W32.Navidad

Discovered on: November 3, 2000

Last Updated on: November 11, 2000 09:38:15 PM PST

W32.Navidad is a mass-mailing worm. Using MAPI, it replies to every message in the Inbox that contains a single attachment; this works with Microsoft Outlook. The worm reuses the existing subject line and body of the message and attaches itself as NAVIDAD.EXE. Because of bugs in its code, the worm renders the system unusable once it has been executed.

Category: Worm

Virus definitions: November 6, 2000

Threat assessment:

Wild: High
Damage: High
Distribution: Medium

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Moderate
Removal: Difficult

Damage

Payload:
Causes system instability: Improperly changes registry keys

Distribution

Subject of email: Uses existing subject lines
Name of attachment: NAVIDAD.EXE
Size of attachment: 32,768 bytes

Technical description:

NOTE: If you are running Windows 95 or Windows 98, it is assumed that Windows is located in C:\WINDOWS. If you are running Windows NT or Windows 2000, it is assumed that Windows is located in C:\WINNT. If Windows is installed in a different directory, make the appropriate substitutions.

When executed, the worm displays a dialog box with the cryptic letters:

UI

and the title:

Error

Then, if you are running Windows 95 or Windows 98, the worm adds the following registry key:

HKEY_USERS\.DEFAULT\Software\Navidad

If you are running Windows NT or Windows 2000, the worm adds the following registry key:

HKEY_CURRENT_USER\Software\Navidad

This key was supposed to be used to check whether the computer was already infected. However, due to bugs in the code, the registry key is never consulted.

Next, if you are running Windows 95 or Windows 98, the worm adds a value under the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

with the value:

Win32BaseServiceMOD=\Windows\System\Winsvrc.exe

If you are running Windows NT or Windows 2000, the worm adds a value under the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

with the value:

Win32BaseServiceMOD=\Winnt\System32\Winsvrc.exe

The worm copies itself into your Windows system directory as WINSVRC.VXD. Because the file name in the Run value (Winsvrc.exe) differs from the name of the file actually dropped (WINSVRC.VXD), the worm does not execute at startup.

After the file has been copied, the worm modifies an additional registry key. If you are running Windows 95 or Windows 98, the worm changes:

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

to equal:

\Windows\System\winsvrc.exe "%1" %*"

If you are running Windows NT or Windows 2000, the worm changes:

HKEY_CLASSES_ROOT\exefile\shell\open\command

to equal:

\Winnt\System32\winsvrc.exe "%1" %*"

Due to the mistake in the file name, the system is unusable. Whenever an .exe file is executed, the operating system prompts the user for the location of the file WINSVRC.EXE. The net result is that no program files can be launched. This may cause system instability, and the system may have difficulty rebooting.
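
The registry artifacts described above can be checked on an exported hive. The following Python script is an added example and is not part of this advisory or of any vendor tool: it parses a .reg export (a constructed sample is embedded) and flags the three artifacts the text lists, namely the Software\Navidad marker key, the Win32BaseServiceMOD Run value, and an exefile\shell\open\command default that no longer equals the stock value. The stock value "%1" %* and the sample export are assumptions of this example.

```python
import re

# Constructed sample .reg export (not from a real infected machine) showing the NT/2000 changes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="\\Winnt\\System32\\Winsvrc.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\\Winnt\\System32\\winsvrc.exe \"%1\" %*"

[HKEY_CURRENT_USER\Software\Navidad]
'''
# Stock default of exefile\shell\open\command on a clean system (assumption of this example).
CLEAN_EXEFILE_COMMAND = '"%1" %*'

def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            name = '(Default)' if name == '@' else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo .reg backslash escapes
            keys[current][name] = data
    return keys

def find_navidad_indicators(keys):
    """Return (indicator, key, detail) tuples for the artifacts the advisory lists."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r'\software\navidad'):
            findings.append(('infection marker key', key, ''))
        if k.endswith(r'\currentversion\run'):
            for name, data in values.items():
                if name.lower() == 'win32baseservicemod' or 'winsvrc' in data.lower():
                    findings.append(('Run persistence value', key, f'{name}={data}'))
        if k.endswith(r'exefile\shell\open\command'):
            cmd = values.get('(Default)', '')
            if cmd != CLEAN_EXEFILE_COMMAND:
                # Names WINSVRC.EXE, which the worm never drops (it copies itself as WINSVRC.VXD).
                findings.append(('exefile association hijacked', key, cmd))
    return findings
```

Because the worm breaks the .exe association on the live system, run a check like this against a hive exported from the machine or from clean boot media rather than relying on tools launched from the infected installation.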

 

Next, the worm begins the email routine. The worm utilizes MAPI to send mail and works with Microsoft Outlook. The worm checks all messages in your Inbox and replies to those messages that have one attachment. The reply consists of the same subject line and body, but contains the worm attached as NAVIDAD.EXE.

Finally, the worm places a blue eye icon in the system tray of the taskbar. When the mouse pointer is over the icon, the worm displays a yellow dialog box that states:

Lo estamos mirando...
(In English: We are watching it...)

When you click the icon, a dialog box with a button appears. The button contains the following text:

Nunca presionar este boton
(In English: Never press this button)

If the user presses the button, an error box with the title

Feliz Navidad
(In English: Merry Christmas)

displays the message

Lamentablemente cayo en la tentacion y perdio su computadora
(In English: Unfortunately you've fallen to temptation and have lost your computer.)

If you close the dialog box by clicking the X instead of clicking the button, the following message appears:

buena eleccion
(In English: Good choice.)

and the worm exits. Despite the warning of losing the computer, no further changes are made to the system.