TrendMicro: WORM_SEMAPI.A

Discussion in 'malware problems & news' started by Randy_Bell, May 20, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    WORM_SEMAPI.A is a non-destructive, memory-resident worm that propagates via email. It is currently spreading in-the-wild and infecting computers that are running Windows 98, ME, NT, 2000, and XP.

    Upon execution, this worm drops copies of itself in the Windows folder as DRDOOM.EXE and WINBIOS.EXE. It also drops AUTOEXE.EXE and SKERNEL32.COM in the Windows system folder as part of its installation routine. It creates several registry entries to ensure that it automatically executes at every system startup.

    This worm propagates by sending copies of itself to email addresses gathered from the infected machine using Messaging Application Program Interface (MAPI) functions. It derives the email addresses it gathers from files with the following extension names:

    * adb
    * asp
    * dbx
    * doc
    * eml
    * htm*
    * js*
    * msg
    * oft
    * ph*
    * pl*
    * rtf
    * shtm*
    * tbb
    * tx*
    * vb*
    * wab
    * wsh
    * xm*

    It sends messages with several specific combinations of common names, domains, message bodies, subject lines, and attachments. To read the full list of possible combinations, view the Technical Details.

    This worm displays a message box containing the following message:

    Unable to locate 'semapi.dll' reinstalling this application may fix this problem.

    If you would like to scan your computer for WORM_SEMAPI.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_SEMAPI.A is detected and cleaned by Trend Micro pattern file #2.616.08 and above.
     
    Last edited: May 20, 2005
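
Added example, not part of the original post or Trend Micro's advisory: a Python check for the four dropped file names listed above, run against the Windows folder of a live host or a mounted disk image. The function names and the System/System32 folder handling are assumptions of this example; a name match is an indicator to investigate, not proof of infection.

```python
import os

# Dropped file names from the advisory, keyed by the folder they land in.
# The "system" folder is "System" on Windows 98/ME and "System32" on
# NT/2000/XP, so both names are checked (assumption of this example).
DROPPED = {
    "windows": {"drdoom.exe", "winbios.exe"},
    "system": {"autoexe.exe", "skernel32.com"},
}
SYSTEM_DIR_NAMES = {"system", "system32"}


def _listdir_ci(path):
    """Map lower-cased entry name -> real name; empty dict if unreadable."""
    try:
        return {name.lower(): name for name in os.listdir(path)}
    except OSError:
        return {}


def find_semapi_artifacts(windows_dir):
    """Return sorted paths of files whose names match the advisory.

    Matching is case-insensitive so the check also works on a disk
    image mounted on a case-sensitive filesystem.
    """
    hits = []
    for lower, real in _listdir_ci(windows_dir).items():
        full = os.path.join(windows_dir, real)
        if lower in DROPPED["windows"] and os.path.isfile(full):
            hits.append(full)
        elif lower in SYSTEM_DIR_NAMES and os.path.isdir(full):
            for sub_lower, sub_real in _listdir_ci(full).items():
                sub_full = os.path.join(full, sub_real)
                if sub_lower in DROPPED["system"] and os.path.isfile(sub_full):
                    hits.append(sub_full)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    default_root = os.environ.get("SystemRoot", r"C:\Windows")
    root = sys.argv[1] if len(sys.argv) > 1 else default_root
    for path in find_semapi_artifacts(root):
        print("possible WORM_SEMAPI.A artifact:", path)
```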