Size: 32,768 bytes
Origin: South Africa
VDF Version:

Technical Details

The Internet worm TR.Worm.Navidad is sent as an email attachment from a contaminated computer. The attachment is named NAVIDAD.EXE. Because of a programming error, no application with the .EXE extension will be able to run after the worm is activated.

A new version of Navidad, known as W32.Navidad.B, has been in circulation since January 2001. It has the same payload as its predecessor, but it looks different. Instead of the eye-icon, this one has a flower-icon in the task bar.

When the worm is activated, an "Error" dialog box appears. While the supposed error message is shown, the Internet worm creates the file WINSVRC.VXD in %WINDOWS%\SYSTEM\ and changes the standard registry entry for .EXE files:

C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*"

The worm is thus supposed to be activated every time an .EXE file is opened. But here the programmer made a mistake: the file WINSVRC is created with the extension .VXD instead of .EXE, so the handler named in the registry entry does not exist and the system can no longer run any .EXE application. Next, the worm makes a registry entry to ensure that it runs on every system start (but here, too, the same mistake is made):

Win32BaseServiceMOD = C:\%ROOT%\System\winsvrc.exe

Finally, the worm writes the registry key:


When the "OK" button is pressed, the eye-icon appears in the task bar, showing that the Internet worm has infected your computer. When the eye-icon is clicked, two windows appear, which you confirm by pressing the "OK" button. If a MAPI email client (one using MAPI32.DLL) is installed, the Internet worm infects the unread emails, attaches NAVIDAD.EXE and sends them back to the sender.
Description inserted by Crony Walker on Tuesday, June 15, 2004
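
The .EXE handler change described above can be checked offline from a registry export. The following is an added example, not part of the original description or of any Avira tool: it reads the default value of the .EXE open handler and reports whether it is the stock value, a redirect, or a redirect to a file that is not on disk (the Navidad mistake). Assumptions: the key path HKEY_CLASSES_ROOT\exefile\shell\open\command is the standard Windows location and is not named on this page; the .reg export and the file listing are constructed samples; all function names are hypothetical.

```python
import re

# Standard Windows location of the .EXE open handler and its stock value (assumption:
# this is the "standard registry entry for .EXE files" the description refers to).
EXE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
DEFAULT_COMMAND = '"%1" %*'

# Constructed sample: a .reg export carrying the handler value from the description.
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"
'''
# Constructed sample: listing of the system directory (only the .VXD file exists).
DISK = [r"C:\WINDOWS\SYSTEM\winsvrc.vxd"]

def default_value(reg_text, key):
    """Return the unescaped default (@) value of `key` in a .reg export, or None."""
    current = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == key.lower() and line.startswith('@="') and line.endswith('"'):
            return re.sub(r"\\(.)", r"\1", line[3:-1])  # undo \\ and \" escaping
    return None

def handler_path(command):
    """Program the shell would launch: the first token, quoted or bare."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""

def assess(reg_text, files_on_disk):
    """Classify the .EXE handler: missing, default, hijacked or hijacked-broken."""
    command = default_value(reg_text, EXE_KEY)
    if command is None:
        return "missing"
    if command.strip().lower() == DEFAULT_COMMAND.lower():
        return "default"
    present = {f.lower() for f in files_on_disk}
    # A handler that is not on disk is the Navidad mistake: no .EXE can start.
    return "hijacked" if handler_path(command).lower() in present else "hijacked-broken"

if __name__ == "__main__":
    print(assess(INFECTED_EXPORT, DISK))
```

A result of "hijacked-broken" matches the symptom in the description: the handler points at winsvrc.exe while only winsvrc.vxd was created.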
