Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Navidad.A

 
Threat Level: High threat
Damage: Severe
Distribution: Not widespread

At a glance

Common name: Navidad.A
Technical name: W32/Navidad
Threat level: Medium
Alias: Navidad, W32/Navidad.A-m, I-Worm.Navidad, Troj_Navidad.A
Type: Worm
Effects:  

When activated it prevents files with an EXE extension from being run and displays warnings and an error message when the infected computer is started up.

Affected platforms:

Windows XP/2000/NT/ME/98/95

Detection updated on: Oct. 29, 2007
Statistics: No
Proactive protection: Yes, using TruPrevent Technologies
Repair utility: Panda QuickRemover
Country of origin: AFGHANISTAN
Family: NAVIDAD

Brief Description 

    

Navidad is an astute worm that is difficult to detect because it reaches computers as a reply to an e-mail message that the user previously sent to a user whose computer is infected. This reply includes a file called NAVIDAD.EXE, which infects the computer when it is run.

Navidad is dangerous because it prevents many programs, namely files with an EXE extension, from being run. It also displays warnings and an error message when the computer is started up.

It spreads very quickly by sending itself as a reply to all the e-mail messages in the Inbox of the mail program.

Visible Symptoms 

    

The first symptom of Navidad is an e-mail message with the following characteristics:

  • A reply to a message that a user has sent to another user (whose computer is infected).
  • The subject is the same as the original message that was sent. The only difference is that it includes the reply tag (RE:).
  • The message is the same as that in the original e-mail message sent to the infected user.
  • The message includes an attachment called NAVIDAD.EXE.

    When the NAVIDAD.EXE file is run, Navidad activates and displays a long list of icons and messages. These appear depending on how the infected user replies to each one.


Tech details

Effects

Navidad activates when the file attached to the message is run. Then, it carries out the following actions:

  • It prevents files with an EXE extension from being run.

    When the user or the system tries to run one of these files, a message indicates that it is impossible and that the file will not be run.

  • It displays an error message when the infected computer is started up.

Infection strategy 

Navidad creates a file called WINSVRC.VXD in the Windows System directory. This file displays an eye icon in the Windows Taskbar.

Navidad creates the following entry in the Windows Registry:

  • HKCR\Exefile\Shell\Open\Command = C:\Windows\System\Winsvrc.exe "%1" %*
    This replaces the command that Windows uses to open EXE files, which prevents files with an EXE extension from being run.

Navidad modifies the following entry in the Windows Registry: 

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run Win32BaseServiceMOD = C:\Windows\System\Winsvrc.Exe

    By doing this, Navidad tries (unsuccessfully) to ensure that it is activated when the affected computer is started up, because this entry tells Windows to run the WINSVRC.EXE file at startup.

    The WINSVRC.EXE file is not the file that Navidad has previously created (the file it creates is WINSVRC.VXD). Therefore, when the computer is started up, an error message appears indicating that the file that must be run cannot be found.
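The two registry changes described above can be checked offline against a registry export. The following is an added example, not Panda Security's code: it assumes the export has already been decoded to text (regedit writes version 5.00 exports as UTF-16), the function names are hypothetical, and the sample export is constructed.

```python
import re

# Windows default open command for .exe files; any other value proxies every launch.
DEFAULT_EXE_OPEN = '"%1" %*'
EXE_OPEN_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse .reg export text into {key_lowercase: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)  # REG_SZ values only; other types are skipped
            if m:
                name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
                current[name] = _unescape(m.group(2))
    return keys

def navidad_findings(text):
    """Return (indicator, detail) tuples for the two registry changes on this page."""
    keys, findings = parse_reg(text), []
    handler = keys.get(EXE_OPEN_KEY, {}).get("@")
    if handler is not None and handler.strip() != DEFAULT_EXE_OPEN:
        findings.append(("exefile-handler-changed", handler))
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "win32baseservicemod" or "winsvrc" in data.lower():
            findings.append(("run-entry", f"{name} -> {data}"))
    return findings

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\System\\Winsvrc.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\Windows\\System\\Winsvrc.Exe"
"SystemTray"="SysTray.Exe"
'''

if __name__ == "__main__":
    for finding in navidad_findings(SAMPLE):
        print(finding)
```

The handler check compares against the Windows default rather than the worm's file name, so it also flags any other program that has taken over the EXE open command.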

Means of transmission 

The means of transmission used by Navidad is very astute. In order to get the user’s trust, it reaches computers as a reply to a message they have sent to a user that has been infected.

Users naturally think that they have received a reply to a message that they have sent, whereas the reply actually contains a file called NAVIDAD.EXE, which will infect the computer when it is run.

As Navidad is sent in a reply to a message, the message characteristics vary (depending on the original message). However, the attached file is always NAVIDAD.EXE. For more information on this message, consult the section Visible symptoms.

How does Navidad reply to the users that have sent a message to the infected user? By replying to all the messages in the Inbox (both read and unread).

The replies sent by Navidad and the way in which they are sent do not depend on the mail program installed.
