W32.Navidad is a mass-mailing worm, or virus, discovered in December 2000, that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. [1] It was designed to spread through email clients such as Microsoft Outlook [2] while masquerading as an executable electronic Christmas card. [3] Depending on the variant, infected computers can be identified by blue eye icons or ICQ logos which appear in the Windows system tray. [3]
When the navidad.exe email attachment is run, the file installs itself as "winsvrc.vxd" in the \Windows\System directory. The worm modifies the default .exe file startup key in the Windows Registry, [HKEY_CLASSES_ROOT\exefile\shell\open\command], so that the program runs any time any .exe file is run. The worm also creates a startup key to ensure that it runs on startup. Because of a bug, Navidad writes these registry keys for "winsvrc.exe" even though the worm itself is installed with a .vxd file extension. As a result, the worm prevents .exe files from running and does not run on startup, [4] and the error "Windows cannot find winsvrc.exe" is displayed instead. [5]
During installation, a fake error message is displayed. After the user closes the message, a blue eye icon or the ICQ logo appears in the system tray. Users who click on the eye icon are presented with a dialog box containing a button labelled "Nunca presionar este boton" (transl. "Never press this button"). When the button is clicked, one of a variety of messages is displayed, depending on the version of the virus the user is infected with; these include "Emmanuel-God is with us!May god bless u.And Ash, Lk, and LJ!!" [3] and "Lamentablemente cayo en la tentacion y perdio su computadora" (transl. "Unfortunately you fell into temptation and lost your computer").
When the worm is activated, it uses the MAPI32.DLL library to connect to Microsoft Outlook or Exchange and send itself to the email addresses of the senders of any unread emails in the victim's inbox. [4] The worm is therefore sent to every address the victim receives an email from until the worm is removed from the system. [6]
Because the original Navidad virus would fail to run, an alternate variant of the virus became more popular. In some cases, Navidad.b would spread as "emanuel.exe" and install itself as "wintask.exe" in the Windows System directory to make it appear like a native Windows executable. [7] The Navidad.b version of the virus fixed the issue that prevented .exe files from running: .exe files ran normally and the worm ran alongside them, as initially intended. This also allowed the virus to spread more effectively.
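A triage check for the .exe handler hijack described above, written as an added example (not code from the original page or from any antivirus vendor). It reads the default value of [HKEY_CLASSES_ROOT\exefile\shell\open\command] from a registry export and separates the original variant's broken state (handler points at a file that is not on disk) from a working hijack; the sample exports, the C:\WINDOWS\SYSTEM paths and the function names are constructed for illustration.

```python
import ntpath
import re

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
DEFAULT_HANDLER = '"%1" %*'  # stock Windows value: run the clicked file itself

def sample_export(handler):
    """Build a constructed .reg export holding `handler` as the key's default value."""
    escaped = handler.replace("\\", "\\\\").replace('"', '\\"')
    return f'Windows Registry Editor Version 5.00\n\n[{EXEFILE_KEY}]\n@="{escaped}"\n'

def default_value(reg_text, key):
    """Return the unescaped default (@) string of `key` in a .reg export, or None."""
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == key.lower() and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslashes and quotes inside string values
            return re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return None

def triage(reg_text, system_files):
    """Classify the exefile handler; `system_files` lists names in the System directory."""
    value = default_value(reg_text, EXEFILE_KEY)
    if value is None:
        return ("missing", None)
    if value.strip() == DEFAULT_HANDLER:
        return ("default", None)
    # Whatever precedes the "%1" placeholder is interposed before every .exe launch
    program = value.split('"%1"')[0].strip().strip('"')
    name = ntpath.basename(program).lower()
    present = name in {f.lower() for f in system_files}
    # Dangling target: .exe files fail to start ("Windows cannot find ...")
    return ("hijacked-present" if present else "hijacked-dangling", name)

if __name__ == "__main__":
    cases = [
        (DEFAULT_HANDLER, ["kernel32.dll"]),
        (r'C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*', ["winsvrc.vxd"]),   # original variant
        (r'C:\WINDOWS\SYSTEM\wintask.exe "%1" %*', ["wintask.exe"]),   # Navidad.b
    ]
    for handler, files in cases:
        print(triage(sample_export(handler), files))
```

Cleanup means restoring the default handler value before removing the worm's file; otherwise deleting the file leaves the handler dangling and .exe files stop launching.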
The worm itself did not destroy data or seriously damage any infected computers; damage was limited to preventing .exe files from running in the original version of the worm. The virus also did not spread as fast as other similar email worms such as Melissa or ILOVEYOU, and it caused limited disruptions in email services. [8]
Vincent Gullotto, an antivirus researcher at McAfee, reported that at least 10 Fortune 500 companies had been infected by the worm, although he declined to specify which companies were impacted. [9]
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on exploiting the advantages of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Klez is a computer worm that propagates via e-mail. It first appeared in October 2001 and originated in China. A number of variants of the worm exist.
This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.
Blaster was a computer worm that spread on computers running operating systems Windows XP and Windows 2000 during August 2003.
Bagle was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.
Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin (CVE-2003-0533), for which a patch had been released seventeen days earlier. The most characteristic experience of the worm is the shutdown timer that appears due to the worm crashing LSASS.
ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected over ten million Windows personal computers on and after 5 May 2000. It started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". At the time, Windows computers often hid the latter file extension by default because it is an extension for a file type that Windows knows, leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script. First, the worm inflicts damage on the local machine, overwriting random files; then it copies itself to all addresses in the Windows Address Book used by Microsoft Outlook, allowing it to spread much faster than any other previous email worm.
Mobile malware is malicious software that targets mobile phones or wireless-enabled personal digital assistants (PDAs), causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.
The Sober worm is a family of computer worms that was discovered on October 24, 2003. Like many worms, Sober sends itself as an e-mail attachment, fake webpages, fake pop-up ads, and fake advertisements.
Brontok is a computer worm running on Microsoft Windows. It is able to disperse by e-mail. Variants include:
RavMonE, also known as RJump, is a Trojan that opens a backdoor on computers running Microsoft Windows. Once a computer is infected, the virus allows unauthorized users to gain access to the computer's contents. This poses a security risk for the infected machine's user, as the attacker can steal personal information, and use the computer as an access point into an internal network.
The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:
KAK is a 1999 JavaScript worm that uses a bug in Outlook Express (CVE-1999-0668) to spread itself.
A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.
Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites such as Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.
The Fun.Exe virus is of the w32.Assarm family of computer viruses. According to Symantec, it registers itself as a Windows system process, then periodically sends mail with spreading attachments as a response to any unopened emails in Outlook Express. This virus first appeared in early 2008 and is now recognized by most antivirus programs.
Swen is a mass-mailing computer worm written in C++. It sends an email which contains the installer for the virus, disguised as a Microsoft Windows update, although it also works on P2P filesharing networks, IRC and newsgroups' websites. It was first analyzed on September 18, 2003; however, it might have infected computers before then. It disables firewalls and antivirus programs.
Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.
Gruel, also referred to by F-Secure as Fakerr, was a worm first surfacing in 2003 targeting Microsoft Windows platforms such as Windows 9x, Windows ME, Windows 2000 and Windows XP. It spread via email and file sharing networks.
Dorkbot is a family of malware worms that spreads through instant messaging, USB drives, websites or social media channels like Facebook. Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering. Particularly prevalent in 2015, Dorkbot-infected systems were variously used to send spam, participate in DDoS attacks, or harvest users' credentials.