Alias: W32/Navidad@MM
Type: Worm
Size: 32.768 Bytes
Origin:
Date: 01-10-2001
Damage: Internet worm. Spreads by email, as attachment named Navidad.exe.
VDF Version: 6.23.00.00
Danger: High
Distribution: Low

Distribution
If you use a MAPI email client (one that uses MAPI32.DLL), the worm attaches the file NAVIDAD.EXE to the unread emails and sends all of them back to their senders.

Attachment: NAVIDAD.EXE

Technical Details
Because of a programming error, no .exe application can be run after the worm is activated.
When NAVIDAD.EXE is opened, a false error window is displayed.
At the same time, the worm creates the file WINSVRC.VXD in %WINDIR%\%SystemDIR%\ and changes the standard registry entry for .exe files:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*
Thus, the worm should be activated every time an .exe file is opened but, because of a programming error, no .exe application can be opened.

Then, an autostart registry entry is made (but the same error occurs):
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] Win32BaseServiceMOD = C:\%ROOT%\System\winsvrc.exe

A last registry entry is made:
[HKEY_CURRENT_USER\Software\Navidad]

After the "OK" button is pressed, an eye icon appears in the Windows taskbar. Clicking this icon displays two more messages:
"Nunca presionar este boton"
"Lamentablemente cayo en la tentacion y perdio su computadora"
An "OK" button can be pressed.
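
The three registry changes described above can be checked in a registry export taken from a suspect machine. The following Python code is an added example, not part of the original description; the function names, the constructed sample export and the assumption that the stock handler value is "%1" %* are introduced here for illustration.

```python
import re

# Indicators taken from the description above. DEFAULT_EXE_CMD is the stock
# Windows handler value (an assumption of this example, not from the page).
EXE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARK_KEY = r"HKEY_CURRENT_USER\Software\Navidad"
RUN_VALUE = "Win32BaseServiceMOD"
DEFAULT_EXE_CMD = '"%1" %*'

# One string value line of a .reg export: @="data" or "name"="data".
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg files escape backslashes and quotes with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Parse string values of a regedit text export into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = _VALUE.match(line)
            if m:  # "" is used as the name of the key's default value
                name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
                current[name.lower()] = _unescape(m.group(2))
    return keys

def navidad_findings(text):
    """Return (finding, detail) pairs for the registry changes listed above."""
    reg, found = parse_reg(text), []
    cmd = reg.get(EXE_KEY.lower(), {}).get("")
    if cmd is not None and cmd != DEFAULT_EXE_CMD:
        found.append(("exefile handler replaced", cmd))
    run = reg.get(RUN_KEY.lower(), {}).get(RUN_VALUE.lower())
    if run is not None:
        found.append(("autostart entry " + RUN_VALUE, run))
    if MARK_KEY.lower() in reg:
        found.append(("marker key present", MARK_KEY))
    return found

# Constructed sample export (not captured from a real system).
SAMPLE = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\winsvrc.exe"
[HKEY_CURRENT_USER\Software\Navidad]
'''
```

Exports in the "Windows Registry Editor Version 5.00" format are UTF-16 encoded and must be decoded to text before being passed to navidad_findings.
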
Description submitted by Crony Walker on Tuesday, June 15, 2004
