worm is spread through email, and will come as an attachment
from people you know, or addresses that you've mailed to recently.
The attachment will be titled NAVIDAD.EXE. If you click on it,
an error box will pop up that simply says "UI", and a small
blue eye will appear in the system tray on your taskbar. Anyone
sending you an email will automatically receive a return email
with the worm attached.
If you click on the
blue eye in the system tray, a button appears that says "Never
press this button", in Spanish: (Nunca presionar este boton).
When the button is
pressed, another message appears (also in Spanish): "Lamentablemente
cayo en la tentacion y perdio su computadora" (Unfortunately
you've given in to temptation and lose your computer). This
message box is titled, 'Feliz Navidad' (Merry Christmas).
Whether you press
these buttons or not, your computer is already infected.
From here, W32/Navidad@M
works somewhat like the 'Backdoor-G2' trojan that's been
going around. It saves itself to a file on your hard drive called
WINSVRC.VXD and makes changes to your Registry, resulting in
an error message everytime you try to run a '.EXE' program file.
is running, it can actually be closed by clicking on the blue
eye in the system tray. When the dialogue box appears with the
button that says "Nunca presionar este boton", click
on the 'close program' button (X) in the upper right corner
of the box. Another message box will appear. Click OK in this
box, and the program will close. The eye will no longer be in
the system tray.
Do not clean or
delete any of the infected files yet!
First off, it's important
to realize that older versions of anti-virus software won't
necessarily find this worm.
Some may find it,
and clean or delete the infected files, but won't repair the
Registry. Look for information on your anti-virus program's
Removing it manually
does present some problems. First off, the registry changes
that are made by W2/Navidad@M will prevent you from running
any '.EXE' programs. If you try to start a program with a '.EXE'
extension you'll get an error box that says 'File Not Found'.
Unfortunately, to repair the registry, you need to use REGEDIT.EXE.
One way around this
is to rename REGEDIT.EXE to REGEDIT.COM. Files with a '.COM'
extension are also executable program files!
(In WindowsNT, you would change REGEDIT32.EXE to REGEDIT32.COM)
Start a DOS session
by clicking on START/PROGRAMS/DOS PROMPT, or reboot to the DOS
prompt. At the DOS prompt, make sure you're in the Windows directory,
REN REGEDIT.EXE REGEDIT.COM
Close out of the
Now, from Windows,
you can click on START/RUN and type REGEDIT. The Registry Editor
will open. If you're not familiar with making changes to the
Registry, get someone who is!
The trojan has created another key called 'Navidad'. Delete
the key 'Navidad'.
When you click on the 'Run' key, delete the entry that says
'Win32BaseServiceMOD = C:\WINDOWS\SYSTEM\winsvrc.exe'. Look
at the other 'Run' keys in this area and delete any references
Next, look under
You'll see the entry:
= C:\WINDOWS\SYSTEM\winsvrc.exe "%1"%*
Change this to read: (Default) = "%1"%*
Do the same for the
identical entry under HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command.
Close out of the
Registry Editor. Do a search for WINSVRC.* and NAVIDAD.* and
delete any files associated with the trojan.