The Internet worm TR.Worm.Navidad is sent as email attachment from a contaminated computer. The attachment is named NAVIDAD.EXE. Because of a programming error, no application with .EXE extension will be able to run after the worm is activated.
Since January 2001 a new version of Navidad was released, known as W32.Navidad.B. It has the same payload as its predecessor, but it looks different. Instead of the eye-icon, this one has a flower-icon in the task bar.
When the worm is activated, an "Error" dialog box appears. While the supposed error message is shown, the Internet worm creates the file WINSVRC.VXD in %WINDOWS%\SYSTEM\ and changes the standard registry entry for the .EXE files:
C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*"
Thus, the worm should be activated any time an .EXE file is opened. But here the programmer has made a mistake: the file WINSVRC is made as .VXD instead of .EXE. So the system will not be able to run any .EXE application. Next, the worm makes a registry entry, to ensure its running on every system start (but here, too, the same mistake is made):
Win32BaseServiceMOD = C:\%ROOT%\System\winsvrc.exe
Finally, the worm writes the registry key:
As the "OK" button is pushed, the eye-icon appears on the task bar. Now you can see that the Internet worm has infected your computer. When the eye-icon is clicked, two windows appear and you confirm by pressing the "OK" button. If you have a MAPI-email client (using MAPI32.DLL) installed, the Internet worm infects the unread emails, places NAVIDAD.EXE as attachment and sends them back to the sender.
說明撰寫者 Crony Walker 開啟 2004年6月15日星期二