W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000 that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems.[1] It was designed to spread through email clients such as Microsoft Outlook[2] while masquerading as an executable electronic Christmas card.[3] Infected computers can be identified by blue eye icons which appear in the Windows system tray.[3]

Description

When the navidad.exe email attachment is run the files installs itself as "WINSVRC.VXD" in the \Windows\System directory. The worm modifies the default EXE file startup key in the Windows Registry, [HKEY_CLASSES_ROOT\exefile\shell\open\command], to allow the program to run any time any exe file is run. The worm also creates a startup key to ensure that it runs on startup. A bug in the Navidad virus installs the Registry Keys for "WINSVRC.EXE" even though the worm itself is installed with a .VXD file extension, as a result the worm prevents .exe files from running and does not run on startup.[4] The error "Windows cannot find winsvrc.exe" will be displayed instead.[5]

During installation a fake error message is displayed. After the user closes the message the identifiable blue eye icon appears on the system tray. Users who click on the eye icon will be presented with a dialog box that displays the text "Nunca presionar este boton" as a button. When clicked a variety of different messages, including one which states: "Emmanuel-God is with us!May god bless u.And Ash, Lk, and LJ!!"[3] and "Lamentablemente cayo en la tentacion y perdio si computadora" can be displayed depending on the version of the virus.

When the worm is activated it uses the MAPI32.DLL library to connect to a Microsoft Outlook or Exchange email to send itself to the email addresses of any unread emails in the user inbox.[4] This will send the worm to every address that sends the user an email until it is removed from the system.[6]

Because the original Navidad virus would fail to run a patched variant of the virus became more popular, due to being able to spread via email more effectively than the original virus. In some cases, Navidad.b would spread an "emanuel.exe" and install itself as "wintask.exe" in the Windows System directory to make it appear like a native Windows file.[7] The patched version of the virus fixed the issue that prevented exe files from running, instead allowing exe files to run as well as running the worm at the same time as initially intended.

Impact

The worm itself did not destroy data or seriously damage any infected computers, damage was limited to preventing exe files from running in the bugged version of the worm. This virus also did not spread as fast as other similar email worms such as Melissa or ILOVEYOU and caused limited disruptions in email services.[8] No known outages are attributed to the Navidad virus.

Antivirus researcher at McAfee, Vincent Gullotto, reported that at least 10 Fortune 500 companies had been infected by the worm, although he declined to specify which companies were impacted by the worm.[9]

References

  1. Cullison, David (2000-11-20). "Merry Christmas - The NAVIDAD Virus". giac.org: 1.
  2. "W32.Navidad". Symantec. Retrieved 27 February 2018.
  3. 1 2 3 "A short history of Christmas malware". Naked Security. 15 December 2010. Retrieved 27 February 2018.
  4. 1 2 "Worm:W32/Navidad Description | F-Secure Labs". www.f-secure.com. Retrieved 2022-04-05.
  5. "What is the Navidad email worm, and how do I get rid of it?". kb.iu.edu. Retrieved 2022-04-05.
  6. Doctors, Data. "Navidad (Christmas) virus/worm (Question 2585)| Data Doctors Free Help". Data Doctors Computer Services. Retrieved 2022-04-05.
  7. "Retooled Navidad virus on the loose". CNET. Retrieved 2022-04-06.
  8. "CNN.com - Technology - 'Navidad' computer virus poses moderate risk - November 10, 2000". us.cnn.com. Retrieved 2022-04-06.
  9. "A Not-So-Feliz 'Navidad'". www.cbsnews.com. Retrieved 2022-04-06.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.