Classification

Category :

Malware

Type :

Worm

Aliases :

Tam, Out, I-Worm.Kakworm.d

Summary

VBS/Tam is a worm similar to JS/Kak. It uses the same security vulnerability to infect the system.

Microsoft has released a patch that fixes this vulnerability. It is available at https://www.microsoft.com/security/Bulletins/ms99-032.asp .

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:Tam.A

If an infected message is viewed, the worm creates a file, "tam.hta", to the startup directory of French version of Windows 9x ("C:\Windows\Menu demarrer\programmes\demarrage"). This file is executed when the system is restarted.

When the "tam.hta" is executed, it deletes file "c:\windows\out.html" if it exists. Then the worm creates a new file using the same file name. This file contains the worm code.

Next VBS/Tam.A checks if a file "out.hta" exists in the Windows directory, and if not, it copies the "tam.hta" there and hides "tam.hta".

The copied "out.hta" will be added to the registry, so it will be executed in each time when the system is restarted.

The worm replaces the signature settings of Outlook Express 5.0 with its own, so every email sent will contain the worm.

At August 30th, the it shows the following message four times:

Bon Anniversaire Lac !!!

 Un ami...

Depending on time user spends between the first and the last message box, the worm executes two different payloads.

The first one is activated if time is greater than 10 seconds, when the following message box is shown:

Ok, chante HappyBirthday tout ira bien!!!

Otherwise, VBS/Tam.A shows the following message

KOI??? Ca t'interresse pas? Tu n'es pas digne du monde informatique. BYE-BYE

and shuts down Windows.