For Home

Virus Profile: W32/Navidad@M

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/3/2000
Date Added: 11/3/2000
Origin: South America
Length: 32,768
Type: Virus
Subtype: Internet Worm
DAT Required: 4110
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- Presence of the EYE icon in the lower right corner of your screen
- When the cursor is placed over the EYE icon, the text, "Lo estamos mirando..." is displayed. Translated this means, we are watching it.
- When the "eye" icon is clicked, a button appears reading, "Nunca presionar este boton". Translated this means, never press this button.
- When the button is pressed, a messages box is displayed entitled, "Feliz Navidad", which reads "Lamentablemente cayo en la tentacion y perdio su computadora". Translated this reads, Merry Christmas, Unfortunately you've given in to temptation and lose your computer.

Methods of Infection

W32/Navidad@M is spreading on its own despite a bug in the program. This worm will arrive as an email attachment with the name Navidad.exe. Running the attachment infects your machine.

This worm can be terminated on a system - when Navidad is running, click on the eye in the system tray. When the dialog box with the big button labeled don't press me (sic) appears, press the little close window button in the top right corner (marked X)

Another message box pops up , pressing OK on this message box makes the worm exit - the eye disappears and the program terminates.

Aliases

TROJ_NAVIDAD.B, TROJ_NAVIDAD.C, TROJ_NAVIDAD.D, TROJ_NAVIDAD.E, Emanuel, Emmanuel, I-Worm.Navidad, Navidad, TROJ_EMMANUEL, TROJ_NAVIDAD.A, W32.Navidad, W32.Navidad.16896, W32/Navidad-B, W32/Navidad.e@M, W32/Navidad.f@M, W32/Navidad.gen@M, Win32/Navidad.Worm
   

Virus Characteristics

Update April 11, 2002:
A minor variant of W32/Navidad.e@M was recently announced. The file has an inactive remnant of the W32/Magistr@MM virus. Users using the 4110 DAT or higher will detect this as W32/Navidad.e@M.

Update January 16, 2001:
4110 is the absolute minimum DAT users can reliably detect W32/Navidad and known variants. McAfee AVERT recommends users use the latest available DAT files for full coverage.

The 4107 DAT update contains instructions for engine v4.1.10 to remove the registry entry created by this Internet worm. VirusScan may identify this threat as a Trojan due to the methods used by the Engine and DATS to terminate the running task.

If you are unable to run .EXE files as a result of a Navidad infection, follow the removal instructions on this page or download this UNDO.REG file and open it.

This is an Internet worm which uses MAPI Outlook to spread. It will be received by email as a response to a sent email message to an infected user, with the attachment NAVIDAD.EXE.

When run, this worm displays a dialog box entitled, "Error" which reads "UI". A blue eye icon appears in the system tray next to the clock in the lower right corner of the screen, and a copy of the trojan is saved to the file winsvrc.vxd in the WINDOWS SYSTEM directory. The following registry key values are created:

HKCU\SOFTWARE\Navidad

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Win32BaseServiceMOD=C:\WINDOWS\SYSTEM\winsvrc.exe

HKCR\exefile\shell\open\command\
(default)=C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*

HKLM\Software\CLASSES\exefile\shell\open\command\
(default)=C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*

In the last 2 entries above, the previous value was

"%1" %*

As these registry values use the incorrect file extension, an error message is displayed when attempting to launch any .EXE file.

This problem can be recovered by opening an MS-DOS prompt and going into the Windows directory and then copying REGEDIT.EXE as REGEDIT.COM. You can then run REGEDIT from the START menu and browse to the registry path to remove the invalid entry mentioned above.

This worm can be terminated on a system - when Navidad is running, click on the eye in the system tray. When the dialog box with the big button labeled don't press me (sic) appears, press the little close window button in the top right corner (marked X)

Another message box pops up , pressing OK on this message box makes the worm exit - the eye disappears and the program terminates.

Variants

Variants information
Virus Name Type Subtype Differences
Emanuel Virus Internet Worm Detected with the 4109 DAT

- Attachment name: Emanuel.exe
- The filename Wintask.exe is used instead of winsvrc.exe
- Fixed filename bug, which results in the worm launching additional instances of itself whenever an attempt is made to launch a .EXE file
- Displays flower, task tray icon
- Displays Error message containing the text, ;)
- Displays message box entitled, Emmaneul....., which reads,
Emmanuel-God is with us!May god bless u.And Ash, Lk and LJ!!

(see Virus Characteristics section for images)
   

Removal of the registry entry can be accomplished when using the 4.1.10 engine or higher. Although the 4.0.70 engine can remove this worm, the registry data will not be corrected.

One trick that AVERT has discovered is to rename the registry editing program from their original .EXE to a .COM extension (as in REGEDIT.COM). Be sure to rename .EXE files back to their original filenames/extensions once removal is complete. This will by pass the limitations created by removing the worm prior to editing the registry. This will allow you to remove references of trojans and Internet worms.

--- Manual Removal Instructions ---

There are 2 options for manual removal:

A1) Identify and note the files associated with this worm as detected by the scanner.

A2) Download this UNDO.REG file, and open it.

A3) Click START|RUN, type REGEDIT and hit ENTER.

A4) Remove any keys that run the main worm under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

A5) Exit the Registry

A6) Restart the system

A7) Delete the file(s) associated with this worm

--- Alternate Manual Removal Instructions ---

B1) Identify and note the files associated with this worm as detected by the scanner.

B2) Click START|RUN, type
COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM
and hit ENTER

B3) Click START|RUN, type REGEDIT.COM and hit ENTER

B4) Remove references to the trojan from these keys of the registry HKEY_CLASSES_ROOT\exefile\shell\open\command\ HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

They should contain only the value not including brackets [''%1'' %*].

B5) Remove any keys that run the main worm under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

B6) Exit the Registry

B7) Restart the system

B8) Delete the worm program(s). If all is well the files should be deleted OK. If you get an error message saying that windows is unable to delete the file because it is in use, then you have made an error in the above procedure and should repeat the process.