Navidad Worm

Is an internet worm spreading by means of the e-mail attachment with named Navidad.exe. After the attachment is executed the worm installs itself into the system and provides its activation.

The “Error” dialog window with with “UI” text inside appears upon each execution of the worm. The worm author seems to make a mistake regarding the registers: although the worm body is located in the winsvrc.vxd file, the registry keys use the winsvrc.exe name. The worm activity manifests itself by the presence of a small icon with a blue window and, what is even worse, inability to execute any program with the .EXE extension. The worm body contains some Spanish texts that are displayed in certain windows after the icon was “played with” .

The texts displayed read:

Te estamos mirando..
Lo estamos mirando... buena eleccion...
Lamentablemente cayo en la tentacion y perdio su computadora
Feliz Navidad

As with other recently appearing infiltrations, NOD32 provides timely and reliable protection against the infiltration. For those users, who did not use NOD32 to protect their machines and data, Eset team has developed a cleaning procedure that can be used and downloaded at: www.nod32.com.

Cleaning Procedure

Computer infected by the Navidad worm is essentially unusable, until cleaned. The following procedure was developed by Eset’s development labs (www.nod32.com) to help those users, whose systems were not protected by NOD32 Antivirus System and got infected.

To clean an infected computer, you will need a clean floppy disk, connection to Internet (from a computer that was not infected) and a careful application of the following procedures:

A/ Procedure on a clean computer providing connection to Internet

  1. Log on to Internet
  2. Start the Internet browser
  3. Enter the following address: www.nod32.com, to log on to Eset website
  4. Go to the section Virus News and click at the header of the CLEANING NAVIDAD news item.
  5. Click at the following file: winsvrc.exe to start its download onto a diskette
  6. Insert a clean floppy disk into the disk drive and SAVE the downloading file on a clean diskette
  7. Remove the floppy disk from the computer. Take the diskette with the file and continue with the:

B/ Procedure on the infected computer

  1. Turn on the infected computer and wait till the message: ”Windows cannot find winsvrc.exe” appears (Note! In certain cases (Windows ME) this window may not appear; If this is the case, click at ”My Computer” icon and copy the winsvrc.exe file from the diskette into the Windows system directory. Usual path to the system directory is: c:\windows\system (on Windows 98, ME) or, c:\winnt\system32 (on Windows NT, 2000); after copying has been completed, run whatever application, delete winsvrc.exe from the system directory and go to step B/6 below)
  2. Insert the floppy into the floppy disk drive
  3. Enter a:\ into the input field
  4. Press Enter key
  5. The program on a diskette will clean your computer and will confirm the successful completion of the process, turn off your computer
  6. Turn off your computer, Remove the floppy disk and turn on your computer

NOTE:

To protect your computer against constant virus threats, you need the best possible protection. NOD32 Antivirus System did not miss a single ”In the Wild” virus for the last three years. After receiving 12 consecutive Virus Bulletin 100% Awards, it detected 100% of all computer infiltrations in all the test sets used and, at the same time, had the highest scanning rates of the executable files. To download NOD32 free trial version, or to become Eset’s registered user, please, visit our site at: www.nod32.com.