Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Navidad.A
Threat Level Damage Distribution

Infection strategy 

Navidad creates a file called WINSVRC.VXD in the Windows System directory. This file displays an eye icon in the Windows Taskbar.

Navidad creat es the following entry in the Windows Registry:

• HKCR\ Exefile\ Shell\ Open\ Command C:\ Windows\ System\ Winsvrc.exe "%1" %*
  This prevents files with an EXE extension from being run.

Navidad modifies the following entry in the Windows Registry: 

• HKLM\ Software\ Microsoft\ Windows\ CurrentVersion\ Run Win32BaseServiceMOD C:\ Windows\ System\ Winsvrc.Exe

  By doing this, Navidad tries (unsuccessfully) to ensure that it is activated when the affected computer is started up, as the WINSVRC.EXE file should be run.

  The WINSVRC.EXE file is not the file that Navidad has previously created (the file it creates is WINSVRC.VXD). Therefore, when the computer is started up, an error message appears indicating that the file that must be run cannot be found.

Means of transmission 

The means of transmission used by Navidad is very astute. In order to get the user’s trust, it reaches computers as a reply to a message they have sent to a user that has been infected.

Users naturally think that they have received a reply to a message that they have sent, whereas the reply actually contains a file called NAVIDAD.EXE, which will infect the computer when it is run.

As Navidad is sent in a reply to a message, the message characteristics vary (depending on the original message). However, the attached file is always NAVIDAD.EXE. For more information on this message, consult the section Visible symptoms.

How does Navidad reply to the users that have sent a message to the infected user? By replying to all the messages in the Inbox (both read and unread).

The replies sent by Navidad and the way in which it is sent are not dependent on the mail program installed.