This newsletter is a free opt-in service of ComputerProblems.com
If you have a problem or question, visit http://www.computerproblems.com
ANY REPLIES TO THIS MESSAGE WILL GO INTO EMAIL LIMBO!!!
If you would like to be added or removed from this list, go to:
A: The W32/Navidad (Spanish for Christmas) virus/worm is spreading, and it is using Microsoft's Outlook e-mail program to do so.
The worm will likely come from an email address that you recognize, from a sender you trust. Attached is a file named NAVIDAD.EXE; when it is run, it displays a dialog box entitled "Error" which reads "UI". A blue eye icon then appears in the system tray next to the clock in the lower right corner of the screen, and a copy of the worm is saved to the file "winsvrc.vxd" in the WINDOWS SYSTEM
If your PC becomes infected with the W32/Navidad worm and you are using Microsoft's Outlook e-mail program, every message from then on will be responded to automatically with an email from your address with the W32/Navidad worm as an attachment. This means you will unknowingly send it to everyone that you receive a message from until you eradicate the worm from your system.
The major anti-virus companies have posted updates on their various websites to combat this, so be sure to update your anti-virus definition
If you find that you have been infected by this worm, you can download a zipped file from McAfee to repair your registry by Clicking Here! (Requires an unzip utility)
If you have a moderate technical background, here is THE
When executed, the worm displays a dialog box with the
and the title:
Then, the worm adds the following registry key:
This key was supposed to be used to see if the computer was
However, due to bugs in the code, the registry key is not
Next, the virus adds the following registry key:
with the value:
The worm copies itself into your Windows system directory as WINSVRC.VXD. Due to the difference in file name, the virus does not execute properly at startup.
After the file has been copied, the worm modifies an additional registry key. The worm
WindowsSystemwinsvrc.exe "%1" %*"
Due to the mistake in the file name, the system is unusable. Whenever an .exe file is executed, the operating system prompts the user for the location of the file WINSVRC.EXE. The net result of this is that no program files can be launched. This may cause system instability and the system may have difficulty
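As an added example (not part of the original newsletter or of any vendor tool), the following Python code audits an exported registry file for the condition described above: an open-command handler that places a program in front of the "%1" %* arguments while that program is absent from the system directory. The key names, the C:\WINDOWS\SYSTEM path and the directory listing are constructed assumptions; only the file names winsvrc.exe and winsvrc.vxd come from the text.

```python
import ntpath
import re

# Constructed inputs; key names and the C:\WINDOWS\SYSTEM path are assumptions.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\sampletype\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\othertype\shell\open\command]
@="\"%1\" %*"
'''
SAMPLE_SYSTEM_DIR = ["WINSVRC.VXD", "USER.EXE", "KRNL386.EXE"]


def open_commands(reg_text):
    """Yield (key, unescaped command) for each default value of a shell\\open\\command key."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            key = header.group(1)
            continue
        value = re.fullmatch(r'@="(.*)"', line)
        if value and key and key.lower().endswith(r"\shell\open\command"):
            yield key, re.sub(r"\\(.)", r"\1", value.group(1))


def audit(reg_text, system_dir_listing):
    """Flag handlers that run a program in front of the pass-through "%1" %* arguments."""
    present = {name.lower() for name in system_dir_listing}
    findings = []
    for key, command in open_commands(reg_text):
        program = command.split("%1")[0].strip(' "')
        if not program:
            continue  # plain pass-through: the clicked file itself is executed
        name = ntpath.basename(program).lower()
        stem = ntpath.splitext(name)[0]
        findings.append({
            "key": key,
            "program": program,
            "target_missing": name not in present,  # the failure mode described above
            "same_stem_files": sorted(f for f in present if ntpath.splitext(f)[0] == stem and f != name),
        })
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_REG, SAMPLE_SYSTEM_DIR))
```

A finding with target_missing set and a same-stem file under a different extension matches the mismatch between the copied file and the handler entry.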
Next, the worm begins the email routine. The worm utilizes MAPI to send mail and works with Microsoft Outlook. The worm checks for all messages in your Inbox and replies to those messages that have one attachment. The reply consists of the same subject line and body, but contains the worm attached as NAVIDAD.EXE.
Finally, the worm places a blue eye icon in the system tray of the taskbar. When the mouse pointer is over the icon, the worm displays a yellow dialog box that states:
Lo estamos mirando...
(In English: We are watching it...)
When you click the icon, a dialog box with a button appears. The button contains the
Nunca presionar este boton
(In English: Never press this button)
If the user presses the button, an error box with the title
(In English: Merry Christmas)
displays the message
Lamentablemente cayo en la tentacion y perdio su computadora
(In English: Unfortunately you've fallen to temptation and have lost your computer).
If you close the dialog box by clicking the X instead of clicking the button, the following
(In English: Good selection).
and exits. Despite the warning of losing the computer, no further changes are made to
Removal: (DO NOT ATTEMPT UNLESS YOU HAVE A GOOD WORKING
OF THE WINDOWS REGISTRY!!!)
To remove W32.Navidad:
On the Windows taskbar, click Start > Programs > MS-DOS Prompt. The command prompt will display the current directory, which should be the Windows directory. In most cases that will be displayed as:
Type ren REGEDIT.EXE REGEDIT.COM.
Modify the following Registry value: