Size:32,768 bytes 
Origin:South Africa 
VDF Version:  

Technical DetailsThe Internet worm TR.Worm.Navidad is sent as email attachment from a contaminated computer. The attachment is named NAVIDAD.EXE. Because of a programming error, no application with .EXE extension will be able to run after the worm is activated.

Since January 2001 a new version of Navidad was released, known as W32.Navidad.B. It has the same payload as its predecessor, but it looks different. Instead of the eye-icon, this one has a flower-icon in the task bar.

When the worm is activated, an "Error" dialog box appears. While the supposed error message is shown, the Internet worm creates the file WINSVRC.VXD in %WINDOWS%\SYSTEM\ and changes the standard registry entry for the .EXE files:

C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*"

Thus, the worm should be activated any time an .EXE file is opened. But here the programmer has made a mistake: the file WINSVRC is made as .VXD instead of .EXE. So the system will not be able to run any .EXE application. Next, the worm makes a registry entry, to ensure its running on every system start (but here, too, the same mistake is made):

Win32BaseServiceMOD = C:\%ROOT%\System\winsvrc.exe

Finally, the worm writes the registry key:


As the "OK" button is pushed, the eye-icon appears on the task bar. Now you can see that the Internet worm has infected your computer. When the eye-icon is clicked, two windows appear and you confirm by pressing the "OK" button. If you have a MAPI-email client (using MAPI32.DLL) installed, the Internet worm infects the unread emails, places NAVIDAD.EXE as attachment and sends them back to the sender.
説明の挿入者 Crony Walker の 2004年6月15日火曜日

戻る . . . .
https:// このウィンドウは暗号化されています。