Navidad Virus

W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000, that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. It was designed to spread through email clients such as Microsoft Outlook while masquerading as an executable electronic Christmas card. Depending on the variant, infected computers can be identified by blue eye icons or ICQ logos which appear in the Windows system tray.


Description

When the navidad.exe email attachment is run, the file installs itself as "winsvrc.vxd" in the \Windows\System directory. The worm modifies the default .exe file startup key in the Windows Registry, HKEY_CLASSES_ROOT\exefile\shell\open\command, so that the program runs any time any .exe file is run. The worm also creates a startup key to ensure that it runs on startup. A bug in the Navidad virus installs the registry keys for "winsvrc.exe" even though the worm itself is installed with a .vxd file extension. As a result, the worm prevents .exe files from running and does not run on startup; the error "Windows cannot find winsvrc.exe" is displayed instead. During installation a fake error message is displayed. After the user closes the message, a blue eye icon or the ICQ logo appears in the system tray. Users who click on the eye icon are presented with a dialog box that displays the text "Nunca presionar este boton" ("Never press this button") as a button. When it is clicked, a variety of different messages can be displayed depending on the version of the virus the user is infected with, including ones which state "Emmanuel-God is with us!May god bless u.And Ash, Lk, and LJ!!" and "Lamentablemente cayo en la tentacion y perdio su computadora" ("Unfortunately you fell into temptation and lost your computer"). When the worm is activated it uses the MAPI32.DLL library to connect to Microsoft Outlook or Exchange to send itself to the email addresses belonging to the senders of any unread emails in the victim's inbox. This will send the worm to every address the victim receives an email from until it is removed from the system.
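
The registry symptom described above can be triaged offline from a regedit text export. The following is an added example, not code from the original article: it flags a non-default `exefile` open command and reports whether the handler it names exists in the System directory, which is the mismatch ("winsvrc.exe" registered, "winsvrc.vxd" installed) that stopped .exe files from launching. The sample exports, the exact command value in them, and the function names are constructed for illustration.

```python
import ntpath
import re

KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
DEFAULT_EXE_OPEN = '"%1" %*'  # stock Windows value: run the clicked program itself

# Constructed regedit exports for illustration (not captured from a real host).
CLEAN = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"
'''

def default_value(reg_text, key):
    """Return the (Default) value of `key` from a regedit text export, or None."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key and line.startswith("@="):
            raw = line[2:].strip()
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = raw[1:-1]
            # .reg files escape backslashes and quotes with a backslash
            return re.sub(r"\\(.)", r"\1", raw)
    return None

def triage(reg_text, system_dir_files):
    """Classify the .exe open command and check that its handler exists on disk."""
    value = default_value(reg_text, KEY)
    if value is None:
        return {"status": "key-missing"}
    if value.strip() == DEFAULT_EXE_OPEN:
        return {"status": "clean"}
    # Whatever precedes "%1" is launched every time any .exe is started.
    handler = value.split('"%1"')[0].strip().strip('"')
    present = {name.lower() for name in system_dir_files}
    base = ntpath.basename(handler).lower()
    stem = ntpath.splitext(base)[0]
    same_stem = sorted(n for n in present
                       if ntpath.splitext(n)[0] == stem and n != base)
    return {"status": "hijacked", "handler": handler,
            "handler_exists": base in present, "same_stem_files": same_stem}
```

A result with `handler_exists` false and a same-named file under another extension matches the broken original variant; a hijacked key whose handler does exist matches the behaviour described for Navidad.b.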


Navidad.b Variant

Because the original Navidad virus would fail to run, an alternate variant of the virus became more popular. In some cases, Navidad.b would spread as "emanuel.exe" and install itself as "wintask.exe" in the Windows System directory to make it appear like a native Windows executable. The Navidad.b version of the virus fixed the issue that prevented .exe files from running, instead allowing .exe files to run as well as running the worm at the same time as initially intended. This also allowed the virus to spread more effectively.


Impact

The worm itself did not destroy data or seriously damage any infected computers; damage was limited to preventing .exe files from running in the original version of the worm. It also did not spread as fast as other similar email worms such as Melissa or ILOVEYOU, and caused limited disruptions in email services. Vincent Gullotto, an antivirus researcher at McAfee, reported that at least 10 Fortune 500 companies had been infected by the worm, although he declined to specify which companies were impacted.

