F-Secure Virus Descriptions : Navidad.b
NAME:Navidad
ALIAS:I-Worm.Navidad, W32/Watchit.intd, I-Worm_Navidad, W32/Navidad
SIZE:32768

Navidad is an Internet worm. It spreads as a NAVIDAD.EXE attachment to e-mail messages sent from an infected computer. The icon of the worm's executable file looks like this:

The original worm sample that we received has a bug that renders an infected system inoperable: after infection, no EXE files can be started.

When run, NAVIDAD.EXE installs itself as WINSVRC.VXD in the \Windows\System directory and modifies several Registry keys. It changes the default EXE file startup key

 [HKEY_CLASSES_ROOT\exefile\shell\open\command]

so that it is started whenever any EXE file is launched. The worm also ensures it runs on every Windows startup by creating an autostart value under

 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].

The worm also creates a 'Navidad' key under the following section:

 [HKEY_CURRENT_USER\Software]

However, there is a bug in the worm's code: the Registry keys reference a WINSVRC.EXE file, while the worm installs itself as WINSVRC.VXD. As a result, no EXE files can be started after infection, and the worm is not activated on the next Windows startup either. To repair the damage done by this worm, download and run the special REG file below. It restores the default EXE file startup key value and also removes the worm's autostart key.

ftp://ftp.europe.F-Secure.com/anti-virus/tools/naviddis.reg
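As an added example (not the naviddis.reg file or any F-Secure tool), the following Python parses a REGEDIT4-style Registry export and flags the three changes described above for both variants: a non-default EXE startup command, an autostart value naming one of the worm's files, and the HKEY_CURRENT_USER\Software\Navidad key. The sample export, its value name and the C:\WINDOWS\SYSTEM path are constructed assumptions.

```python
import re

CLEAN_EXE_COMMAND = '"%1" %*'  # assumption: standard Windows default EXE startup command
EXE_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Navidad"
WORM_FILES = ("WINSVRC.EXE", "WINSVRC.VXD", "WINTASK.EXE", "NAVIDAD.EXE", "EMANUEL.EXE")  # both variants

def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key: {value_name: data}} (REG_SZ values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"', line)
        if val and current is not None:
            name = "" if val.group(1) == "@" else val.group(1)[1:-1]
            keys[current][name] = re.sub(r"\\(.)", r"\1", val.group(2))  # undo \\ and \" escapes
    return keys

def navidad_indicators(keys):
    """Return findings for the three Registry locations the description names."""
    findings = []
    exe_cmd = keys.get(EXE_CMD_KEY, {}).get("", CLEAN_EXE_COMMAND)
    if exe_cmd != CLEAN_EXE_COMMAND:  # anything but the clean default wraps every EXE launch
        findings.append(f"EXE association hijacked: {exe_cmd}")
    for name, data in keys.get(RUN_KEY, {}).items():
        if any(w in data.upper() for w in WORM_FILES):
            findings.append(f"autostart value '{name}' -> {data}")
    if MARKER_KEY in keys:
        findings.append("marker key HKEY_CURRENT_USER\\Software\\Navidad present")
    return findings

# Constructed sample export modelled on the original variant: the value name and the
# C:\WINDOWS\SYSTEM path are assumptions, not values taken from the analysis.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\WINSVRC.EXE \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleValueName"="C:\\WINDOWS\\SYSTEM\\WINSVRC.EXE"
[HKEY_CURRENT_USER\Software\Navidad]
'''
```

Running `navidad_indicators(parse_reg_export(SAMPLE_EXPORT))` yields three findings; a clean export with the default command and none of the other keys yields none.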

During installation the worm displays a fake error message:

After the user presses 'OK', an 'eye' icon appears in the Windows taskbar:

This is the main sign of a Navidad infection. When a user clicks that icon, the following dialog box with the text 'Nunca presionar este boton' ('Never press this button') is displayed:

and when the only button in that dialog box is clicked, another message box with the text 'Lamentablemente cayo en la tentacion y perdio si computadora' ('Unfortunately you fell into temptation and lost your computer') appears:

When activated, the worm connects to a MAPI-compatible e-mail client through the MAPI32.DLL library, enumerates all unread e-mails, collects e-mail addresses from them and sends itself to those addresses.

This worm variant is rather easy to remove from an infected system. First, download and run the special REG file:

ftp://ftp.europe.F-Secure.com/anti-virus/tools/naviddis.reg

Then open Task Manager and kill all 'NAVIDAD' and 'WINSVRC' tasks. The worm's files NAVIDAD.EXE and WINSVRC.VXD can then be deleted manually or by FSAV without any problem.

NAME:Navidad.b
ALIAS:I-Worm.Navidad.b, I-Worm_Navidad.b
SIZE:16896

This variant of the Navidad worm is a patched version of the original. Unlike the original, it spreads as EMANUEL.EXE and installs itself as WINTASK.EXE in the Windows System directory. It also modifies the EXE file startup key (this time correctly) so that it is run whenever a user launches any EXE program.

When run, Navidad.b displays a message box:

Then it installs itself in memory and shows an ICQ-like icon (a green flower with a yellow centre) in the System tray:

When the cursor is placed over that icon, the message "Come on lets party!!!" is displayed. When a user clicks the icon, Navidad.b displays its original dialog with a button:

If the user clicks [X] to close the dialog, the worm displays the following message box and exits:

Otherwise, if the user clicks the 'Nunca presionar este boton' button, the worm displays the following message box:

Navidad can be disinfected with a fresh version of FSAV and the latest updates for it:

http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml

Note that the Navidad file(s) might be locked while Windows is active, and older versions of FSAV for Windows might not be able to remove them. In that case you can exit to DOS and remove the Navidad file(s) manually. First, download and run the special REG file that fixes the Registry entries patched by the worm:

ftp://ftp.europe.F-Secure.com/anti-virus/tools/naviddis.reg

Then restart your system and delete EMANUEL.EXE (if it was copied to a hard drive) and \WINDOWS\SYSTEM\WINTASK.EXE to remove the disabled Navidad.b component. If you are using FSAV, apply the REG file, restart your system and run FSAV to remove the disabled worm components.

You can also use the free version of F-Prot for DOS to remove Navidad from an infected system. Disinfection must be performed from pure DOS, and the REG file listed above must be run before exiting Windows.

ftp://ftp.europe.F-Secure.com/anti-virus/free/
ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/

For successful disinfection, all files detected as Navidad should be deleted from the infected system.

[Analysis: Alexey Podrezov, F-Secure Corp.; Nov 2000 - Jan 2001]