Welcome to the Virus Encyclopedia of Panda Security.
Navidad activates when the file attached to the message is run. Then, it carries out the following actions:
Navidad creates a file called WINSVRC.VXD in the Windows System directory. This file displays an eye icon in the Windows Taskbar.
Navidad creates the following entry in the Windows Registry:
Navidad modifies the following entry in the Windows Registry:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run Win32BaseServiceMOD = C:\Windows\System\Winsvrc.Exe
By doing this, Navidad tries (unsuccessfully) to ensure that it is activated whenever the affected computer is started up, as this entry makes Windows run the WINSVRC.EXE file at startup.
The WINSVRC.EXE file is not the file that Navidad has previously created (the file it creates is WINSVRC.VXD). Therefore, when the computer is started up, an error message appears indicating that the file that must be run cannot be found.
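The mismatch described above (a Run value pointing at WINSVRC.EXE while only WINSVRC.VXD exists on disk) can be checked for during triage. The following is an added example, not code from Panda Security: the function names, the `reg query`-style text layout and the sample data are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample data: `reg query`-style text for the Run key and a file
# listing for a host in the state the entry describes (not a real capture).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    Win32BaseServiceMOD    REG_SZ    C:\Windows\System\Winsvrc.Exe
    ScanRegistry    REG_SZ    C:\Windows\scanregw.exe /autorun
"""
SAMPLE_FILES = [r"C:\Windows\System\WINSVRC.VXD", r"C:\Windows\scanregw.exe"]

VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_run_values(reg_query_text):
    """Return {value name: command line} for the string values in the text."""
    values = {}
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m["type"] in ("REG_SZ", "REG_EXPAND_SZ"):
            values[m["name"]] = m["data"].strip()
    return values

def target_path(command):
    """Extract the executable path from a Run command line.
    Simplification: unquoted paths containing spaces are not handled."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def audit_run_key(reg_query_text, existing_files):
    """Flag Run values whose absolute target is missing, and list files in the
    same directory that share the target's base name (e.g. .VXD vs .EXE)."""
    present = {f.lower() for f in existing_files}
    by_stem = {}
    for f in existing_files:
        p = PureWindowsPath(f)
        by_stem.setdefault((str(p.parent).lower(), p.stem.lower()), []).append(f)
    findings = []
    for name, command in parse_run_values(reg_query_text).items():
        target = PureWindowsPath(target_path(command))
        if not target.is_absolute() or str(target).lower() in present:
            continue  # relative names resolve via the search path; skip them
        key = (str(target.parent).lower(), target.stem.lower())
        findings.append({"value": name, "target": str(target), "same_stem_files": by_stem.get(key, [])})
    return findings

if __name__ == "__main__":
    print(audit_run_key(SAMPLE_REG_QUERY, SAMPLE_FILES))
```

A finding with a non-empty `same_stem_files` list corresponds to the state described here: the startup error on boot is the visible side of the same inconsistency.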
Means of transmission
The means of transmission used by Navidad is very astute. To gain the user’s trust, it reaches computers as a reply to a message they have sent to a user who has been infected.
Users naturally think that they have received a reply to a message that they have sent, whereas the reply actually contains a file called NAVIDAD.EXE, which will infect the computer when it is run.
As Navidad is sent in a reply to a message, the message characteristics vary (depending on the original message). However, the attached file is always NAVIDAD.EXE. For more information on this message, consult the section Visible symptoms.
How does Navidad reply to the users that have sent a message to the infected user? By replying to all the messages in the Inbox (both read and unread).
The replies sent by Navidad and the way in which they are sent do not depend on the mail program installed.