| Navidad | |
|---|---|
| Type | Mass-mailer worm |
| Creator | |
| Date Discovered | 2000.11.03 |
| Place of Origin | South America |
| Source Language | C++ |
| Platform | MS Windows |
| File Type(s) | .exe |
| Infection Length | 32,768 bytes |
| Reported Costs | |
Navidad is a mass-mailer worm that displays messages in Spanish. The worm is capable of making the computer unusable and whether or not this is intentional is uncertain, as the code has numerous bugs. "Navidad" means "Christmas" in Spanish. It ended up causing very little actual damage as it alerted users of its presence from the time it infected the system and only became destructive if it was not removed quickly.
Behavior
Navidad arrives in an email that appears to be a reply from someone the user has sent mail to.
When Navidad is executed, it displays a dialog box titled "Error" containing the letters "UI". It checks for a registry key that is meant to indicate whether the computer is already infected with the worm. Under Windows 9x and ME this is a key in the users hive, \.DEFAULT\Software\Navidad; under Windows NT, 2000 and XP it is a key in the current user hive, \Software\Navidad. The author may have intended this key as the already-infected check, but due to bugs in the code it is never used. It then adds the value "Win32BaseServiceMOD=(system folder)\Winsvrc.exe" to the registry key that causes it to run on startup.
It then copies itself to the system folder as Winsvrc.vxd and adds the value "\(system folder)\winsvrc.exe %1 %*" to two registry keys that cause winsvrc.exe to run whenever an .exe file is launched. This renders the computer unusable: the file was copied as Winsvrc.vxd, but the registry tells Windows to look for Winsvrc.exe. Windows prompts the user to locate Winsvrc.exe, making it impossible to launch programs or even start the system.
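A defender-side check for the two registry changes described above, added here as an example and not taken from the article or from any vendor tool: it parses a constructed .reg export and flags the startup value and the hijacked .exe handler. The Run key path, the exefile\shell\open\command path and its normal default value "%1" %* are assumptions, since the article names neither key.

```python
# Constructed sample of a Windows .reg export in the state the article describes
# (not a real capture). The Run key and the exefile\shell\open\command key are
# assumed locations for the registry changes; the article names neither key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\Winsvrc.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe %1 %*"
'''

# Assumed normal default for exefile\shell\open\command; restoring it is the
# remediation for the "cannot find Winsvrc.exe" lockout the article describes.
CLEAN_EXE_COMMAND = '"%1" %*'


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export ('@' is the default value)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, data = line.split('=', 1)
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def find_navidad_indicators(reg_text):
    """Return (key, value_name, finding) triples for the two registry changes the worm makes."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        low = key.lower()
        for name, data in values.items():
            if 'winsvrc' not in data.lower():      # both changes point at winsvrc.exe
                continue
            if low.endswith('\\currentversion\\run'):
                findings.append((key, name, 'startup persistence'))
            elif low.endswith('\\exefile\\shell\\open\\command'):
                findings.append((key, name, 'exe handler hijack; restore ' + CLEAN_EXE_COMMAND))
    return findings


if __name__ == '__main__':
    for key, name, finding in find_navidad_indicators(SAMPLE_REG):
        print(f'{finding}: [{key}] {name}')
```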
Navidad then begins mailing itself. Using the MAPI protocol to spread, it can work with many types of email clients, including Microsoft Outlook. Navidad checks for all messages in the inbox and sends itself as a reply to any message with an attachment. The reply contains the same subject and body as the original message, but with NAVIDAD.EXE added as an attachment.
Navidad then places an icon of a blue eye in the task bar system tray. When the mouse is pointed at the icon, a yellow dialog box with the text "Lo estamos mirando…" (English: We are watching you) appears. When the icon is clicked, a dialog box appears with a button labelled "Nunca presionar este boton" (English: never press this button). When the button is pressed, an error box titled "Feliz Navidad" (English: Merry Christmas) appears with the text "Lamentablemente cayo en la tentacion y perdio su computadora" (English: Unfortunately you've fallen to temptation and have lost your computer). If the user presses the "X" at the top right of the window, the message "buena eleccion" (English: good choice) appears and the dialog exits.
Effects
While the worm does have the ability to render a computer unusable, many antivirus experts have said that the worm can be easily removed with little damage if caught early.
10 Fortune 500 companies reported worm infections. The worm is reported to have struck Intel and ExxonMobil. 20 members of the Law Society of Singapore reported receiving an attachment named Navidad.exe that would have had effects similar to those of Navidad.
Origin
The exact origin of the worm is uncertain, but the language of its messages suggests that it comes from Spain or Latin America. A McAfee researcher said that many infected emails appeared to come from Brazil, even though Brazil is one of the few countries in Latin America where Portuguese, not Spanish, is spoken.
Sources
Eric Chien. Symantec.com, "W32.Navidad".
AsiaWeek.com Technology, "VIRUS: Lawyer e-Bashing In Singapore". 2000.12.08 (bottom of page)
Linda Harrison. The Register, "Intel victim of pesky pre-Chrimbo computer virus". 2000.11.10
Erich Luening. CNet, "Christmas virus causes mild clamor on the desktop". 2000.11.10
Michelle Delio. Wired, "Holiday Bug May Be Catching". 2000.11.15