To: Jim Re: VIRUS ALERT

Jim,

Here is the Norton write-up and fix:

W32.Navidad (Level 4)

Discovered on: November 3, 2000
Last Updated on: November 11, 2000 09:38:15 PM PST

W32.Navidad is a mass mailing worm program. The worm replies using MAPI to all Inbox messages that contain a single attachment. This works with Microsoft Outlook. The worm utilizes the existing email subject line and body and attaches itself as NAVIDAD.EXE. Due to the bugs in the code, after being executed, the worm causes your system to be unusable.

A tool to repair W32.Navidad damage can be downloaded from: http://www.symantec.com/avcenter/venc/data/w32.navidad.fix.html

Category: Worm
Virus definitions: November 6, 2000

Threat assessment:
  Wild: High
  Damage: High
  Distribution: Medium

Wild
  Number of infections: More than 1000
  Number of sites: More than 10
  Geographical distribution: High
  Threat containment: Moderate
  Removal: Difficult

Damage
  Payload:
    Causes system instability: Improperly changes registry keys

Distribution
  Subject of email: Uses existing subject lines
  Name of attachment: NAVIDAD.EXE
  Size of attachment: 32,768 bytes

Technical description:
NOTE: If you are running Windows 95 or Windows 98, it is assumed that Windows is located in C:\WINDOWS. If you are running Windows NT or Windows 2000, it is assumed that Windows is located in C:\WINNT. If Windows is installed in a different directory, make the appropriate substitutions.

When executed, the worm displays a dialog box with the cryptic letters:

  UI

and the title:

  Error

Then, if you are running Windows 95 or Windows 98, the worm adds the following registry key:

  HKEY_USERS\.DEFAULT\Software\Navidad

If you are running Windows NT or Windows 2000, the worm adds the following registry key:

  HKEY_CURRENT_USER\Software\Navidad

This key was supposed to be used to see if the computer was already infected. However, due to bugs in the code, the registry key is not utilized.

Next, if you are running Windows 95 or Windows 98, the virus adds the following registry key:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

with the value:

  Win32BaseServiceMOD=\Windows\System\Winsvrc.exe

If you are running Windows NT or Windows 2000, the virus adds the following registry key:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

with the value:

  Win32BaseServiceMOD=\Winnt\System32\Winsvrc.exe

The worm copies itself into your Windows system directory as WINSVRC.VXD. Due to the difference in file name, the virus does not execute properly at startup.

After the file has been copied, the worm modifies an additional registry key. If you are running Windows 95 or Windows 98, the worm changes:

  HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

to equal:

  \Windows\System\winsvrc.exe "%1" %*"

If you are running Windows NT or Windows 2000, the worm changes:

  HKEY_CLASSES_ROOT\exefile\shell\open\command

to equal:

  \Winnt\System32\winsvrc.exe "%1" %*"

Due to the mistake in the file name, the system is unusable. Whenever an .exe file is executed, the operating system prompts the user for the location of the file WINSVRC.EXE. The net result of this is that no program files can be launched. This may cause system instability and the system may have difficulty rebooting.

Next, the worm begins the email routine. The worm utilizes MAPI to send mail and works with Microsoft Outlook. The worm checks for all messages in your Inbox and replies to those messages that have one attachment. The reply consists of the same subject line and body, but contains the worm attached as NAVIDAD.EXE.

Finally, the worm places a blue eye icon in the system tray of the taskbar. When the mouse pointer is over the icon, the worm displays a yellow dialog box that states:

  Lo estamos mirando... (In English: We are watching it...)

When you click the icon, a dialog box with a button appears. The button contains the following text:

  Nunca presionar este boton (In English: Never press this button)

If the user presses the button, an error box with the title

  Feliz Navidad (In English: Merry Christmas)

displays the message

  Lamentablemente cayo en la tentacion y perdio su computadora (In English: Unfortunately you've fallen to temptation and have lost your computer).

If you close the dialog box by clicking the X instead of clicking the button, the following message appears:

  buena eleccion (In English: Good selection).

and exits. Despite the warning of losing the computer, no further changes are made to the system.
Removal:

To remove W32.Navidad (on a Windows 95/98 system):

1. On the Windows taskbar, click Start > Programs > MS-DOS Prompt. The command prompt will display the current directory, which should be the Windows directory. In most cases that will be displayed as:
   C:\WINDOWS>
2. Type ren REGEDIT.EXE REGEDIT.COM.
3. Press Enter.
4. Type REGEDIT.
5. Press Enter.
6. Modify the following Registry value:
   HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
   and change
   "C:\WINDOWS\SYSTEM\winsvrc.vxd "%1" %*
   to
   "%1" %*
   For clarity, these seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.
7. Delete the registry key:
   HKEY_USERS\.DEFAULT\Software\Navidad
8. Restart your computer.
9. Using Windows Explorer, delete the \WINDOWS\SYSTEM\winsvrc.vxd file.

To remove W32.Navidad (on a Windows NT / Windows 2000 system):

1. On your Windows Desktop, double-click on your My Computer icon.
2. Press CTRL-F. A Find: All Files window should pop up. This will allow you to search for a specific file.
3. In the Named: field, type REGEDIT.EXE.
4. After it finds this file successfully, right-click on the filename REGEDIT.EXE. This will pop up a menu. Select Rename.
5. Type: REGEDIT.COM. This should rename the file to REGEDIT.COM.
6. Double-click on this program REGEDIT.COM.
7. Modify the following Registry value:
   HKEY_CLASSES_ROOT\exefile\shell\open\command
   and change
   "C:\WINNT\SYSTEM32\winsvrc.vxd "%1" %*
   to
   "%1" %*
   For clarity, these seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.
8. Delete the registry key:
   HKEY_CURRENT_USER\Software\Navidad
9. Restart your computer.
10. Using Windows Explorer, delete the \WINNT\SYSTEM32\winsvrc.vxd file.

Write-up by: Eric Chien

-----Original Message-----
From: owner-metastock@xxxxxxxxxxxxx [mailto:owner-metastock@xxxxxxxxxxxxx] On Behalf Of Jim
Sent: Sunday, November 19, 2000 6:59 PM
To: metastock@xxxxxxxxxxxxx
Subject: Re: VIRUS ALERT

the virus seemed to stop me from getting into any applications...when I boot..... windows tells me winsvrc.exe cannot be found...I could not find it when I did a search...any help would be appreciated....s

At 06:08 PM 11/19/00 +0100, you wrote:
> Jim, You are infected by virus NAVIDAD.EXE
>
> Jim wrote:
> > Opinions and feedback appreciated....
> > Jim...
> > Atlanta, GA
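As an added example (not part of the mailing-list thread or of the Symantec write-up), the Python below checks a set of registry entries against the Navidad indicators the write-up lists (the Software\Navidad marker key, the Win32BaseServiceMOD Run value, and the hijacked exefile\shell\open\command handler) and computes the repaired handler value the removal steps restore. The registry sample and the function names are my own constructed assumptions, not data from a live machine.

```python
"""Check registry entries against the W32.Navidad indicators from the write-up
above and compute the repaired exefile handler. Added example, not Symantec's
or the list's code; SAMPLE_REGISTRY is constructed data, not a live registry."""
from typing import Dict, List

# Indicators quoted from the write-up.
MARKER_KEYS = (r"HKEY_USERS\.DEFAULT\Software\Navidad",
               r"HKEY_CURRENT_USER\Software\Navidad")
RUN_VALUE_NAME = "Win32BaseServiceMOD"
EXEFILE_COMMAND_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
                        r"HKEY_CLASSES_ROOT\exefile\shell\open\command")
DROPPED_FILE = "winsvrc"           # winsvrc.exe in the key, winsvrc.vxd on disk
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # the seven characters the removal steps restore

def is_hijacked_exefile_command(value: str) -> bool:
    """True when the (Default) value of exefile\\shell\\open\\command points at winsvrc."""
    return DROPPED_FILE in value.lower()

def repaired_exefile_command(value: str) -> str:
    """Return the clean handler if hijacked, otherwise the value unchanged."""
    return CLEAN_EXEFILE_COMMAND if is_hijacked_exefile_command(value) else value

def find_navidad_indicators(registry: Dict[str, Dict[str, str]]) -> List[str]:
    """registry maps key path -> {value name -> data}; '' is the (Default) value."""
    marker_keys = {k.lower() for k in MARKER_KEYS}
    command_keys = {k.lower() for k in EXEFILE_COMMAND_KEYS}
    hits = []
    for key, values in registry.items():
        k = key.lower()
        if k in marker_keys:
            hits.append(f"marker key present: {key}")
        # Accept both the HKLM and the HKEY_LOCAL_MACHINE spelling of the Run key.
        if k.endswith(r"\currentversion\run") and RUN_VALUE_NAME in values:
            hits.append(f"Run value {RUN_VALUE_NAME}={values[RUN_VALUE_NAME]}")
        if k in command_keys and is_hijacked_exefile_command(values.get("", "")):
            hits.append(f"exefile handler hijacked: {values['']}")
    return hits

# Constructed sample resembling an infected Windows 98 system.
SAMPLE_REGISTRY = {
    r"HKEY_USERS\.DEFAULT\Software\Navidad": {},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Win32BaseServiceMOD": r"\Windows\System\Winsvrc.exe"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command": {
        "": r'"C:\WINDOWS\SYSTEM\winsvrc.vxd "%1" %*'},
}

if __name__ == "__main__":
    for hit in find_navidad_indicators(SAMPLE_REGISTRY):
        print(hit)
```

On the constructed sample the check reports all three indicators; a clean handler value is returned unchanged, so the repair step is safe to apply to any exported exefile command.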