Alias: W32/Navidad@M
Type: Worm
Size: 32,768 bytes
Origin: South Africa
Date: 01-10-2001
Damage:
VDF Version:
Danger: High
Distribution: Low

Technical Details

The Internet worm TR.Worm.Navidad is sent as an email attachment from a contaminated computer. The attachment is named NAVIDAD.EXE. Because of a programming error, no application with the .EXE extension can run after the worm is activated.

A new version of Navidad, known as W32.Navidad.B, has been in circulation since January 2001. It has the same payload as its predecessor, but it looks different: instead of the eye-icon, this one shows a flower-icon in the task bar.

When the worm is activated, an "Error" dialog box appears. While the supposed error message is shown, the Internet worm creates the file WINSVRC.VXD in %WINDOWS%\SYSTEM\ and changes the standard registry entry for the .EXE files:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*

The intent is that the worm is activated every time an .EXE file is opened. But here the programmer made a mistake: the file WINSVRC is created with the extension .VXD instead of .EXE, so the registry entry points to a file that does not exist and the system cannot run any .EXE application. Next, the worm creates a registry entry to ensure that it runs at every system start (but here, too, the same mistake is made):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Win32BaseServiceMOD = C:\%ROOT%\System\winsvrc.exe

Finally, the worm writes the registry key:

[HKEY_CURRENT_USER\Software\Navidad]

When the "OK" button is pressed, the eye-icon appears on the task bar. This icon shows that the Internet worm has infected the computer. When the eye-icon is clicked, two windows appear, each of which is confirmed by pressing the "OK" button. If a MAPI email client (one using MAPI32.DLL) is installed, the Internet worm infects the unread emails by adding NAVIDAD.EXE as an attachment and sends them back to the sender.
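
The three registry changes described above can be checked for in a regedit text export. The following Python sketch is an added example, not code from the original description; the function names and the sample export are constructed for illustration, and the clean handler value `"%1" %*` is the Windows default for .EXE files.

```python
import re

# Indicators from the description above (keys lower-cased for comparison).
EXE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_current_user\software\navidad"
CLEAN_EXE_HANDLER = '"%1" %*'  # Windows default open command for .EXE files

def parse_reg(text):
    """Parse a regedit text export into {key: {name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
                # Exports escape backslashes and quotes; undo that here.
                current[name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def check_navidad(text):
    """Return findings that match the registry changes described above."""
    keys, findings = parse_reg(text), []
    handler = keys.get(EXE_KEY, {}).get("@")
    if handler is not None and handler != CLEAN_EXE_HANDLER:
        findings.append(("exe-handler-hijacked", handler))
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "win32baseservicemod" or "winsvrc" in data.lower():
            findings.append(("run-entry", name))
    if MARKER_KEY in keys:
        findings.append(("marker-key", MARKER_KEY))
    return findings

# Constructed sample export (not captured from a real system).
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\winsvrc.exe"
"SystemTray"="SysTray.Exe"

[HKEY_CURRENT_USER\Software\Navidad]
'''
if __name__ == "__main__":
    print(*check_navidad(SAMPLE), sep="\n")
```

Because the hijacked handler prevents .EXE files from starting, the export has to be taken and inspected by means that do not depend on launching an .EXE on the affected system.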
Description written by Crony Walker on Tuesday, June 15, 2004
