TAM


To download the virus sources >>> click here (warning: it is a script >>> open it only with Notepad, do not double-click the .hta or .html >>> the file is at the same time the source and the virus).

Then follows a write-up (in English) on this virus...

Virus Name: VBS/Tam@M
Risk Assessment: Low

Virus Information

Discovery Date: 10/12/2000
Origin: France
Length:
Type: Internet Worm
SubType: VbScript
Minimum DAT: 4100
Minimum Engine: 4.0.70
DAT Release Date: 10/18/2000
Description Added: 10/13/2000

Virus Characteristics

This worm functions much the same way that JS/Kak.worm does. AVERT recommends installing the security patch from Microsoft mentioned below.

Like JS/Kak.worm, a dangerous aspect of this Internet worm is its ability to continuously re-infect the system if the preview pane is enabled and you browse between folders, specifically the "Sent" folder, which happens to contain the Internet worm within a message. This is another strong reason to install the security patch.

This worm uses VBScript and an ActiveX component, called "Scriptlet Typelib", to propagate itself through email using MS Outlook Express.

When an e-mail or newsgroup message infected by this worm is opened in a reader that supports VBScript in HTML, the worm writes the Update.hta file to the Startup folder of the local machine. This launches the code embedded in the HTA file at the next Windows startup. Microsoft has published a security update which addresses this ActiveX exploit, and users are encouraged to update their systems with this component. With this update installed, users are asked whether they wish to run the ActiveX control which "might be unsafe".

For more details on this vulnerability and to obtain a patch from Microsoft, see this link:
Microsoft Security Bulletin

For current security bulletins from Microsoft, see this link:
Current Bulletins.

On infected systems, e-mail messages written in HTML format carry the Internet worm because the worm modifies the default signature. The e-mail application Outlook is a target of this Internet worm for propagation because it supports HTML-format messages. If an e-mail message carrying the worm code is allowed to run, this file is written to the local machine:

"C:\WINDOWS\OUT.HTML"

E-mail spreading relies on a registry modification which adds a signature to MS Outlook. The signature is set to include the file "C:\WINDOWS\OUT.HTML" and is made the default signature, so that the worm is spread with all outgoing e-mail in which the signature is included.

A value is added to the registry: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OnGoingCtrl=c:\windows\out.hta"
Note - The "C:\WINDOWS\OUT.HTA" file is only created on the French version of Windows 9x.

For the French versions of Windows 9x:
- Writes a copy of itself to "c:\windows\menu démarrer\programmes\démarrage\tam.hta"
- When "TAM.HTA" is run at startup, "C:\OUT.HTA" is created.
- On August 30, a message is displayed:

Bon Anniversaire Lac !!!
      Un ami...


This box will reappear after "OK" is clicked. On the 5th click, this message appears:

KOI??? Ca t'interresse pas? 
Tu n'es pas digne du monde informatique.
BYE-BYE

Clicking OK to this message results in your computer shutting down.


Symptoms

Recipients of messages which contain VBS/Out@M may receive warning messages such as:

"Do you want to allow software such as ActiveX controls and plug-ins to run?"

Users should select "NO" to this question. Another warning dialogue box could also be displayed:

"Scripts are usually safe. Do you want to allow scripts to run?"

Users should also select "NO" to this question. Further indications of infection are the existence of the files OUT.HTA, OUT.HTML and TAM.HTA as previously mentioned, and an added or modified default signature.


Note - "C:\WINDOWS\OUT.HTA" is only created on the French version of Windows 9x.

For the French versions of Windows 9x:
- Existence of "c:\windows\menu démarrer\programmes\démarrage\tam.hta"
- On August 30, the "Bon Anniversaire Lac !!!" message box described above is displayed; it reappears after each "OK" and, on the 5th click, the "KOI???" message appears.

Clicking OK to this message results in your computer shutting down.
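As an added example (not part of the original write-up or of any vendor tool), the following Python script checks the indicators described above in artifacts exported from a suspect machine: an HTML mail body or signature file for the Scriptlet.TypeLib/.hta pattern, and a .reg export of the Run key for the OnGoingCtrl value or a worm file name. The file names and value name come from the write-up; the regular expressions and the sample inputs are constructed for illustration.

```python
import re

# File names and the Run-key value name given in the write-up above.
WORM_FILES = {"out.hta", "out.html", "tam.hta"}
RUN_VALUE = "OnGoingCtrl"

# Text indicators of a Kak-style HTML mail (assumed patterns, not vendor signatures):
# the Scriptlet.TypeLib ActiveX object, an .hta reference, the Startup folder
# (English or French name) and a VBScript block.
INDICATORS = {
    "scriptlet_typelib": re.compile(r"scriptlet\.typelib", re.I),
    "hta_file": re.compile(r"\.hta\b", re.I),
    "startup_folder": re.compile(r"startup|démarrage", re.I),
    "vbscript_block": re.compile(r"<script[^>]+language\s*=\s*[\"']?vbscript", re.I),
}

def scan_html(body):
    """Return the names of the indicators present in an HTML mail body or signature."""
    return [name for name, rx in INDICATORS.items() if rx.search(body)]

def is_suspicious(body):
    """Flag a body only when the ActiveX object and an .hta reference occur together."""
    return {"scriptlet_typelib", "hta_file"} <= set(scan_html(body))

def scan_run_key(reg_export):
    """Return Run-key entries whose value name or target file name matches the worm.
    Input is a .reg export (regedit /e) of the Run key; .reg files escape backslashes."""
    hits = {}
    for m in re.finditer(r'^"([^"]+)"="([^"]*)"', reg_export, re.M):
        name, target = m.group(1), m.group(2)
        file_name = target.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        if name == RUN_VALUE or file_name in WORM_FILES:
            hits[name] = target
    return hits

# Constructed samples for illustration; the suspect signature only imitates the
# shape of the worm's HTML and contains no working code.
BENIGN_SIG = "<p>Regards,<br>Alice</p>"
SUSPECT_SIG = ('<script language="VBScript">... Scriptlet.TypeLib ...'
               ' "\\Menu Démarrer\\Programmes\\Démarrage\\tam.hta" ...</script>')
REG_EXPORT = ("REGEDIT4\n\n"
              "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
              '"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"\n'
              '"OnGoingCtrl"="c:\\\\windows\\\\out.hta"\n')

if __name__ == "__main__":
    print(scan_html(SUSPECT_SIG), is_suspicious(SUSPECT_SIG))  # all four indicators, True
    print(scan_run_key(REG_EXPORT))  # only the OnGoingCtrl entry is reported
```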


Method Of Infection

Opening e-mail messages which are composed in HTML format and which contain the script will install the Internet worm on supported systems as previously described. The HTA file is written to the local machine, as is the HTML file.


Removal Instructions

Use specified engine and DAT files for detection and removal.

Removal of this Internet worm consists of several steps:

* close email client(s)
* install the MS patch mentioned above
* remove the .HTA and/or .HTML files associated with this threat
* turn off 'preview pane' (optional)
* delete the default email signature setting (Tools/Options/Signature)
* delete messages which are not needed which may contain the embedded script

Users may also benefit by removing Windows Scripting Host from their Windows environment. To do this in Windows 9x, go to 'Control Panel' and choose 'Add/Remove Programs'. Click on the 'Windows Setup' tab and double click on 'Accessories'. Scroll down to 'Windows Script Host' and uncheck it and choose 'OK'. It may be necessary to reboot the system. For additional help or support, visit Microsoft's Support Site.

Users may also want to disable 'Active Scripting' in the 'Restricted Sites' zone and set E-Mail to run in the 'Restricted Sites' zone. To do this:

- open Internet Explorer
- choose the Tools menu
- choose Internet Options
- click the Security tab
- click the Restricted Sites icon
- click 'Custom Level'
- scroll down to 'Active Scripting' and set it to Disable or Prompt
- click OK
- open Outlook
- choose the Tools menu
- choose Options
- click the Security tab
- in the 'Security Zones' section, choose the 'Restricted Sites' zone

AVERT Recommended Updates:

* scriptlet.typelib/Eyedog vulnerability patch

* Malformed E-mail MIME Header vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link. Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.


Aliases

- Kak.D
- out.hta
- tam.hta
- VBS/Kakworm-D
- VBS/Out.A@m