W32/Semapi-A

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Email attachments Infected files
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	5 May 2005 21:12:39 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Semapi-A is a mass-mailing worm.

Once run the worm copies itself to the following locations:
%SYSTEM%\AUTOEXE.exe
%SYSTEM%\SKERNEL32.com
%WINDOWS%\Winbios.exe
%WINDOWS%\DRDOOM.EXE

The worm also creates the following registry entries to run itself on user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AUTOEXE
%SYSTEM%\AUTOEXE.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
KERNEL 32
%SYSTEM%\SKERNEL32.com

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Bios
%WINDOWS%\Winbios.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
RUN
%WINDOWS%\DRDOOM.EXE

W32/Semapi-A searches for email addresses in files in the current folder and the current user's Personal folder whose extension matches any of the following:

HTM*
ASP
MSG
OFT
SHTM*
DBX
TBB
ADB
DOC
WEB
ASP
RTF
VB*
PL*
PH*
TX*
EML
JS*
WSH
XM*
TTF

Emails sent by the worm have the following characteristics:

Subject line chosen from:

Your data
Re: My docs
Re: MyLetter
Re: Screen Saver
Re: Test
Account Info
32bit Info
chkdizk32 preview
64bit color
gif fix
Re: Look...
Re: Im Sexxy :-p
Re: Whatever...'
.Bat update
Re: My File
.jpeg update
Re: My sexxy Pic..
Re: Sexxy
Im Sexxy..
Dr Worm
test :-)

Message text chosen from:

Your data is attached.
My documents is in the attachments.
Plz read my letter in the attachments.
The screen saver you requested is attached.
ISP Test file 'lsszr32.pif' is attached.
Your account info is attached.
More info attached.
Chkdizk32 trial (32day).
64bit color update is attached.
.gif pictures attached.
Plz look at the file attached.
Told u im sexy... take a look at my pic in the attachments.
Whatever.... just look at the msg. attached.
Update included in the attachments.
My file that you wanted is attached.
.jpeg update attached.
My sexxy pic is attached... ;-) (call me)
Im sexxy... my phone # is attached. :-)
Look at my pic in the attachments.
Download Dr. Worm more info is attached.testing....

Attachment filename chosen from:

dat.exe
mydoc.exe
myletter.exe
scrsaver.scr
lsszr32.pif
acount.exe
info32.exe
chkdizk32.exe
64bitcolr.pif
Lkigif32.bat
plzlook.exe
sxygurl.pif
whtev3k32.exe
00000.cmd
win32bat.exe
myfile.exe
jpeg64bit.pif
sxxypic.pif
looksxyy.exe
omgtehsexxy.exe
drworm.bat
drdsk2k.cmd

The worm may also display a message box with the following message:

Unable to locate 'semapi.dll' reinstalling this application may fix this problem.

The also attempts to copy itself to the root folder of other drives.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Semapi-A

Summary

Action

More Information