Worm.Tamiami v1.3
by DiA

See also the project folder

\\                                                                                        //
//                                                                                        \\
\\                                    Tamiami Worm                                        //
//                                    Version  1.3                                        \\
\\                                      coded by                                          //
//                                         DiA                                            \\
\\                             Ready Rangers Liberation Front                             //
//                  DiA_hates_machine@gmx.de - http://www.vx-dia.de.vu/                   \\
\\                                                                                        //

// Disclaimer
     I am not responsible for anything that you do with this source. So take care when you
    want to test this or parts of this code. If you don't know how to handle malware, please
    close this for your and others pleasure.

// Intro
     Welcome to my best and biggest creation. It spreads via several ways, wich i describe
    here. Also it has some nice features, and still more to come. When you look at the
    source code, you will see that some functions are not used. Thats because i decided
    that simpler is better for this worm. As example the autostart function, in the first
    version of Tamiami it was able to infect an autostart application. But now it has a tool
    included that make termination of the worm harder, but read later about it. I am sure
    I will make some more versions of the worm, because I have still much ideas.

// HTTP Server
     The worm has it's own HTTP server, that can provide a website at the infected computer.
    The HTTP server is used for mail spreading via a spoofed link, and spreading via IRC and
    mIRC. Read on for that.

// Website creator
     Yes, thats right, the worm creates a website on an infected computer. For that it get's
    three pictures from user's "My Pictures" folder. It then creates HTML code that contain
    the pictures, sublinks to enlarge it, and a link to the worm binary, tarned as an
    selfextracting archive, containing more pictures.

// Mail spreading via spoofed link
     The worm has now only mail spreading via simple MAPI (SMTP version in progress). The
    worm send's a mail with the spoofed link to an infecting computer (where the website
    is) to all mail addresses that can be found in the inbox of Outlook.

// Spoofed link
     Tamiami send's only spoofed links (Mail, IRC, mIRC). The IP of the infected machine
    is spoofed by the http://user:pass@IP(in %hex) formation.

// Mail spreading via attachment
     If mail spreading via spoofed link failed (eg can't run HTTP server), the worm send's
    mails to all addresses in inbox of Outlook with a binary of the worm attached.

// Disabling MAPI warning
     For sending mail's without a warning by Outlook the worm disables it via an entry in 
    the registry.

// Extract mail addresses
     The worm read's mail addresses from the Outlook inbox and store the addresses as files
    in a folder. Why that? If you do it via files, you have no victim address twice, and
    invalid file names mean invalid mail addresses.

// Two languages
     The worm is able to spread via two languages, german if system is a german one,
    otherwise english. Spreads via two languages in mail spreading, zip & rar spreading,
    also it creates website and spoofed links in two languages.

// Autostart
     As I sayed in the intro, the worm has a simple autostart, via a entry in the registry.
    Other functions for autostart can be found in the documentation.

// Creating a mutex
     To not run twice the worm creates a mutex. Before it do it's action it checks if the
    mutex already exist, if so the worm terminate it's process, because it already run.

// Update Tamiami
     The worm is able to update itself, if a newer version come to system, and an older
    already exist, the worm update itself on it.

// Disabling XP firewall
     The firewall that comes with XP SP2 will be disabled by the worm, via an entry in the

// Drive spreading
     The worm checks every drive from B:\ to Z:\ if it's a remote drive (fixed share). If
    so it copy's the worm binary with a random name.

// RAR & ZIP worm
     Tamiami search on all fixed drives (remote or local) for all ZIP and RAR archives.
    If it found one, the worm add's itself with an random name to the archive.

// IRC spreading
     Tamiami connects to 6 of the biggest IRC server and join channels with much people
    inside and idle there. It recocnize when a user join a channel, and then it send's
    a private message with a spoofed link to the infected PC and it's website. If worm
    get's kicked or banned it joins a new channel and spreads there.

// mIRC spreading
     When mIRC is running the worm loads a script dynamicly into mIRC. The script spread
    the worm binary via DCC when someone join a channel.

// IRC backdoor
     Inside the worm there is also an IRC backdoor, not for criminal intend, but maybe
    to clean infected machines if this worm is outbreak. The bot only have raw, quit,
    version and download and execute commands.

// DOC infection
     The worm drop's a .vbs file that insert code in Word's Normal.dot template, that
    code infects every opened .doc file with a small dropper code and the worm binary.

// Take car for me
     To avoid termination, the worm drop's my tool "TakeCareOnMe" to disk, and execute it
    with the worm path as parameter. That way, it restart's Tamiami when it got's

// Payload
     The payload activte on September 17 every year. Then it prints random text with random
    color and random position to the screen. The loop is infinite, so very annoying. And
    if worm is terminated, it get restarted by TakeCareOnMe.

// Outro
     Hope that "read me" covers all features of the worm, to get an closer look you can look
    at the big documentation "_Ver_Inc_Docu.h". I am sure in near or far future you will see
    a newer version of this worm. So long, have fun with this code.

                                                                    DiA/RRLF - 16.06.2006