Navidad virus


W32.Navidad is a mass-mailing worm program, or virus, discovered in December 2000 that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. [1] It was designed to spread through email clients such as Microsoft Outlook [2] while masquerading as an executable electronic Christmas card. [3] Infected computers can be identified by a blue eye icon that appears in the Windows system tray. [3]


Description

When the navidad.exe email attachment is run, the file installs itself as "WINSVRC.VXD" in the \Windows\System directory. The worm modifies the default EXE file startup key in the Windows Registry, [HKEY_CLASSES_ROOT\exefile\shell\open\command], so that the program runs any time any .exe file is run. The worm also creates a startup key to ensure that it runs on startup. A bug in the Navidad virus installs the registry keys for "WINSVRC.EXE" even though the worm itself is installed with a .VXD file extension. As a result, the worm prevents .exe files from running and does not run on startup; [4] the error "Windows cannot find winsvrc.exe" is displayed instead. [5]

During installation a fake error message is displayed. After the user closes the message, a blue eye icon appears in the system tray. Users who click on the eye icon are presented with a dialog box that displays the text "Nunca presionar este boton" as a button. When clicked, a variety of different messages can be displayed depending on the version of the virus the user is infected with, including one which states "Emmanuel-God is with us!May god bless u.And Ash, Lk, and LJ!!" [3] and another reading "Lamentablemente cayo en la tentacion y perdio si computadora".

When the worm is activated, it uses the MAPI32.DLL library to connect to Microsoft Outlook or Exchange and sends itself to the email addresses of the senders of any unread emails in the victim's inbox. [4] Until it is removed from the system, this sends the worm to every address from which the victim receives an email. [6]

Because the original Navidad virus would fail to run, an alternate variant of the virus became more widespread. In some cases, Navidad.b would spread as "emanuel.exe" and install itself as "wintask.exe" in the Windows System directory to make it appear like a native Windows executable. [7] The Navidad.b version of the virus fixed the issue that prevented .exe files from running: .exe files run normally, and the worm runs at the same time, as originally intended. This also allowed the virus to spread more effectively.
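The two paragraphs above describe the same persistence mechanism in two states: the original worm registers an interposer under HKEY_CLASSES_ROOT\exefile\shell\open\command that does not exist on disk (WINSVRC.EXE registered, WINSVRC.VXD dropped), so every .exe launch fails, while Navidad.b registers one that is present, so .exe files run and the worm runs with them. The following is an added example, not code from the article or from any antivirus vendor: a small Python audit that parses a .reg export of that key, reports whether the default value is the stock `"%1" %*`, extracts any program placed in front of `%1`, and distinguishes the "missing interposer" case from the "present interposer" case. The .reg fragments, the exact shape of the hijacked command string and the file lists are constructed for the example; the page gives the key and file names but not the literal registry value.

```python
"""Audit the EXE file-association command from a .reg export for an interposed program."""
from typing import Iterable, Optional

EXEFILE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
# Stock Windows value: launch the clicked .exe itself and pass its arguments through.
EXPECTED_DEFAULT = '"%1" %*'


def _escape_reg_string(s: str) -> str:
    # .reg exports write a backslash as \\ and a double quote as \" inside string values.
    return s.replace("\\", "\\\\").replace('"', '\\"')


def _unescape_reg_string(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])  # take the escaped character literally
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def make_export(command: str) -> str:
    """Build a minimal .reg file that sets the exefile open command (constructed sample data)."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{EXEFILE_COMMAND_KEY}]\r\n"
            f'@="{_escape_reg_string(command)}"\r\n')


# Constructed exports, not taken from any real system.
CLEAN_EXPORT = make_export(EXPECTED_DEFAULT)
# Assumed shape of the modified value: a program path inserted before "%1", so that
# program is started every time any .exe is launched. The path is constructed from the
# file name the article gives (WINSVRC.EXE); the literal value is not on the page.
HIJACKED_EXPORT = make_export(r'C:\WINDOWS\SYSTEM\WINSVRC.EXE "%1" %*')
# Constructed file listing: the original worm drops a .VXD but registers an .EXE.
ORIGINAL_DROPPED_FILES = [r"C:\WINDOWS\SYSTEM\WINSVRC.VXD"]


def default_value_of(reg_text: str, key: str) -> Optional[str]:
    """Return the unescaped default (@) string value of `key` in a .reg export, or None."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if in_key and line.startswith('@="') and line.endswith('"'):
            return _unescape_reg_string(line[3:-1])
    return None


def audit_exefile_command(reg_text: str) -> dict:
    """Classify the exefile open command as clean, hijacked, or missing from the export."""
    cmd = default_value_of(reg_text, EXEFILE_COMMAND_KEY)
    if cmd is None:
        return {"status": "missing", "command": None, "interposer": None}
    if cmd.strip() == EXPECTED_DEFAULT:
        return {"status": "clean", "command": cmd, "interposer": None}
    # Anything in front of %1 is run instead of, or before, the .exe the user clicked.
    idx = cmd.find("%1")
    head = cmd[:idx] if idx >= 0 else cmd
    interposer = head.strip().strip('"').strip() or None
    return {"status": "hijacked", "command": cmd, "interposer": interposer}


def describe_hijack(audit: dict, files_on_disk: Iterable[str]) -> str:
    """Tell the two symptom patterns apart.

    Interposer absent: every .exe launch fails with a 'Windows cannot find ...' error
    (the original worm). Interposer present: .exe files run and the interposer runs
    alongside them each time (Navidad.b).
    """
    if audit["status"] != "hijacked" or not audit["interposer"]:
        return audit["status"]
    present = {f.lower() for f in files_on_disk}
    if audit["interposer"].lower() in present:
        return "hijacked-interposer-present"
    return "hijacked-interposer-missing"


def remediation_export() -> str:
    """A .reg file that restores the stock association, which is what cleanup amounts to."""
    return make_export(EXPECTED_DEFAULT)


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        result = audit_exefile_command(text)
        print(name, result["status"], result["interposer"],
              describe_hijack(result, ORIGINAL_DROPPED_FILES))
```

On a live system the same check applies to an export taken with `reg export HKCR\exefile\shell\open\command out.reg`; the parser deliberately compares against the stock value rather than against a list of known worm file names, so any interposed program is flagged, whatever it is called.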

Impact

The worm itself did not destroy data or seriously damage any infected computers; damage was limited to preventing .exe files from running in the original version of the worm. This virus also did not spread as fast as other similar email worms such as Melissa or ILOVEYOU, and it caused limited disruption to email services. [8]

Vincent Gullotto, an antivirus researcher at McAfee, reported that at least 10 Fortune 500 companies had been infected by the worm, although he declined to specify which companies were affected. [9]

References

  1. Cullison, David (2000-11-20). "Merry Christmas - The NAVIDAD Virus". giac.org: 1.
  2. "W32.Navidad". Symantec. Archived from the original on November 10, 2006. Retrieved 27 February 2018.
  3. "A short history of Christmas malware". Naked Security. 15 December 2010. Retrieved 27 February 2018.
  4. "Worm:W32/Navidad Description | F-Secure Labs". www.f-secure.com. Retrieved 2022-04-05.
  5. "What is the Navidad email worm, and how do I get rid of it?". kb.iu.edu. Retrieved 2022-04-05.
  6. "Navidad (Christmas) virus/worm (Question 2585) | Data Doctors Free Help". Data Doctors Computer Services. Retrieved 2022-04-05.
  7. "Retooled Navidad virus on the loose". CNET. Retrieved 2022-04-06.
  8. "CNN.com - Technology - 'Navidad' computer virus poses moderate risk - November 10, 2000". us.cnn.com. Retrieved 2022-04-06.
  9. "A Not-So-Feliz 'Navidad'". www.cbsnews.com. Retrieved 2022-04-06.