Sophos

W32/Tame-C

Aliases
  • P2P-Worm.Win32.Vagas.a
  • WORM_SAVAGE.B

How it spreads
  • Email attachments
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 16 November 2005 01:42:16 (GMT)
Last updated 21 November 2005 12:47:38 (GMT)
Detected by All Sophos products

More Information

W32/Tame-C is a worm that attempts to spread by email and peer-to-peer
applications.

W32/Tame-C includes functionality to access the internet and communicate with a
remote server via HTTP.

When first run, W32/Tame-C copies itself to:

<System>\lsa2srv.exe
<System>\service.exe
<System>\sysmng.exe
<System>\systm.exe

and creates the following files:

<Temp>\Document
<System>\hserv.sys
<System>\iexplor.dll
<System>\iexplor2.dll
<System>\netdx.dat
<System>\version.ini

The following registry entries are created to run lsa2srv.exe, service.exe and
sysmng.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsa Services
<System>\lsa2srv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
servicemng
<System>\service.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Manager
<System>\sysmng.exe

W32/Tame-C sets the following registry entries, disabling the automatic startup
of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Emails sent by W32/Tame-C have the following characteristics:

Subject line:

Re: Your document
Re: Virus Sample
Re: Thank you for delivery
Re: Submit a Virus Sample
Re: Status
Re: SMTP Server
Re: Sex pictures
Re: Secure SMTP Message
Re: Secure delivery
Re: Sample
Re: Request
Re: Question
Re: Protected Mail System
Re: Protected Mail Request
Re: Protected Mail Delivery
Re: Proof of concept
Re: Old times
Re: Old photos
Re: Notify
Re: Message Error'
Re: Message
Re: Mail Server
Re: Mail Authentification
Re: List
Re: Its me
Re: Is that your document?
Re: Hi
Re: Hello
Re: Free porn
Re: Failure
Re: Extended Mail System
Re: Extended Mail
Re: Error in document
Re: Error
Re: Encrypted Mail
Re: Developement
Re: Delivery Protection
Re: Delivery Server
Re: Bad Request
Re: Approved document
Re: Administration
Administrator
Server Report
Mail Transaction Failed
Attention!!!
Mail Delivery System
Do not reply to this email
Good day

Message text:

"Try this game ;-)
I hope the patch works."

"I found this document about you.
I cannot believe that.Congratulations!,
your best friend."

"Best wishes,
your friend."

"The sample file you sent contains a new virus version of mydoom.j.
Please
clean your system with the attached signature.
Sincerly,
Robert Ferrew"

"The file is protected with the password ghj001.
I have attached your file.
Your password is jkl44563."

"Your mail account has been closed.
For further details see the document."

"Your mail account is expired.
See the details to reactivate it."

"You have visited illegal websites.
I have a big list of the websites you surfed."

"I noticed that you have visited illegal websites.
See the name in the list!"

"Greetings from france,
your friend.
Have a look at these."

"Your requested mail has been attached."

"Your photo, uahhh.... , you are naked!"

"Your important document, correction is finished!"

"Your file is attached."

"Your document is attached."

"Your details."

"Your bill is attached to this mail."

"your big love, ;-)"

"Your archive is attached."

"You were registered to the pay system."

"You have written a very good text, excellent, good work!"

"You have received an extended message. Please read the instructions."

"You have downloaded these illegal cracks?"

"You got a new message."

"Waiting for authentification."

"Waiting for a Response. Please read the attachment."

"Try this, or nothing!"

"The sample is attached!"

"Thanks!"

"Thank you for your request, your details are attached!"

"SMTP: Please confirm the attached message."

"SMTP Error #201"

"Server Error #203"

"See the file."

"Secure Mail System Beta Test."

"Requested file."

"Protected message is available."

"Protected message is attached."

"Protected Mail System Test."

"Please see the attached file for details"

"Please read the important document."

"Please read the document."

"Please read the attachment to get the message."

"Please read the attached file."

"Please read the attached file!"

"Please r564g!he4a56a3haafdogu#mfn3o"

"Please confirm!"

"Please confirm the document."

"Please confirm my request."

"Please authenticate the secure message."

"Please answer quickly!"

"Partial message is available."

"Now a new message is available."

"New message is available."

"My favourite page."

"Monthly news report."

"Message has been sent as a binary attachment."

"lovely, :-)"

"Let'us be short: you have no experience in writing letters!!!"

"Important message, do not show this anyone!"

"I hope you accept the result!"

"I have visited this website and I found you in the spammer list. Is that true?"

"I have received your document. The corrected document is attached."

"I have corrected your document."

"I have attached your document."

"I have attached the sample."

"I have attached it to this mail."

"Here is the website. ;-)"

"Here is my phone number."

"Here is my icq list."

"Here is it!"

"Forwarded message is available."

"For more details see the attachment."

"For further details see the attachment."

"Follow the instructions to read the message."

"First part of the secure mail is available."

"Do not visit this illegal websites!"

"Authentication required."

"9u049u89gh89fsdpokofkdpbm3-4i"

"Mail transaction failed. Partial message is available."

"The message contains Unicode characters and has been sent as a binary
attachment."

"The message cannot be represented in 7-bit ASCII encoding and has been sent as
a binary attachment."

"Do not visit these sites!!!"

"You have visited illegal websites.
I have a big list of the websites you
surfed."

"You think it's funny? You are stupid idiot!!! I'll send the attachment to your
ISP and then I'll be watching how you will go to jail, punk!!!"

"Your credit card was charged for $500 USD. For additional information see the
attachment"

"am shocked about your document!"

"Are you a spammer? (I found your email on a spammer website!?!)"

"Bad Gateway: The message has been attached.'"

"Attention! New self-spreading virus!
Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast
via e-mail and P2P networks. It's about two million people infected and it will
be more.
To avoid your infection by this virus and to stop it we provide you with full
information how to protect yourself against it and also including free remover.
Your can find it in the attachment.

2004 Networks Associates Technology, Inc. All Rights Reserved"

"New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using a credit cards
for making purchase in the Internet in the attachment. Please, read it
carefully. If you are not agree with new terms and conditions do not use your
credit card in the World Wide Web.

Thank you,
The World Bank Group
2004 The World Bank Group, All Rights Reserved"

"Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in the attachment file.

It's a real good choise to go to WORLDXXXPASS.COM"

"Attention! Your IP was logged by The Internet Fraud Complaint Center
Your IP was logged by The Internet Fraud Complaint Center. There was a fraud
attempt logged by The Internet Fraud Complaint Center from your IP. This is a
serious crime, so all records was sent to the FBI.
All information you can find in the attachment. Your IP was flagged and if
there will be anover attemption you will be busted.

Federal Bureau of Investigation and the National White Collar Crime Center"

"Here is your documents you are requested."

"ESMTP [Secure Mail System #334]: Secure message is attached."

"Encrypted message is available."

"Delivered message is attached."

"Can you confirm it?"

"Binary message is available."

Attachment extensions:

pif
bat
cmd
exe
scr

W32/Tame-C attempts to copy itself to the shared folders of the KaZaa, Morpheus,
iMesh, eDonkey and LimeWire peer-to-peer applications, using the following
filenames:

How to Crack all gamez
DSL Modem Uncapper.rar
dreamweaver MX (crack)
Deutsch BloodPatch!
Britney spears nude
avpprokey
Ad-awareref01R344
winxp_sp2patch
adultsitespasswds
dcom_patch
K-LiteCodecPack2.32a
activation_crack
icq2004-final
winamp5

The file extension is randomly chosen from the following:

.pif
.scr
.exe
.bat

W32/Tame-C attempts to disable various security and firewall products. The worm
also modifies the system HOSTS file in order to prevent access to certain
websites.
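An added example, not part of the Sophos write-up: a read-only PowerShell check for the Run-key values, dropped files and SharedAccess Start value listed above, plus the HOSTS modification. It assumes an elevated prompt on the suspect host; because the page does not name the sites the worm blocks, the HOSTS check reports every non-loopback entry for review rather than matching a fixed list.

```powershell
# Added example: host check for the W32/Tame-C artefacts described above.
# Read-only: it reports findings and removes nothing.
# Assumption: run from an elevated PowerShell prompt on the suspect machine.

$findings = @()

# 1. Run-key value names and the file each is documented to launch.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$indicators = @{
    'lsa Services'   = 'lsa2srv.exe'
    'servicemng'     = 'service.exe'
    'System Manager' = 'sysmng.exe'
}
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $indicators.Keys) {
    $data = $run.$name
    if ($null -ne $data) {
        $findings += "Run value '$name' present (expected $($indicators[$name])): $data"
    }
}

# 2. Copies and support files dropped into the system directory.
$sysDir = [Environment]::SystemDirectory
foreach ($f in 'lsa2srv.exe','service.exe','sysmng.exe','systm.exe',
               'hserv.sys','iexplor.dll','iexplor2.dll','netdx.dat','version.ini') {
    $p = Join-Path $sysDir $f
    if (Test-Path $p) { $findings += "Dropped file present: $p" }
}

# 3. SharedAccess is the Windows Firewall / Internet Connection Sharing
#    service; Start=4 is SERVICE_DISABLED, the value the worm writes.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
$svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($svc -and $svc.Start -eq 4) {
    $findings += 'SharedAccess service Start=4 (disabled)'
}

# 4. HOSTS entries other than comments, blank lines and the default
#    loopback mappings. Reported for review, not auto-classified.
$hosts = Join-Path $sysDir 'drivers\etc\hosts'
Get-Content $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*(#|$)' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { $findings += "Non-default HOSTS entry: $($_.Trim())" }

if ($findings.Count -eq 0) { 'No W32/Tame-C indicators found.' } else { $findings }
```

A hit on the Run values or the dropped files is strong evidence; a SharedAccess Start=4 or an unexpected HOSTS line on its own can have legitimate causes and should be correlated with the other checks.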
