Navidad Revisited

In this December just past, I received many e-mails from readers asking for information on busting the evil Navidad (Christmas in Spanish) virus. I decided that my year-end hiatus would have to wait. And so I bring you an informative guide on removing Navidad and its multiple variants.

Navidad is a new Net worm that arrives concealed in an e-mail attachment. The source e-mail is disguised as a Christmas greeting. Clicking NAVIDAD.EXE lets the virus save itself as WINDOWS\SYSTEM\WINSVRC.VXD. Infected PCs display a blue eye icon in the system tray next to the clock. For every e-mail you receive, the worm sends a copy of itself back to the sender. The virus also prevents any .EXE file that was not already running when the virus was launched from starting. As a result, a Windows MAPI transport like Outlook can still be accessed, but PowerPoint is locked out.

Place the mouse pointer over the eye and a message "Lo estamos mirando..." (We are watching it) appears. Click the icon and a button pops up with "Nunca presionar este botón" (Never press this button). Press the button for a message box entitled "Feliz Navidad Lamentablemente cayó en la tentación y perdió su computadora" (Merry Christmas. Unfortunately, you've given in to temptation and lost your computer).

The virus appears buggy and can be terminated. Click the blue eye and close the resulting dialog box by clicking the small x in its upper right-hand corner. The dialog box will display a large blue button labeled 'don't press me'. Click again for another message box, then click 'OK' to terminate the program. To permanently remove the virus, open an MS-DOS prompt, change to the Windows folder and copy REGEDIT.EXE as REGEDIT.COM (the .COM copy will run because the virus only blocks .EXE files). Now run this copy from the Start menu and browse the registry path to remove the infected file.

The real danger of Navidad@m is that, because it responds to all incoming e-mail, it can overload enterprise mail servers and cause a company-wide mail outage. At the personal level, it can cause Windows to freeze and also stop applications from running. The virus was first found in South America. So far Latin America, the United Kingdom and parts of the United States have been infected.

And before I leave, here's a new fable of our times for you. The Fable virus is trying to become a legend in its time. PIF (Program Information File) is a standard Windows file used to store information about start-up properties for DOS applications. PIFs contain application details including name, size, location, creation and modification date, default screen size, memory usage, and idle sensitivity. This saves you from having to adjust these settings every time you run a DOS-based application in Windows.

Fable is a PIF-based worm that arrives in an e-mail message with a subject picked at random from a list that includes "Fable", "Something You Should Read" and "Very Important That You Receive This". The message body contains just one phrase, randomly chosen from "A nice little fable" or "Wanted to make sure you received this."

The message has an infected FABLE.PIF file attached. Once launched, the worm creates supplementary files that ensure its constant presence on the system. These also distribute it over IRC channels and by e-mail. Fable creates a VBS file that gains access to Outlook and sends copies of the virus to everyone in the Outlook address book.
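As an added example (not part of this column), the following Python classifies incoming mail using only the indicators given above for Navidad and Fable, and counts per-sender hits so that Navidad's reply-to-every-message behaviour shows up as a burst from one address. The sample messages are constructed for testing, not real captures.

```python
import email
from collections import Counter
from email import policy
from email.message import EmailMessage

# Indicators taken from the column: the attachment each worm travels in and,
# for Fable, the subjects and body phrases it is said to pick from.
NAVIDAD_ATTACHMENTS = {"navidad.exe"}
FABLE_ATTACHMENTS = {"fable.pif"}
FABLE_SUBJECTS = ("fable", "something you should read",
                  "very important that you receive this")
FABLE_BODIES = ("a nice little fable", "wanted to make sure you received this")


def parse(raw):
    """Parse a raw RFC 822 message into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)

def attachment_names(msg):
    """Lower-cased filenames of every MIME part that carries one."""
    return {p.get_filename().lower() for p in msg.walk() if p.get_filename()}

def classify(msg):
    """Return 'navidad', 'fable' or None for a parsed message."""
    names = attachment_names(msg)
    if names & NAVIDAD_ATTACHMENTS:
        return "navidad"
    subject = str(msg["subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    # A Fable lure without the attachment needs both a listed subject and a listed body phrase.
    lure = any(s in subject for s in FABLE_SUBJECTS) and any(b in text for b in FABLE_BODIES)
    return "fable" if names & FABLE_ATTACHMENTS or lure else None

def storm_senders(raw_messages, threshold=3):
    """Senders behind `threshold` or more flagged mails: because Navidad answers
    every message it receives, one infected PC shows up as a burst from one address."""
    hits = Counter(str(m["from"]) for m in map(parse, raw_messages) if classify(m))
    return {sender for sender, n in hits.items() if n >= threshold}

def build_sample(sender, subject, body, attachment=None):
    """Construct a sample message for testing (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:  # two bytes stand in for the worm binary
        msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename=attachment)
    return msg.as_string()
```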

Trojan (3k.exe) attempts to download Teen.exe.


Govind Menon
