Tamiami | |
---|---|
Type | Multi-vector worm |
Creator | DiA |
Date Discovered | 2006.07.24 |
Place of Origin | Germany |
Source Language | C |
Platform | MS Windows |
File Type(s) | .exe |
Infection Length | 143,360 bytes |
Tamiami also known as Tutiam or Miti is an email worm coded by DiA. It spreads by email, IRC and infects .zip and .rar archives. It also accepts commands from and provides the creator over IRC.
Behavior
When executed, Tamiami drops several files in the Windows folder, including Tamiami.wrd, strangler.exe, tamver.sys, Tamiami.vbs and Tamiami.mrc. It also creates the folders "tammail" and "tamweb" here. In tamweb, it drops the files Pictures.exe, Bilder.exe and index.htm. It adds strangler.exe to a local machine run key to ensure the worm starts when the computer does.

The worm searches the system for .zip and .rar archives, which it infects with a copy of itself. Possible names for worm files are different depending on whether the user is using a German or English version of Windows. The names for English are Addons_ENG, Install, Licence, Pictures, ReadMe, and SourceCode. For German they are Addons, Bilder, Installation, LiesMich, Lizenz and Quellcode.
Tamiami checks for an internet connection by contacting http://update.microsoft.com. It connects to the #tamiami channel of several IRC servers to deliver information and accept commands.
The worm uses MAPI to spread through email. It will create an email with a subject and body in English or German with close to 50 possible subject lines and message bodies. The attachment will either be an executable copy of the worm or a link to it.
Name
Antivirus Aliases
- Bitdefender: Dropped:Win32.Worm.Tamiami.A
- Kaspersky: IRC-Worm.Win32.Tutiam.a
- Symantec: W32.Miti@mm
- TrendMicro: WORM_TUTIAM.A
- VirusBuster: Worm.Tutiam.A
Sources
Monica Ghitun, Andrei Ivanes. Avira Antivirus, Worm/Tutiam.A. 2006.07.24-11.27
McAfee Antivirus, Virus Profile: W32/Tutiam@MM.
VSAntivirus, Miti.B. Se copia en todos los archivos .ZIP y .RAR. 2006.07.28