Worm.Semapi.a

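When this virus runs, it pops up an error message, “Unable to locate semapi.dll; reinstalling will resolve the problem”, to mislead the user. In fact, the virus copies itself to the system directory and to the root directories of fixed disks, removable disks and remote shared disks from A to Z, harvests e-mail addresses from certain file types, and sends infected e-mail to those addresses using forged senders, tricking users into opening the attachment and thereby becoming infected.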

Basic information

  • Chinese name: Worm.Semapi.a
  • Foreign name: Email-Worm.Win32.Semapi.a[AVP]
  • Threat level: ★
  • Virus type: Worm

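Virus profile

Affected systems: Win9x / WinNT

Virus behavior

This is a worm that spreads via e-mail.

Behavior details

1) Creates a mutex named “Dr. Doom” to prevent multiple instances of the virus from running at the same time.
2) Copies itself to: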
%System%\AUTOEXE.exe
%System%\SKERNEL32.com
%SystemRoot%\Winbios.exe
%SystemRoot%\DRDOOM.EXE
3) Adds registry startup entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AUTOEXE" = "%System%\AUTOEXE.exe"
"KERNEL 32" = "%System%\SKERNEL32.com"
"Win32 Bios" = "%SystemRoot%\Winbios.exe"
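4) When it runs, the virus pops up the following message window:
5) Tries to copy itself to the root directories of fixed disks, removable disks and remote shared disks from A to Z.
6) Adds the following to “win.ini” so that it starts automatically on Windows 95/98/Me systems: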
[WINDOWS]
RUN=%SystemRoot%\DRDOOM.EXE
7) Harvests e-mail addresses from files of the following types:
.htm*
.asp
.msg
.oft
.shtm*
.dbx
.tbb
.adb
.doc
.wab
.rtf
.vb*
.pl*
.ph*
.tx*
.eml
.js*
.wsh
.xm*
.ttf
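8) Sends infected e-mail to the harvested addresses. The forged sender address starts with one of the following names: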
Ali
Allison
Allyson
Albert
Bob
Bobby
Catalin
Doug
Debby
Tom
Tommy
Michael
Larissa
Linsey
Lorena
George
Jim
Jimmy
James
Tim
Timmy
Seth
Veronica
Andre
Andrea
Allen
Amanda
Edward
Josh
Jay
Cari
Carly
Sonny
Andres
Trevor
Amy
Robert
Roberto
Rob
Jason
Anthony
Tony
Jeorge
Brittany
Britney
Melissa
Mel
Manual
Den
Denis
Shawn
Sean
Loren
Faviola
Devin
Devon
John
Jon
Jonny
Ron
Ronny
Rhonda
Sam
Samm
Sammantha
Mindy
Mike
Carlos
Juan
Mark
Hugo
Mat
followed by one of the following domains:
@aol.com
@yahoo.com
@mail.com
@hotmail.com
@fbi.gov
@cia.gov
@usa.com
@comcast.net
@teacher.net
@doctor.com
@help.org
@teens.org
@asia.com
@europe.com
@philippines.ph
@japan.jp
@england.uk
@gmail.com
@school.edu
@unknown.org
Together these form the forged sender address.
Possible e-mail subjects:
Your data
Re: My docs
Re: MyLetter
Re: Screen Saver
Re: Test
Account Info
32bit Info
chkdizk32 preview
64bit color
gif fix
Re: Look...
Re: Im Sexxy :-p
Re: Whatever...
00000000000
.Bat update
Re: My File
.jpeg update
Re: My sexxy Pic..
Re: Sexxy
Im Sexxy..
Dr Worm
test :-)
Possible e-mail bodies:
Your data is attached.
My documents is in the attachments.
Plz read my letter in the attachments.
The screen saver you requested is attached.
ISP Test file 'lsszr32.pif' is attached.
Your account info is attached.
More info attached.
Chkdizk32 trial (32day).
64bit color update is attached.
.gif pictures attached.
Plz look at the file attached.
Told u im sexy... take a look at my pic in the attachments.
Whatever.... just look at the msg. attached.
260972396723672396340676067396727632907963
.bat update (MS-0010938)
Update included in the attachments.
My file that you wanted is attached.
.jpeg update attached.
My sexxy pic is attached... ;-) (call me)
Im sexxy... my phone # is attached. :-)
Look at my pic in the attachments.
Download Dr. Worm more info is attached.testing....
Possible attachment names:
dat.exe
mydoc.exe
myletter.exe
scrsaver.scr
lsszr32.pif
acount.exe
info32.exe
chkdizk32.exe
64bitcolr.pif
Lkigif32.bat
plzlook.exe
sxygurl.pif
whtev3k32.exe
00000.cmd
win32bat.exe
myfile.exe
jpeg64bit.pif
sxxypic.pif
looksxyy.exe
omgtehsexxy.exe
drworm.bat
drdsk2k.cmd
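
A host triage check for the persistence entries listed in steps 2, 3 and 6, as an added example that is not part of the original entry: it scans a regedit export and the contents of win.ini for the worm's Run-key values and dropped file names. The function names and the sample inputs are constructed for illustration, and matching is done on file base names because %System% and %SystemRoot% expand differently per host.

```python
import ntpath
import re

# File names the worm copies itself to, per the description above (lower-cased).
DROPPED = {"autoexe.exe", "skernel32.com", "winbios.exe", "drdoom.exe"}
# Run-key value names it registers (lower-cased).
RUN_NAMES = {"autoexe", "kernel 32", "win32 bios"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed sample inputs (not taken from a real host).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"KERNEL 32"="C:\\WINDOWS\\SYSTEM\\SKERNEL32.com"
"Updater"="C:\\WINDOWS\\Winbios.exe"
'''
SAMPLE_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\DRDOOM.EXE\n\n[Desktop]\nWallpaper=(None)\n"


def scan_reg_export(text):
    """Return (source, value name, data) for suspicious Run-key values in a .reg export."""
    findings, in_run = [], False
    for line in map(str.strip, text.splitlines()):
        m = REG_VALUE.match(line)
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
        elif in_run and m:
            data = m["data"].replace("\\\\", "\\")  # .reg exports double each backslash
            if m["name"].lower() in RUN_NAMES or ntpath.basename(data).lower() in DROPPED:
                findings.append(("run-key", m["name"], data))
    return findings


def scan_win_ini(text):
    """Return findings for RUN= programs in the [WINDOWS] section of win.ini text."""
    findings, section = [], ""
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition("=")
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and key.strip().lower() == "run":
            findings += [("win.ini", "RUN", p) for p in re.split(r"[,\s]+", value.strip())
                         if ntpath.basename(p).lower() in DROPPED]
    return findings
```

The second Run-key hit in the sample is caught by its file name alone, which covers a copy registered under a value name other than the three listed above.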
