
Another virus on the prowl - W32.Navidad.Worm

DQW Bureau

DWQ News Bureau


Viruses are on the prowl. First it was Happy99, followed by Melissa, CIH, Loveletter and more recently, the MTX.Worm.


On the heels of these viruses, a new and probably more powerful variant has begun its prowl. Called W32.Navidad.Worm, this deadly virus is spreading rapidly and may be entering your mailbox while you're reading this.

W32.Navidad.Worm is an Internet worm that spreads as a NAVIDAD.EXE attachment to e-mail messages sent from an infected computer. When the attachment is clicked, the worm displays an error message with the text 'UI' and installs itself to run whenever any EXE is executed. It then enumerates all unread e-mails, gets e-mail addresses from them and sends itself out to these addresses. Due to a bug in the worm's code, no EXE files can be started in the system after infection, rendering the system unusable.

The W32.Navidad.Worm has a bug that makes an infected system unusable after infection, as you will not be able to start any EXE files. When executed, the NAVIDAD.EXE file copies itself as WINSVRC.VXD into the \Windows\System directory and modifies several registry keys. It changes the default EXE file startup key so that it starts with every EXE file. The worm also tries to make sure it is run on each Windows startup by creating another startup key in CurrentVersion\Run.


The worm also creates a 'Navidad' key in the following section:


But there's a bug in the worm's code: the Registry keys are created for a WINSVRC.EXE file, while the worm installs itself as a WINSVRC.VXD file. As a result, no EXE files can be started in the system after infection. The worm also doesn't get activated on the next Windows startup.
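The mismatch described above (registry entries naming WINSVRC.EXE while only WINSVRC.VXD exists on disk) can be checked for mechanically. The following is an added example, not code from the article or from K7 Computing: it audits a regedit text export against a listing of the system directory. The full key paths and the standard `"%1" %*` handler are this example's assumptions, since the article does not spell them out, and the sample export, the `ExampleEntry` value name and the file listing are constructed.

```python
import re

# Well-known Windows default for launching .exe files, and the two key locations
# checked here (assumptions of this example; the article does not spell them out).
DEFAULT_EXE_HANDLER = '"%1" %*'
EXE_HANDLER_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Run"
LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse a regedit text export into {key: {value_name: string_data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := LINE.match(line)):
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def program_of(command):
    """Lower-cased file name of the program a command line would start."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return re.split(r"[\\/]", m.group(1) or m.group(2))[-1].lower() if m else ""

def audit(reg_text, system_files):
    """Flag a changed EXE handler and startup entries whose target file is absent."""
    present = {f.lower() for f in system_files}
    findings = []
    for key, values in parse_reg(reg_text).items():
        is_handler = key.upper() == EXE_HANDLER_KEY.upper()
        is_run = key.upper().endswith(RUN_KEY_SUFFIX.upper())
        for name, data in values.items():
            changed = is_handler and name == "@" and data != DEFAULT_EXE_HANDLER
            if changed:
                findings.append(("exe-handler-changed", name, data))
            if (changed or is_run) and program_of(data) not in present:
                findings.append(("target-missing", name, program_of(data)))
    return findings

# Constructed sample export and directory listing, not taken from a real system.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleEntry"="C:\\WINDOWS\\SYSTEM\\winsvrc.exe"
"SystemTray"="SysTray.Exe"
'''
SAMPLE_FILES = ["WINSVRC.VXD", "SYSTRAY.EXE", "EXPLORER.EXE"]
```

A changed handler whose target is also missing from disk is the combination the article describes: every attempt to launch an EXE is routed to a file that does not exist.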

During installation, the worm displays an error message with the text "UI". When the OK button is clicked, the worm displays an icon of an eye in the Windows task bar, and whenever this icon is clicked a message box appears with the text "Nunca pressionar este boton".

If the user clicks the button, the worm displays a dialog box with the title "Feliz Navidad" and the text "Lamentablemente cayo en la tentaction y perdio su computadora". The title means "Merry Christmas".

Once the worm is activated, it enumerates all unread e-mails and sends itself as an attachment to those e-mail addresses.


Chennai-based K7 Computing announced that the company has traced this new virus and has also posted a cure for the W32.Navidad.Worm in its product Vx2000 Plus. To download the cure, you can visit www.K7Computing.com.
