copies itself to the following locations:
   • %WINDIR%\strangler.exe
   • %WINDIR%\Tamiami.wrd
   • %WINDIR%\tamweb\Pictures.exe



It creates the following directories:
   • %WINDIR%\tammail
   • %WINDIR%\tamweb



It adds a copy of itself to existing archives:
– To: %drive%:\*.zip, under one of the following file names:
   • SourceCode.exe
   • Addons_ENG.exe
   • Pictures.exe
   • Licence.exe
   • ReadMe.exe
   • Install.exe
   • Quellcode.exe
   • Addons.exe
   • Bilder.exe
   • Lizenz.exe
   • LiesMich.exe
   • Installation.exe
   • (%executed file%)




The following files are created:
   • %WINDIR%\tamver.sys
   • %WINDIR%\Tamiami.vbs
   • %WINDIR%\tamweb\index.htm – Detected as: Worm/Tamiami.A
   • %WINDIR%\Tamiami.mrc

Registry:
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Tamiami"="%WINDIR%\strangler.exe"



The following registry key is added:

– [HKCU\Identities\%system-dependent%\Software\Microsoft\
   Outlook Express\5.0\Mail]
   • "Warn on Mapi Send"=dword:00000000



The following registry keys are changed:

Deactivate Windows Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   New value:
   • "Start"=dword:00000004

IRC:
To deliver system information and to provide remote control it connects to the following IRC servers:

Server: irc.quake**********
Port: 6667
Server password: %eight-digit random character string%
Channel: #tamiami
Nickname: %eight-digit random character string%
Password: strangler

Server: quakenet.under**********
Port: 6667
Server password: %eight-digit random character string%
Channel: #tamiami
Nickname: %eight-digit random character string%
Password: strangler

Server: irc.efn**********
Port: 6667
Server password: %eight-digit random character string%
Channel: #tamiami
Nickname: %eight-digit random character string%
Password: strangler

Server: icr.under**********
Port: 6667
Server password: %eight-digit random character string%
Channel: #tamiami
Nickname: %eight-digit random character string%
Password: strangler

Server: eu.under**********
Port: 6667
Server password: %eight-digit random character string%
Channel: #tamiami
Nickname: %eight-digit random character string%
Password: strangler

Server: us.under**********
Port: 6667
Server password: %eight-digit random character string%
Channel: #tamiami
Nickname: %eight-digit random character string%
Password: strangler

Server: port80c.se.quake**********
Port: 6667
Server password: %eight-digit random character string%
Channel: #tamiami
Nickname: %eight-digit random character string%
Password: strangler


Furthermore it has the ability to perform actions such as:
   • Connect to an IRC server
   • Disconnect from an IRC server
   • Join an IRC channel
   • Start the spreading routine

Miscellaneous:
Checks for an internet connection by contacting the following web site:
   • http://update.microsoft.com


Mutex:
It creates the following Mutex:
   • Worm.Tamiami v1.3.2 by DiA/RRLF

File details:
Programming language: The malware program was written in MS Visual C++.

Description inserted by Monica Ghitun on Monday, July 24, 2006
Description updated by Andrei Ivanes on Monday, November 27, 2006
