
W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000, that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. It was designed to spread through email clients such as Microsoft Outlook while masquerading as an executable electronic Christmas card. Infected computers can be identified by blue eye icons which appear in the Windows system tray.


Description

When the navidad.exe email attachment is run, the file installs itself as "WINSVRC.VXD" in the \Windows\System directory. The worm modifies the default EXE file startup key in the Windows Registry, HKEY_CLASSES_ROOT\exefile\shell\open\command, so that the worm runs any time any exe file is run. The worm also creates a startup key to ensure that it runs on startup. A bug in the Navidad virus installs the registry keys for "WINSVRC.EXE" even though the worm itself is installed with a .VXD file extension; as a result, the worm prevents .exe files from running and does not run on startup. The error "Windows cannot find winsvrc.exe" is displayed instead.

During installation a fake error message is displayed. After the user closes the message, the identifiable blue eye icon appears in the system tray. Users who click on the eye icon are presented with a dialog box that displays the text "Nunca presionar este boton" as a button. When the button is clicked, a variety of different messages can be displayed depending on the version of the virus, including "Emmanuel-God is with us!May god bless u.And Ash, Lk, and LJ!!" and "Lamentablemente cayo en la tentacion y perdio si computadora". When the worm is activated, it uses the MAPI32.DLL library to connect to a Microsoft Outlook or Exchange email account and send itself to the email addresses of any unread emails in the user's inbox. This will send the worm to every address that sends the user an email until it is removed from the system.


Navidad.b Variant

Because the original Navidad virus would fail to run, a patched variant of the virus became more popular, as it was able to spread via email more effectively than the original virus. In some cases, Navidad.b would spread an "emanuel.exe" file and install itself as "wintask.exe" in the Windows System directory to make it appear like a native Windows file. The patched version fixed the issue that prevented exe files from running: exe files ran normally and the worm ran at the same time, as initially intended.
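The following is an added example, not part of the original article or of any vendor tool: a Python check that classifies an exported exefile\shell\open\command value as stock, hijacked, or hijacked with a missing target, which separates the original worm's bug from the Navidad.b behaviour described above. The sample command strings and directory listings are constructed, and matching the handler's file name against a listing of the system directory is a simplifying assumption.

```python
import ntpath

# Stock data of the default value under HKEY_CLASSES_ROOT\exefile\shell\open\command.
DEFAULT_EXE_HANDLER = '"%1" %*'

def handler_target(command):
    """Return the program the handler launches first, or None if it launches "%1" itself."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        first = cmd[1:end] if end != -1 else cmd[1:]
    else:
        # Unquoted paths that contain spaces are not handled in this example.
        first = cmd.split()[0] if cmd else ""
    return None if first == "%1" else first

def classify(command, system_files):
    """Classify a handler value against the files present in the system directory."""
    target = handler_target(command)
    if target is None:
        return "default"
    name = ntpath.basename(target).lower()
    present = {f.lower() for f in system_files}
    if name in present:
        # Another program is interposed in front of every .exe launch (Navidad.b case).
        return "hijacked"
    # The handler names a file that is not there, so every .exe launch fails
    # with a "cannot find" error (the bug in the original Navidad).
    return "hijacked-broken"

# Constructed samples: (handler value, file names found in the system directory).
SAMPLES = {
    "clean":     (DEFAULT_EXE_HANDLER, ["MAPI32.DLL"]),
    "original":  (r'C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*', ["WINSVRC.VXD", "MAPI32.DLL"]),
    "navidad_b": (r'C:\WINDOWS\SYSTEM\wintask.exe "%1" %*', ["wintask.exe", "MAPI32.DLL"]),
}

def scan(samples=SAMPLES):
    """Return {sample name: verdict} for every constructed sample."""
    return {name: classify(cmd, files) for name, (cmd, files) in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:10} {verdict}")
```

On a machine showing the "hijacked-broken" result, the handler value has to be restored to the stock data before any .exe-based cleanup tool can start.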


Impact

The worm itself did not destroy data or seriously damage any infected computers; damage was limited to preventing exe files from running in the bugged version of the worm. This virus also did not spread as fast as other similar email worms such as Melissa or ILOVEYOU and caused limited disruptions in email services. No known outages are attributed to the Navidad virus. Vincent Gullotto, an antivirus researcher at McAfee, reported that at least 10 Fortune 500 companies had been infected by the worm, although he declined to specify which companies were impacted.

