
W32/Navidad (Christmas) virus/worm alert! (11/10/00)

Question

Navidad (Christmas) virus/worm alert! (11/10/00)

Answer

This question was answered on November 10, 2000. Much of the information contained herein may have changed since posting.

The W32/Navidad (Spanish for Christmas) virus/worm is spreading, and it is using Microsoft's Outlook e-mail program to do so.

The worm will most likely arrive from an email address that you recognize and whose sender you trust. Attached is a file named NAVIDAD.EXE. When it is run, it displays a dialog box entitled "Error" which reads "UI". A blue eye icon then appears in the system tray next to the clock in the lower right corner of the screen, and a copy of the worm is saved to the file "winsvrc.vxd" in the WINDOWS SYSTEM directory.

If your PC becomes infected with the W32/Navidad worm and you are using Microsoft's Outlook e-mail program, every message from then on will be responded to automatically with an email from your address carrying the W32/Navidad worm as an attachment. This means you will unknowingly send it to everyone you receive a message from until you eradicate the worm from your system.

The major anti-virus companies have posted updates on their various websites to combat this, so be sure to update your anti-virus definition file ASAP!

If you find that you have been infected by this worm, you can download a zipped file from McAfee to repair your registry from http://www.mcafee.com/common/ssi/redir.asp?rc=444&url=http%3A%2F%2Fa868%2Eg%2Eakamai%2Enet%2F7%2F868%2F903%2F3595fc061a60f9%2Fdownload%2Emcafee%2Ecom%2Fproducts%2Fmcafee%2Davert%2Fstand%5Falone%2Fundo%2Ezip (requires an unzip utility).

If you have a moderate technical background, here is THE TECHNICAL STUFF!

When executed, the worm displays a dialog box with the cryptic letters:

UI

and the title:

Error

Then, the worm adds the following registry key:

HKEY_USERS\.DEFAULT\Software\Navidad

This key was supposed to be used to see if the computer was already infected. However, due to bugs in the code, the registry key is not utilized.

Next, the virus adds the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

with the value:

Win32BaseServiceMOD=\Windows\System\Winsvrc.exe

The worm copies itself into your Windows system directory as WINSVRC.VXD. Due to the difference in file name, the virus does not execute properly at startup.

After the file has been copied, the worm modifies an additional registry key. The worm changes:

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

to equal:

\Windows\System\winsvrc.exe "%1" %*"

Due to the mistake in the file name, the system is unusable. Whenever an .exe file is executed, the operating system prompts the user for the location of the file WINSVRC.EXE. The net result of this is that no program files can be launched. This may cause system instability and the system may have difficulty rebooting.

Next, the worm begins the email routine. The worm utilizes MAPI to send mail and works with Microsoft Outlook. The worm checks for all messages in your Inbox and replies to those messages that have one attachment. The reply consists of the same subject line and body, but contains the worm attached as NAVIDAD.EXE.

Finally, the worm places a blue eye icon in the system tray of the taskbar. When the mouse pointer is over the icon, the worm displays a yellow dialog box that states:

Lo estamos mirando...

(In English: We are watching it...)

When you click the icon, a dialog box with a button appears. The button contains the following text:

Nunca presionar este boton

(In English: Never press this button)

If the user presses the button, an error box with the title

Feliz Navidad

(In English: Merry Christmas)

displays the message

Lamentablemente cayo en la tentacion y perdio su computadora

(In English: Unfortunately you've fallen to temptation and have lost your computer).

If you close the dialog box by clicking the X instead of clicking the button, the following message appears:

buena eleccion

(In English: Good selection).

and exits. Despite the warning of losing the computer, no further changes are made to the system.

Removal: (DO NOT ATTEMPT UNLESS YOU HAVE A GOOD WORKING KNOWLEDGE OF THE WINDOWS REGISTRY!!!)

To remove W32.Navidad:

On the Windows taskbar, click Start > Programs > MS-DOS Prompt. The command prompt will display the current directory, which should be the Windows directory. In most cases that will be displayed as:

C:\WINDOWS>

Type ren REGEDIT.EXE REGEDIT.COM. (Renaming the Registry Editor to a .COM file lets it start even though the worm has hijacked the launching of .EXE files.)

Press Enter.

Type REGEDIT.

Press Enter.

Modify the following Registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

and change

"C:\WINDOWS\SYSTEM\winsvrc.vxd "%1" %*

to

"%1" %*

For clarity, these seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.

Delete the registry key:

HKEY_USERS\.DEFAULT\Software\Navidad

Restart your computer.

Using Windows Explorer, delete the \WINDOWS\SYSTEM\winsvrc.vxd file.
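The registry changes described in the technical section (the Navidad marker key, the Run value, and the hijacked exefile open command) and the manual removal steps above can be checked and prepared offline from a REGEDIT4 export, which is the format Windows 9x regedit produces with "Registry > Export Registry File". The following is an added example written for this article; it is not code from Data Doctors, McAfee, Symantec or any other vendor. The sample export is constructed to mirror the values the article lists, and the `[-key]` and `"name"=-` deletion syntax in the generated fragment is assumed to be accepted by the target regedit; the article's manual steps remain the authority. Removing the stale Run value is an addition beyond the article's steps, which only restore the exefile command and delete the marker key.

```python
"""Parse a REGEDIT4 export, look for W32/Navidad indicators, and build the
registry part of the cleanup. Added example, not from the original page."""
import re

# Constructed sample of what an infected Windows 98 machine might export for
# the three keys the article discusses (plus one unrelated Run value).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\\Windows\\System\\winsvrc.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="\\Windows\\System\\Winsvrc.exe"
"SystemTray"="SysTray.Exe"

[HKEY_USERS\.DEFAULT\Software\Navidad]
'''

NAVIDAD_MARKER_KEY = r"HKEY_USERS\.DEFAULT\Software\Navidad"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
CLEAN_EXE_COMMAND = '"%1" %*'  # the seven characters the article spells out


def _unescape(s):
    """Reverse .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def _escape(s):
    """Apply .reg string escaping for a value we write out."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}.
    The default value is stored under the empty name "". Only quoted string
    data is unescaped; anything else (dword:, hex:, the '-' delete marker)
    is kept as the raw text so nothing is silently dropped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value line outside of any key: %r" % raw)
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return human-readable findings for each Navidad indicator present."""
    findings = []
    # Registry paths are case-insensitive; the article itself writes both
    # CLASSES and Classes, so compare everything in lower case.
    lower = {k.lower(): v for k, v in keys.items()}
    if NAVIDAD_MARKER_KEY.lower() in lower:
        findings.append("marker key present: " + NAVIDAD_MARKER_KEY)
    for name, data in lower.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "win32baseservicemod" or "winsvrc" in data.lower():
            findings.append("Run value %s=%s" % (name, data))
    cmd = lower.get(EXEFILE_KEY.lower(), {}).get("")
    if cmd is not None and cmd.strip() != CLEAN_EXE_COMMAND:
        findings.append("exefile open command hijacked: " + cmd)
    return findings


def remediation_reg():
    """Build a REGEDIT4 fragment for the registry part of the removal:
    restore the exefile command, drop the Run value, delete the marker key.
    Deleting \WINDOWS\SYSTEM\winsvrc.vxd is still a separate manual step."""
    return "\r\n".join([
        "REGEDIT4",
        "",
        "[" + EXEFILE_KEY + "]",
        '@="' + _escape(CLEAN_EXE_COMMAND) + '"',
        "",
        "[" + RUN_KEY + "]",
        '"Win32BaseServiceMOD"=-',
        "",
        "[-" + NAVIDAD_MARKER_KEY + "]",
        "",
    ])


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_EXPORT)):
        print("FOUND:", finding)
    print(remediation_reg())
```

Run it against a real export by replacing SAMPLE_EXPORT with the file's contents; an empty findings list on a clean machine is the expected result, and the exefile check is the one that matters most, since that hijack is what makes every .EXE launch fail.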

Author

Posted by Ken of Data Doctors on November 10, 2000
