Win32:Navidad
Win32:Navidad is an Internet worm. It spreads as an attachment to e-mail messages sent from an infected computer: using MAPI, it replies to every message in the Inbox that is marked as unread (this works with Microsoft Outlook). The worm reuses the existing subject line and body of the message and attaches itself as NAVIDAD.EXE.

When executed, NAVIDAD.EXE saves itself under the name WINSVRC.VXD into the Windows system directory and then modifies several Registry items. It changes the default EXE file startup key

HKEY_CLASSES_ROOT\exefile\shell\open\command

so that it is executed together with every EXE file. The worm contains a bug which makes Windows unusable after this change, because no EXE program can be started any more (this is similar to the PrettyPark worm after deleting it from the disk without repairing the Registry): the Registry entries refer to the file WINSVRC.EXE, but the worm is saved on the disk as WINSVRC.VXD. The worm also tries to be activated on each Windows startup by creating an item in

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

but this item contains the same error, so the worm is not activated after a reboot.

After these modifications Navidad also creates a "Navidad" key in the following section:

HKCU\Software
The worm displays a dialog box during execution. It has the title "Error" and contains just the two letters "UI". Finally, the worm puts a blue eye icon into the system tray of the taskbar. When the mouse pointer is placed over the icon, the worm displays a yellow dialog box that says: "Lo estamos mirando..." (i.e. "We are watching it...").
When you click the icon, a dialog box with a button appears. The button contains the text: "Nunca presionar este boton" (i.e. "Never press this button").
If you press the button, an error box with the title "Feliz Navidad" (i.e. "Merry Christmas") displays the following message: "Lamentablemente cayo en la tentacion y perdio su computadora" (i.e. "Unfortunately you've fallen to temptation and have lost your computer").
If you close the dialog box by clicking the cross in the upper right corner instead of clicking the button, the text "buena eleccion" (i.e. "good selection") is displayed and the worm terminates. Despite the warning about losing the computer, no further changes are made to the system.
Removal:
This worm can be removed from the infected system by the following steps. First apply the following changes to the Registry: using a text editor, create a file called NAVIDAD.REG with the following lines in it:
REGEDIT4

; restore the default EXE startup command (quotes inside REGEDIT4 strings are escaped with a backslash)
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

; clear the startup item the worm created
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"=""
Save this file to the Windows folder of the affected system as NAVIDAD.REG. Click on START|RUN, type NAVIDAD.REG and press [Enter]. The program REGEDIT.EXE will be launched automatically and the Registry changes will be applied. If you have problems running REGEDIT.EXE (the worm's change to the EXE file key prevents EXE programs from starting), rename it from the EXE to the COM extension and run it that way.
Then kill all "NAVIDAD" and "WINSVRC" tasks running in the system. Finally, delete both of the worm's files, NAVIDAD.EXE and WINSVRC.VXD.
There are several variants which differ in the size of the attached file. Any avast! with a VPS file dated after 16th November 2000 is able to detect this virus.
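As an added example (not part of the avast! description and not code from the worm), the following Python script parses the REGEDIT4 text format that NAVIDAD.REG uses, checks a Registry export for the three changes described above (the hijacked EXE startup key, the Win32BaseServiceMOD startup item and the HKCU\Software\Navidad key), models why the hijacked key stops EXE programs from starting when only WINSVRC.VXD is on disk, and confirms that importing the repair file clears the first two findings. The infected export, the exact command strings written by the worm (the description only says the entries refer to WINSVRC.EXE) and all function names are assumptions constructed for this example.

```python
import re

# Registry locations named in the description (Windows compares them
# case-insensitively, so the parser stores everything in lower case).
EXEFILE_OPEN_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NAVIDAD_KEY = r"HKEY_CURRENT_USER\Software\Navidad"
RUN_VALUE = "Win32BaseServiceMOD"
DEFAULT_EXE_OPEN = '"%1" %*'   # stock value: run the EXE with its arguments

# One REGEDIT4 value line: @=... or "name"=...  (quotes in names are escaped)
_ENTRY = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # REGEDIT4 string data escapes '"' and '\' with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text, keys=None):
    """Parse REGEDIT4 text into {key: {value_name: data}} with lower-cased names.
    Handles [key] sections, quoted REG_SZ data, "name"=- deletions and ';'
    comments; other data types (hex:, dword:) are kept as raw text.  Passing an
    existing dict merges into it, as REGEDIT.EXE does when importing a .REG file."""
    keys = {} if keys is None else keys
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _ENTRY.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2)).lower()
        data = m.group(3)
        if data == "-":
            keys[current].pop(name, None)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data
    return keys


def get_value(keys, key, name="@"):
    return keys.get(key.lower(), {}).get(name.lower())


def navidad_indicators(keys):
    """Return the Registry changes from the description that are present."""
    findings = []
    exe_open = get_value(keys, EXEFILE_OPEN_KEY)
    if exe_open is not None and exe_open != DEFAULT_EXE_OPEN:
        findings.append("exefile open command hijacked: " + exe_open)
    if get_value(keys, RUN_KEY, RUN_VALUE):        # present and non-empty
        findings.append("Run value " + RUN_VALUE + " present")
    if NAVIDAD_KEY.lower() in keys:
        findings.append("HKCU\\Software\\Navidad key present")
    return findings


def exe_launch_works(keys, files_on_disk):
    """Model the bug in the description: every EXE is started through the
    exefile open command, so nothing starts if its program is not on disk."""
    cmd = get_value(keys, EXEFILE_OPEN_KEY) or DEFAULT_EXE_OPEN
    program = cmd.split()[0].strip('"')
    return program == "%1" or program.upper() in {f.upper() for f in files_on_disk}


# Constructed export of an infected system (assumed command strings; the
# description only says the entries refer to WINSVRC.EXE).
INFECTED_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="WINSVRC.EXE \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="WINSVRC.EXE"

[HKEY_CURRENT_USER\Software\Navidad]
"""

# The NAVIDAD.REG repair file from the removal section.
NAVIDAD_FIX = r"""REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"=""
"""


def check_and_repair(export_text, fix_text, files_on_disk=("WINSVRC.VXD",)):
    """(findings, EXEs start?) before and after importing the repair file."""
    state = parse_reg(export_text)
    before = (navidad_indicators(state), exe_launch_works(state, files_on_disk))
    parse_reg(fix_text, state)
    after = (navidad_indicators(state), exe_launch_works(state, files_on_disk))
    return before, after


if __name__ == "__main__":
    for label, (found, starts) in zip(("before", "after"), check_and_repair(INFECTED_EXPORT, NAVIDAD_FIX)):
        print(label, "- findings:", found, "- EXE programs start:", starts)
```

The Navidad key under HKCU\Software is deliberately left in place after the repair, matching the removal steps above, which only restore the two keys that affect program startup; it remains useful as an indicator that the system was infected.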