Tam

Threat description

Details

Category: Malware
Type: Worm

Summary

VBS/Tam is a worm similar to JS/Kak. It uses the same security vulnerability to infect the system.

Microsoft has released a patch that fixes this vulnerability. It is available at https://www.microsoft.com/security/Bulletins/ms99-032.asp.



Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details


Variant: Tam.A

If an infected message is viewed, the worm creates a file, "tam.hta", in the startup directory of the French version of Windows 9x ("C:\Windows\Menu demarrer\programmes\demarrage"). This file is executed when the system is restarted.

When "tam.hta" is executed, it deletes the file "c:\windows\out.html" if it exists. Then the worm creates a new file with the same name. This file contains the worm code.

Next, VBS/Tam.A checks whether a file "out.hta" exists in the Windows directory. If it does not, the worm copies "tam.hta" there and hides "tam.hta".

The copied "out.hta" is added to the registry, so it is executed each time the system is restarted.

The worm replaces the signature settings of Outlook Express 5.0 with its own, so every email sent will contain the worm.

On August 30th, it shows the following message four times:

  Bon Anniversaire Lac !!!           Un ami...  

Depending on how much time the user spends between the first and the last message box, the worm executes one of two different payloads.

The first one is activated if the time is greater than 10 seconds, in which case the following message box is shown:

  Ok, chante HappyBirthday tout ira bien!!!  

Otherwise, VBS/Tam.A shows the following message

  KOI??? Ca t'interresse pas? Tu n'es pas digne du monde informatique. BYE-BYE  

and shuts down Windows.
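The file artifacts described above can be checked on a mounted copy of a suspect volume. The following is an added example, not F-Secure's code: it looks for the three files named in this description and reports how far the infection has progressed. The function names, the stage labels and the accent folding (so that an accented spelling of the startup folder also matches) are assumptions, and the sample tree is constructed.

```python
import os
import tempfile
import unicodedata

# File artifacts named in the description, relative to the volume root.
ARTIFACTS = {
    "startup_dropper": "Windows/Menu demarrer/programmes/demarrage/tam.hta",
    "worm_body": "Windows/out.html",
    "persistent_copy": "Windows/out.hta",
}

def fold(name):
    """Case- and accent-insensitive key (accent folding is an assumption)."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def resolve(root, rel_path):
    """Find rel_path under root, matching each component with fold()."""
    current = root
    for part in rel_path.split("/"):
        try:
            entries = os.listdir(current)
        except OSError:
            return None
        match = next((e for e in entries if fold(e) == fold(part)), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.isfile(current) else None

def triage(root):
    """Return (artifacts found, stage) for a mounted volume root."""
    found = {}
    for name, rel in ARTIFACTS.items():
        path = resolve(root, rel)
        if path:
            found[name] = path
    if "worm_body" in found or "persistent_copy" in found:
        stage = "active"        # tam.hta has already run and written its copies
    elif "startup_dropper" in found:
        stage = "dropped"       # message was viewed; tam.hta waits for a restart
    else:
        stage = "no_artifacts"  # none of the three files is present
    return found, stage

def make_sample(files):
    """Build a constructed directory tree of empty files as sample input."""
    root = tempfile.mkdtemp()
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root
```

Call `triage()` with the root of the mounted volume. A result of "dropped" means only the startup copy exists, while "active" means "out.html" or "out.hta" has already been written to the Windows directory.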
