By Rob Corder
E-mail-borne virus could be the most prolific to date. The Navidad virus sends itself to every person in your e-mail address book, and each e-mail has a different subject line.
A new virus, Navidad.A, is running wild throughout the Middle East. Its ability to spread prolifically by sending itself many times to an individuals e-mail address book under different e-mail subject lines means it could become the most wide-spread virus ever experienced in the region.
Fortunately, a bug in the e-mail worm-type virus means its destructive payload does not successfully launch. It’s distribution mechanism, however, is very much intact and the number of times it sends itself around could give mail servers serious performance difficulties.
Computer Associates’ Anti-Virus resource centre gives the following full description of the virus:
Navidad.A (Also known as Win32.Navidad.A) arrives in an e-mail message, the subject of which is variable. The worm replies to messages so the subject will usually match one that the recipient has previously sent. The body of the message is empty except for an attachment called: Navidad.exe.
When run, the worm immediately displays a dialog box with the title "Error", the text "UI" and an "OK" button.
When the "OK" button is pressed, the worm immediately starts to send itself. It does this by going through all of the messages in the Inbox of the default MAPI mail client and replying to each one. The replies have exactly the same subject as the original message ("Re:" is NOT added), and in place of the message body, the worm is attached. These messages are sent using the default MAPI mail client, so they may appear in the Outbox of Outlook or Outlook Express before being sent, depending on the user's settings.
The worm displays an icon (in the form of a blue eye) on the system tray of the Windows task bar. If the mouse cursor is placed over the icon, the ToolTip message will display "Lo estamos mirando..." (which means, "We are watching it") .
If the icon is clicked, a window containing a single button will be displayed. The text on the button is "Nunca presionar este boton" (which means, "Never push this button").
When the button is clicked, another window with the title "Feliz Navidad" (which means, "Merry Christmas") will appear. This window contains the text "Lamentablemente cayo en la tentacion y perdio su computadora" (which means, "Unfortunately he/she did not resist the temptation and lost his/her computer") and an "OK" button.
The worm also attempts to install itself onto the system, and this is where the bug lies. The worm makes a copy of itself, as "Winsvrc.vxd", in the Windows System directory. It then creates two registry keys which point to a different filename, "Winsvrc.exe":
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion RunWin32BaseServiceMOD = "C:WINDOWSSYSTEMWinsvrc.exe"
HKEY_CLASSES_ROOTexefileshellopencommand(Default) = "C:WINDOWSSYSTEMWinsvrc.exe "%1" %"
As the "Winsvrc.exe" file does not exist, the first registry change will have no effect. The second change, however, will effectively stop all .EXE files from being executed. Whenever the user tries to execute a program, a message will be displayed informing the user that Windows cannot find winsvrc.exe, and the program will not run.
The Navidad virus has already been well researched by all major anti-virus organisations and all have new virus definitions and fixes on their Web sites.