Windows XP/2000/NT/ME/98/95

Navidad.B is an astute worm that is difficult to detect because it reaches computers in a reply to a previously sent e-mail (which is infected). This message includes a file called EMANUEL.EXE, which infects the computer when it is run.

Navidad.B is dangerous as it prevents many programs from being run. In other words, files with an EXE extension. It also displays warnings when the computer is started up and goes memory resident as a task.

It spreads very quickly by sending itself as a reply to all the e-mail messages in the Inbox of the mail program.

The first symptom of Navidad.B is an e-mail message with the following characteristics:

• A reply to a message that the user has sent to another user (which is infected).
• The subject is the same as the original message that was sent. The only difference is that it includes the reply tag (RE:).
• The message is the same as that in the original e-mail message sent to the infected user.
• The message includes an attachment called EMANUEL.EXE.

When the EMANUEL.EXE file is run, Navidad.B activates and displays a long list of icons and messages. These appear depending on how the infected user replies to each one.

For more information on the windows displayed when Navidad.B activates, click here.