Note: To protect the privacy of our members, e-mail addresses have been removed from the archived messages. As a result, some links may be broken.

New (Legit) Virus Warning

---------

From: Maggie White (mwhiteaz_at_TeacherArtExchange)
Date: Sat Nov 11 2000 - 05:59:07 PST


Hi, all,

Here's another alert regarding a Christmas worm.

Maggie
===========================================================================
This newsletter is a free opt-in service of ComputerProblems.com
(formerly Support4free.com)
If you have a problem or question, visit http://www.computerproblems.com
ANY REPLIES TO THIS MESSAGE WILL GO INTO EMAIL LIMBO!!!
If you would like to be added or removed from this list, go to:
http://www.computerproblems.com/quikreg.cfm

Q: Navidad (Christmas) virus/worm alert! (11/10/00)

A: The W32/Navidad (Spanish for Christmas) virus/worm is on the spread and it is using Microsoft's Outlook e-mail program to do so.

The worm will likely come from an email address that you will recognize and trust the sender. Attached is a file named NAVIDAD.EXE and when it is run, it displays a dialog box entitled, "Error" which reads "UI". A blue eye icon then appears in the system tray next to the clock in the lower right corner of the screen, and a copy of the worm is saved to the file "winsvrc.vxd" in the WINDOWS SYSTEM directory.

If your PC becomes infected with the W32/Navidad worm and you are using Microsoft's Outlook e-mail program, every message from then on will be responded to automatically with an email from your address with the W32/Navidad worm as an attachment. This means you will unknowingly send it to everyone that you receive a message from until you eradicate the worm from your system.

The major anti-virus companies have posted updates on their various websites to combat this, so be sure to update your anti-virus definition file ASAP!

If you find that you have been infected by this worm, you can download a zipped file from McAfee to repair your registry by Clicking Here! (Requires an unzip utility)

If you have a moderate technical background, here is THE TECHNICAL STUFF!

When executed, the worm displays a dialog box with the cryptic letters:

UI

and the title:

Error

Then, the worm adds the following registry key:

HKEY_USERS\.DEFAULT\Software\Navidad

This key was supposed to be used to see if the computer was already infected. However, due to bugs in the code, the registry key is not utilized.

Next, the virus adds the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

with the value:

Win32BaseServiceMOD=Windows\System\Winsvrc.exe

The worm copies itself into your Windows system directory as WINSVRC.VXD. Due to the difference in file name, the virus does not execute properly at startup.

After the file has been copied, the worm modifies an additional registry key. The worm changes:

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

to equal:

Windows\System\winsvrc.exe "%1" %*"

Due to the mistake in the file name, the system is unusable. Whenever an .exe file is executed, the operating system prompts the user for the location of the file WINSVRC.EXE. The net result of this is that no program files can be launched. This may cause system instability and the system may have difficulty rebooting.

Next, the worm begins the email routine. The worm utilizes MAPI to send mail and works with Microsoft Outlook. The worm checks for all messages in your Inbox and replies to those messages that have one attachment. The reply consists of the same subject line and body, but contains the worm attached as NAVIDAD.EXE.

Finally, the worm places a blue eye icon in the system tray of the taskbar. When the mouse pointer is over the icon, the worm displays a yellow dialog box that states:

Lo estamos mirando...
(In English: We are watching it...)

When you click the icon, a dialog box with a button appears. The button contains the following text:

Nunca presionar este boton
(In English: Never press this button)

If the user presses the button, an error box with the title

Feliz Navidad
(In English: Merry Christmas)

displays the message

Lamentablemente cayo en la tentacion y perdio su computadora
(In English: Unfortunately you've fallen to temptation and have lost your computer).

If you close the dialog box by clicking the X instead of clicking the button, the following message appears:

buena eleccion
(In English: Good selection).

and exits. Despite the warning of losing the computer, no further changes are made to the system.

Removal: (DO NOT ATTEMPT UNLESS YOU HAVE A GOOD WORKING KNOWLEDGE OF THE WINDOWS REGISTRY!!!)

To remove W32.Navidad:

On the Windows taskbar, click Start > Programs > MS-DOS Prompt. The command prompt will display the current directory, which should be the Windows directory. In most cases that will be displayed as:

C:\WINDOWS>

Type ren REGEDIT.EXE REGEDIT.COM.
Press Enter.
Type REGEDIT.
Press Enter.
Modify the following Registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

and change

"C:\WINDOWS\SYSTEM\winsvrc.vxd "%1" %*

to

"%1" %*

For clarity, these seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.

Delete the registry key:

HKEY_USERS\.DEFAULT\Software\Navidad

Restart your computer.
Using Windows Explorer, delete the WINDOWS\SYSTEM\winsvrc.vxd file.
Answered by: Ken Colburn
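
The following is an added example, not part of the original newsletter or message: a small checker that reads a REGEDIT4-format registry export and reports the three registry changes the write-up describes (the exefile open command, the Run value, and the Navidad marker key). The sample export and the drive-letter paths in it are constructed for illustration.

```python
import re

# Registry locations named in the advisory above.
EXE_CMD_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_USERS\.DEFAULT\Software\Navidad"
CLEAN_EXE_CMD = '"%1" %*'  # the seven-character value the removal steps restore

# Constructed sample export (not captured from a real machine).
SAMPLE_INFECTED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.vxd \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\winsvrc.exe"
"SystemTray"="SysTray.Exe"

[HKEY_USERS\.DEFAULT\Software\Navidad]
'''

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Parse REGEDIT4 text into {key_lowercased: {value_name: string_data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif current is not None and (m := re.fullmatch(
                r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"', line)):
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            current[name] = _unescape(m.group(2))
    return keys

def check_navidad(reg_text):
    """Return a list of findings for the three registry changes described."""
    keys, findings = parse_reg(reg_text), []
    cmd = keys.get(EXE_CMD_KEY.lower(), {}).get("@")
    if cmd is not None and cmd != CLEAN_EXE_CMD:
        findings.append(f"exefile open command hijacked: {cmd}")
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "win32baseservicemod" or "winsvrc" in data.lower():
            findings.append(f"suspicious Run entry: {name}={data}")
    if MARKER_KEY.lower() in keys:
        findings.append(f"marker key present: {MARKER_KEY}")
    return findings
```

Calling check_navidad(SAMPLE_INFECTED) returns three findings; an export whose exefile open command is exactly "%1" %* and that lacks the other two entries returns an empty list.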