W32/Navidad (Christmas) virus/worm alert! (11/10/00)

Question

Navidad (Christmas) virus/worm alert! (11/10/00)

Answer

This question was answered on November 10, 2000. Much of the information contained herein may have changed since posting.

The W32/Navidad (Spanish for Christmas) virus/worm is on the spread and it is using Microsoft's Outlook e-mail program to do so.

The worm will likely come from an e-mail address that you recognize and trust. Attached is a file named NAVIDAD.EXE; when it is run, it displays a dialog box titled "Error" that reads "UI". A blue eye icon then appears in the system tray next to the clock in the lower right corner of the screen, and a copy of the worm is saved as the file "winsvrc.vxd" in the WINDOWS\SYSTEM directory.

If your PC becomes infected with the W32/Navidad worm and you are using Microsoft's Outlook e-mail program, every message you receive from then on will be answered automatically with an e-mail from your address carrying the W32/Navidad worm as an attachment. This means you will unknowingly send it to everyone you receive a message from until you eradicate the worm from your system.

The major anti-virus companies have posted updates on their various websites to combat this, so be sure to update your anti-virus definition file ASAP!

If you find that you have been infected by this worm, you can download a zipped file from McAfee to repair your registry (requires an unzip utility): http://www.mcafee.com/common/ssi/redir.asp?rc=444&urlhttp://a868.g.akamai.net/7/868/903/3595fc061a60f9/download.mcafee.com/products/mcafee-avert/stand_alone/undo.zip

If you have a moderate technical background, here is THE TECHNICAL STUFF!

When executed, the worm displays a dialog box with the cryptic letters:

UI

and the title:

Error

Then, the worm adds the following registry key:

HKEY_USERS\.DEFAULT\Software\Navidad

This key was supposed to be used to check whether the computer was already infected. However, due to bugs in the code, the registry key is never consulted.

Next, the virus adds the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

with the value:

Win32BaseServiceMOD=\Windows\System\Winsvrc.exe

The worm copies itself into your Windows system directory as WINSVRC.VXD. Because this file name does not match the Winsvrc.exe named in the Run value, the virus does not execute properly at startup.

After the file has been copied, the worm modifies an additional registry key. The worm changes:

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

to equal:

\Windows\System\winsvrc.exe "%1" %*

Due to the mistake in the file name, the system becomes unusable. Whenever an .exe file is executed, the operating system prompts the user for the location of the file WINSVRC.EXE. The net result is that no program files can be launched. This may cause system instability, and the system may have difficulty rebooting.

Next, the worm begins its e-mail routine. The worm uses MAPI to send mail and works with Microsoft Outlook. It checks all messages in your Inbox and replies to those that have one attachment. The reply carries the same subject line and body as the original message, with the worm attached as NAVIDAD.EXE.

Finally, the worm places a blue eye icon in the system tray of the taskbar. When the mouse pointer is over the icon, the worm displays a yellow dialog box that states:

Lo estamos mirando...

(In English: We are watching it...)

When you click the icon, a dialog box with a button appears. The button contains the following text:

Nunca presionar este boton

(In English: Never press this button)

If the user presses the button, an error box with the title

Feliz Navidad

(In English: Merry Christmas)

displays the message

Lamentablemente cayo en la tentacion y perdio su computadora

(In English: Unfortunately you've fallen to temptation and have lost your computer)

If you close the dialog box by clicking the X instead of clicking the button, the following message appears:

buena eleccion

(In English: Good selection)

and exits. Despite the warning about losing the computer, no further changes are made to the system.

Removal: (DO NOT ATTEMPT UNLESS YOU HAVE A GOOD WORKING KNOWLEDGE OF THE WINDOWS REGISTRY!!!)

To remove W32.Navidad:

On the Windows taskbar, click Start > Programs > MS-DOS Prompt. The command prompt will display the current directory, which should be the Windows directory. In most cases that will be displayed as:

C:\WINDOWS>

Type ren REGEDIT.EXE REGEDIT.COM (renaming the Registry Editor to a .COM file lets it start even though the .EXE association is broken)

Press Enter

Type REGEDIT

Press Enter

Modify the following Registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

and change

C:\WINDOWS\SYSTEM\winsvrc.vxd "%1" %*

to

"%1" %*

For clarity, these seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.

Delete the registry key:

HKEY_USERS\.DEFAULT\Software\Navidad

Restart your computer

Using Windows Explorer, delete the \WINDOWS\SYSTEM\winsvrc.vxd file

Author

Posted by Ken of Data Doctors on November 10, 2000