Alias: W32/Navidad@M
Type: Worm
Size: 32,768 bytes
Origin: South Africa
Date: 01-10-2001
Damage:
VDF Version:
Danger: High
Distribution: Low

Technical Details

The Internet worm TR.Worm.Navidad is sent as an email attachment from an infected computer. The attachment is named NAVIDAD.EXE. Because of a programming error in the worm, no application with the .EXE extension can be run once the worm has been activated.

In January 2001 a new version of Navidad was released, known as W32.Navidad.B. It carries the same payload as its predecessor but looks different: instead of the eye icon, it shows a flower icon in the task bar.

When the worm is activated, an "Error" dialog box appears. While this fake error message is displayed, the worm creates the file WINSVRC.VXD in %WINDOWS%\SYSTEM\ and changes the standard registry entry used to launch .EXE files:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*

The intent is that the worm is started every time an .EXE file is opened. But here the programmer made a mistake: the dropped file is named WINSVRC.VXD, while the registry entry points at winsvrc.exe, which does not exist. As a result the system can no longer run any .EXE application. Next, the worm adds a registry entry to make sure it is started on every system boot (and makes the same mistake here, too):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Win32BaseServiceMOD = C:\%ROOT%\System\winsvrc.exe

Finally, the worm writes the registry key:

[HKEY_CURRENT_USER\Software\Navidad]

When the "OK" button is pressed, the eye icon appears in the task bar; at this point it is visible that the worm has infected the computer. Clicking the eye icon opens two further windows, each dismissed with "OK". If a MAPI email client (one that uses MAPI32.DLL) is installed, the worm takes the unread emails, attaches NAVIDAD.EXE to them and sends them back to their senders.
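The three registry changes described above are the most reliable host-side indicators of this worm, and the hijacked exefile command is also the damage that has to be undone. The following Python script is an added example and is not Avira's code: it parses a .reg-style registry export (the text format produced by Registry Editor's export function; parsing such an export rather than the live registry is an assumption made so the check runs on any platform), flags the exefile open command whenever it deviates from the stock Windows value `"%1" %*`, reports Run entries pointing at winsvrc and the HKCU\Software\Navidad marker key, and emits a .reg fragment that restores the default exefile command. Both registry exports embedded in the script are constructed samples, not captures from a real host.

```python
import re

# Registry locations named in the Navidad description.
EXEFILE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
NAVIDAD_MARKER_KEY = r"HKEY_CURRENT_USER\Software\Navidad"

# Stock Windows value of the exefile open command (the key's default value).
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Constructed .reg-style export of an infected system; not captured from a real host.
INFECTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\System\\winsvrc.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Navidad]
"""

# Constructed export of a clean system, for comparison.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# A value line is either @=... (the default value) or "name"=...
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a .reg-style export into {key_path: {value_name: data}}.

    The default value of a key is stored under the name "". Keys without
    values still appear in the result, so their mere presence can be tested.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue  # unsupported line type (hex data, comments); ignore
        name_tok, data = m.group(1), m.group(2)
        name = "" if name_tok == "@" else _unescape(name_tok[1:-1])
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # REG_SZ; other types kept verbatim
        keys[current][name] = data
    return keys


def check_navidad_indicators(keys):
    """Return a list of human-readable findings; an empty list means nothing seen."""
    findings = []
    command = keys.get(EXEFILE_COMMAND_KEY, {}).get("")
    if command is not None and command.strip() != DEFAULT_EXEFILE_COMMAND:
        # Any deviation from the stock value means .EXE launches are hooked;
        # on a Navidad host the hook points at a winsvrc.exe that does not exist.
        findings.append(f"exefile open command hijacked: {command}")
        if "winsvrc" in command.lower():
            findings.append("exefile hook references winsvrc (Navidad)")
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "win32baseservicemod" or "winsvrc" in data.lower():
            findings.append(f"Run entry {name} = {data}")
    if NAVIDAD_MARKER_KEY in keys:
        findings.append("HKCU\\Software\\Navidad marker key present")
    return findings


def repair_exefile_command():
    """Return .reg text that restores the stock exefile open command."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{EXEFILE_COMMAND_KEY}]\n"
        '@="\\"%1\\" %*"\n'
    )


if __name__ == "__main__":
    for label, export in (("infected", INFECTED_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(label, check_navidad_indicators(parse_reg_export(export)))
    print(repair_exefile_command())
```

The exefile check is deliberately broader than a string match on winsvrc: because the stock value is known, any other command in that key is reported, which also catches variants that use a different file name. The repair fragment only puts the exefile command back; the Run entry and the marker key are left for the analyst to remove once the dropped file has been dealt with.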
Description entered by Crony Walker on Tuesday, 15 June 2004
