W32/Tutiam.A is a memory resident worm. The worm will infect Windows systems and spreads through email and Internet Relay Chat (IRC).

The infected email carries a spoofed 'From' address picked up randomly from the infected system

The subject of the infected mail will be any one of the following;

<Blank>
Message from:
Nachricht von
Re:
Sweetheart ;)

The body of the infected mail will be any one of the following;

Adios Amigos!
Also, schreib mir was du denkst...
Archiv
Bis denne..
Byea...
Check_it_out_now
Creating a homepage is so much fun!
Cya..
Datei
Deine_Datei
DeinFile
Der Hammer :D...
Du solltest auch ne Homepage machen ;)
Eine Homepage zu machen ist echt fun!
Funny stuff :] check it!
Funny stuff in the archive, i luv it ;D
FunnyStuff
Gimme feedback what you think about my homepage!
Gut heh? ;D
Gute page, oder?! Ich arbeite weiter dran...
Guten Tag
h0t_shit
Hab eine einfache Homepage erstellt
Hab ne website gebastelt :)
Hallo
Have a nice day!!
Hehe, die Bilder im Archiv gefallen mir so richtig gut ;))
Hello
Here is your file...
Hey Dude!
Hey Kumpel!!
Heya,
Heya...
Hi, how are you,
Hier is ja deine Datei...
Hoy Hoy ;)
I build a website ;)
I create a simple homepage!!!
I played a little bit, and look what i have made:
I've made a homepage! Just some pictures, but i keep on working ;)
I've made a website...
Ich hab eine Webseite erstellt! Sind zwar nur ein paar Bilder, aber ich arbeite dran ;)
Ich hab mal ein bisschen gebastelt, und schau was draus geworden ist:
Ich hab ne Webseite gemacht...
Ich sag nur Anhang :]
Ja Man! Meine persoehnliche Website!!!!!
Let's do more stuff for my homepage ;D...
Look at my first homepage!
Man sieht sich!
Much fun with my page!
Na... was los?
Nerv mal nich so, schau dir den Anhang an!
Next time..
Nice heh!?!? ;D
Nice page, or not?! I keep on working...
No words, just look at it, hrhr.
Noch nich viel aber...
Not much but...
Sag mir was du von meiner allerersten Homepage haelst!
Schau dir das einfach mal an, da wird man doch crazy, oder???
Schau dir meine erste Homepage an!
Schau_es_dir_an
So, answer what you think...
So, ich bastel jetzt noch ne Runde weiter...
The file you asked for is attached!!
Tschau
Viel Spass noch mit der Page!
Was geht...
Was geht?!
Whassup...
Whats up?!
Yeah man! My personal website!!!
You should create a website too ;)
YourFile

Upon execution, the worm copies itself as strangler.exe, Tamiami.vbs, Tamiami.wrd and tamver.sys in the Windows folder. It also copies index.htm and Pictures.exe in the Windows\tamweb folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This worm also propagates via Internet Relay Chat (IRC), by connecting to the following IRC servers:

eu.undernet.org
irc.dal.net
irc.efnet.org
irc.fr.ircnet.ne
irc.ircnet.ee
irc.quakenet.org
irc.rizon.net
irc.us.ircnet.ne
random.ircd.de
us.undernet.org

It then joins to a specific chatroom. While in the chatroom, the worm sends a private messages to all users containing a link to the Web site from where the copy of a worm may be downloaded.

The worm also searches for the files having the extension .zip and .rar on the infected system.

If found, it adds a copy of itself to the said archives that are not password protected.

This worm first appeared on July 22, 2006.

 Other names of W32/Tutiam.A Worm:

This Worm is also known as WORM_TUTIAM.A.