 

VBS/Tam.A


VBS/Tam.A is a worm written in Visual Basic Script. Its ability to spread is rather limited, because it requires the French version of the Windows operating system and a computer that has not yet been patched for the Scriptlet.Typelib vulnerability.
When these technical requirements are met, the worm is activated simply by previewing the email message or by opening it to read. For that reason it is necessary to install the patch for this vulnerability.
When activated, the worm checks whether the files c:\windows\out.html and c:\windows\out.hta exist on the disk. If they do, the worm deletes them. The worm then copies itself as the file tam.hta into the directory c:\windows\menu démarrer\programmes\démarrage. This directory is hardcoded and exists only in the French version of Windows; files placed in it are executed each time Windows starts.
The worm creates the files c:\windows\out.hta and c:\windows\out.html on the disk. It then modifies the system registry. It sets HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OutGoingCtrl to the value c:\windows\out.hta. It also modifies the key HKCU\Identities\Name of user\Software\Microsoft\Outlook Express\5.0 so that Outlook Express adds the infected file c:\windows\out.html as a signature to each email message that is sent out. In the actual key path, the real name of the Microsoft Outlook Express user appears in place of the string Name of user.
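As an added example (not ESET's code and not part of the original entry), the following Python script checks a file listing and a regedit text export for the artifacts named above. The sample listing, the identity name ExampleUser, and the names ExampleSubkey and ExampleValue are constructed placeholders; because the entry does not name the Outlook Express value the worm changes, the check flags any string value under that key that references c:\windows\out.html.

```python
import re

# Indicators taken from the description above (compared case-insensitively).
FILES = {
    r"c:\windows\out.html",
    r"c:\windows\out.hta",
    r"c:\windows\menu démarrer\programmes\démarrage\tam.hta",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
OE_KEY = re.compile(r"^hkey_current_user\\identities\\[^\\]+"
                    r"\\software\\microsoft\\outlook express\\5\.0(\\|$)")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample input: a directory listing and a regedit export.
SAMPLE_FILES = [r"C:\WINDOWS\out.hta", r"C:\WINDOWS\win.ini",
                r"C:\WINDOWS\Menu Démarrer\Programmes\Démarrage\tam.hta"]
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"OutGoingCtrl"="c:\\windows\\out.hta"

[HKEY_CURRENT_USER\Identities\ExampleUser\Software\Microsoft\Outlook Express\5.0\ExampleSubkey]
"ExampleValue"="c:\\windows\\out.html"
'''

def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a regedit export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_tam_a(file_paths, reg_text):
    """Return a list of VBS/Tam.A artifacts found in the listing and export."""
    findings = [f"file: {p}" for p in file_paths if p.lower() in FILES]
    for key, name, data in parse_reg(reg_text):
        k, d = key.lower(), data.lower()
        if k == RUN_KEY and name.lower() == "outgoingctrl" and d == r"c:\windows\out.hta":
            findings.append(f"run key: {name} -> {data}")
        elif OE_KEY.match(k) and r"c:\windows\out.html" in d:
            findings.append(f"outlook express signature: {key}\\{name}")
    return findings
```

Calling find_tam_a(SAMPLE_FILES, SAMPLE_REG) returns four findings for the constructed data: two files, the Run entry, and the Outlook Express value.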
On August 30th the worm displays the following window with the text:



After the OK button is clicked, this window is displayed 4 more times. Depending on the random number generator, one of two actions follows. In the first case, the following window with text is displayed:



In the second case the following window is displayed:


Upon clicking the OK button the computer is switched off.


