Worm.Semapi.a

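Worm.Semapi.a: when this virus runs, it displays an error message, "Unable to locate semapi.dll; reinstalling will fix this problem", to mislead the user. In fact, the virus copies itself to the system directory and to the root directories of fixed disks, removable disks and remote shared disks from A to Z, harvests e-mail addresses from certain file types, and sends infected e-mail to those addresses using a forged sender, luring recipients into opening the attachment and thereby becoming infected.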

Overview

Virus alias: Email-Worm.Win32.Semapi.a [AVP]
Processing date:
Threat level: ★
Chinese name:
Virus type: Worm
Affected systems: Win9x / WinNT
Virus behavior:

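Characteristics

This is a worm that spreads by e-mail. When it runs, it displays an error message, "Unable to locate semapi.dll; reinstalling will fix this problem", to mislead the user. In fact, the virus copies itself to the system directory and to the root directories of fixed disks, removable disks and remote shared disks from A to Z, harvests e-mail addresses from certain file types, and sends infected e-mail to those addresses using a forged sender, luring recipients into opening the attachment and thereby becoming infected.
1) Creates a mutex named "Dr. Doom" to prevent multiple instances of the virus from running at the same time.
2) Copies itself to: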
%System%\autoexe.exe
%System%\SKERNEL32.com
%SystemRoot%\Winbios.exe
%SystemRoot%\DRDOOM.EXE
3) Adds registry startup entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AUTOEXE" = "%System%\AUTOEXE.exe"
"KERNEL 32" = "%System%\SKERNEL32.com"
"Win32 Bios" = "%SystemRoot%\Winbios.exe"
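4) When the virus runs, it displays the following message window:
5) Attempts to copy itself to the root directories of fixed disks, removable disks and remote shared disks from A to Z.
6) Adds the following to "win.ini" so that it starts automatically on Windows 95/98/Me systems: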
[WINDOWS]
RUN=%SystemRoot%\DRDOOM.EXE
7) Harvests e-mail addresses from files of the following types:
.htm*, .asp, .msg, .oft, .shtm*, .dbx, .tbb, .adb, .doc, .wab, .rtf, .vb*, .pl*, .ph*, .tx*, .eml, .js*, .wsh, .xm*, .ttf
8) Sends infected e-mail to the harvested addresses
Ali, Allison, Allyson, Albert, Bob, Bobby, Catalin, Doug, Debby, Tom, Tommy, Michael,
Larissa, Linsey, Lorena, George, Jim, Jimmy, James, Tim, Timmy, Seth, Veronica, Andre,
Andrea, Allen, Amanda, Edward, Josh, Jay, Cari, Carly, Sonny, Andres, Trevor, Amy, Robert,
Roberto, Rob, Jason, Anthony, Tony, Jeorge, Brittany, Britney, Melissa, Mel, Manual, Den,
Denis, Shawn, Sean, Loren, Faviola, Devin, Devon, John, Jon, Jonny, Ron, Ronny, Rhonda,
Sam, Samm, Sammantha, Mindy, Mike, Carlos, Juan, Mark, Hugo, Mat

One of the names above is followed by one of the following domains
@aol.com, @yahoo.com, @mail.com, @hotmail.com, @fbi.gov, @cia.gov, @usa.com, @comcast.net,
@teacher.net, @doctor.com, @help.org, @teens.org, @asia.com, @europe.com, @philippines.ph,
@japan.jp, @england.uk, @gmail.com, @school.edu, @unknown.org
to form the forged sender address.
Possible e-mail subjects:
Your data
Re: My docs
Re: MyLetter
Re: Screen Saver
Re: Test
Account Info
32bit Info
chkdizk32 preview
64bit color
gif fix
Re: Look...
Re: Im Sexxy :-p
Re: Whatever...
00000000000
.Bat update
Re: My File
.jpeg update
Re: My sexxy Pic..
Re: Sexxy
Im Sexxy..
Dr Worm
test :-)
Possible e-mail bodies:
Your data is attached.
My documents is in the attachments.
Plz read my letter in the attachments.
The screen saver you requested is attached.
ISP Test file 'lsszr32.pif' is attached.
Your account info is attached.
More info attached.
Chkdizk32 trial (32day).
64bit color update is attached.
.gif pictures attached.
Plz look at the file attached.
Told u im sexy... take a look at my pic in the attachments.
Whatever.... just look at the msg. attached.
260972396723672396340676067396727632907963
.bat update (MS-0010938)
Update included in the attachments.
My file that you wanted is attached.
.jpeg update attached.
My sexxy pic is attached... ;-) (call me)
Im sexxy... my phone # is attached. :-)
Look at my pic in the attachments.
Download Dr. Worm more info is attached.testing....
Possible attachment names:
dat.exe
mydoc.exe
myletter.exe
scrsaver.scr
lsszr32.pif
acount.exe
info32.exe
chkdizk32.exe
64bitcolr.pif
Lkigif32.bat
plzlook.exe
sxygurl.pif
whtev3k32.exe
00000.cmd
win32bat.exe
myfile.exe
jpeg64bit.pif
sxxypic.pif
looksxyy.exe
omgtehsexxy.exe
drworm.bat
drdsk2k.cmd
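
The persistence artifacts from steps 2, 3 and 6 above can be checked against data collected from a suspect host. The following triage script is an added example, not part of the original entry; it assumes the Run key values, the text of win.ini and a file listing have already been exported, and its function names and sample inputs are constructed for illustration.

```python
import configparser
import ntpath
import re

# Indicators taken from the description above (compared case-insensitively).
DROPPED_NAMES = {"autoexe.exe", "skernel32.com", "winbios.exe", "drdoom.exe"}
RUN_VALUE_NAMES = {"autoexe", "kernel 32", "win32 bios"}

def dropped_names_in(command):
    """Return the dropped file names referenced by a command line or path list."""
    tokens = re.split(r'[\\/"\s,;]+', command.lower())
    return DROPPED_NAMES.intersection(tokens)

def check_run_key(values):
    """values: {value name: data} exported from the Run key listed in step 3."""
    hits = []
    for name, data in values.items():
        if name.lower() in RUN_VALUE_NAMES or dropped_names_in(data):
            hits.append(f"Run value {name!r} -> {data}")
    return hits

def check_win_ini(text):
    """Flag a RUN= entry in the [windows] section that starts a dropped copy."""
    ini = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True, delimiters=("=",))
    ini.read_string(text)
    hits = []
    for section in ini.sections():  # win.ini section names are case-insensitive
        if section.lower() == "windows":
            run = ini.get(section, "run", fallback="") or ""
            if dropped_names_in(run):
                hits.append(f"win.ini RUN={run}")
    return hits

def check_files(paths):
    """Flag collected file paths whose file name matches a dropped copy."""
    return [f"file {p}" for p in paths if ntpath.basename(p).lower() in DROPPED_NAMES]

def triage(run_values, win_ini_text, paths):
    return check_run_key(run_values) + check_win_ini(win_ini_text) + check_files(paths)

# Constructed sample artifacts (not taken from a real host).
SAMPLE_RUN = {"KERNEL 32": r"C:\WINDOWS\SYSTEM\SKERNEL32.com",
              "SystemTray": "SysTray.Exe"}
SAMPLE_INI = "[windows]\nload=\nRUN=C:\\WINDOWS\\DRDOOM.EXE\n\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_FILES = [r"C:\WINDOWS\Winbios.exe", r"C:\WINDOWS\NOTEPAD.EXE"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_INI, SAMPLE_FILES):
        print(finding)
```

A file-name match alone is only a lead for further examination; the Run value names and the win.ini RUN= entry are the more specific signals.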
