Tamiami
Type: Multi-vector worm
Creator: DiA
Date Discovered: 2006.07.24
Place of Origin: Germany
Source Language: C
Platform: MS Windows
File Type(s): .exe
Infection Length: 143,360 bytes

Tamiami, also known as Tutiam or Miti, is an email worm coded by DiA. It spreads by email and IRC, and it infects .zip and .rar archives. It also accepts commands from, and provides information to, its creator over IRC.

Behavior

When executed, Tamiami drops several files in the Windows folder, including Tamiami.wrd, strangler.exe, tamver.sys, Tamiami.vbs and Tamiami.mrc. It also creates the folders "tammail" and "tamweb" there. In tamweb, it drops the files Pictures.exe, Bilder.exe and index.htm. It adds strangler.exe to a local machine Run key so that the worm starts whenever the computer does.


The worm searches the system for .zip and .rar archives, which it infects with a copy of itself. The name given to the copy depends on whether the user is running a German or English version of Windows. The English names are Addons_ENG, Install, Licence, Pictures, ReadMe and SourceCode. The German names are Addons, Bilder, Installation, LiesMich, Lizenz and Quellcode.
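
The archive indicators above can be turned into a triage check for .zip files. This is an added example, not part of the original page or of any vendor's tooling; it assumes the archived copy carries an .exe extension and that its uncompressed size equals the infection length given on this page, and it does not cover .rar because Python's standard library has no RAR reader.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Base names this page lists for worm copies placed in archives.
WORM_NAMES = {
    "addons_eng", "install", "licence", "pictures", "readme", "sourcecode",  # English
    "addons", "bilder", "installation", "liesmich", "lizenz", "quellcode",   # German
}
WORM_SIZE = 143_360  # "Infection Length" from this page, in bytes


def suspicious_entries(archive):
    """Return (entry name, confidence) for .zip members matching the page's indicators.

    Assumption: the archived copy has an .exe extension. "high" means the
    uncompressed size also equals WORM_SIZE; "low" means a name match only.
    """
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # Some Windows archivers store backslashes; normalise before splitting.
            path = PurePosixPath(info.filename.replace("\\", "/"))
            if info.is_dir() or path.suffix.lower() != ".exe":
                continue
            if path.stem.lower() in WORM_NAMES:
                level = "high" if info.file_size == WORM_SIZE else "low"
                hits.append((info.filename, level))
    return hits


def _constructed_sample():
    """Build an in-memory .zip of harmless zero bytes (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes/ReadMe.txt", b"ordinary text file")  # wrong extension
        zf.writestr("LiesMich.exe", b"\0" * WORM_SIZE)          # name and size match
        zf.writestr("tools/Install.exe", b"\0" * 2048)          # name matches, size does not
        zf.writestr("setup.exe", b"\0" * WORM_SIZE)             # size only: not reported
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, level in suspicious_entries(_constructed_sample()):
        print(f"{level:4}  {name}")
```

A "low" hit is common for legitimate installers named Install.exe, so treat it as a prompt to hash or scan the member rather than as a verdict.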

Tamiami checks for an internet connection by contacting http://update.microsoft.com. It connects to the #tamiami channel of several IRC servers to deliver information and accept commands.

The worm uses MAPI to spread through email. It will create an email with a subject and body in English or German with close to 50 possible subject lines and message bodies. The attachment will either be an executable copy of the worm or a link to it.

Name

Antivirus Aliases

  • Bitdefender: Dropped:Win32.Worm.Tamiami.A
  • Kaspersky: IRC-Worm.Win32.Tutiam.a
  • Symantec: W32.Miti@mm
  • TrendMicro: WORM_TUTIAM.A
  • VirusBuster: Worm.Tutiam.A

