e-mail virus : navidad.exe

From: M selcukkaraca <mskaraca_at_yahoo.com>
Date: Wed, 15 Nov 2000 11:04:45 -0800

Hi to all,

I have been wounded with a virus today, if you have received it please REMOVE
IT...

solution is this ...

if something bad has occurred because of me please FORGIVE ME ....

Virus Name: W32/Navidad_at_M

Virus Characteristics:

Update November 10, 2000: AVERT has raised the risk assessment from LOW to
MEDIUM ON WATCH today based on the number of samples received for this
Internet worm.

This is an Internet worm which uses MAPI Outlook to spread. It will be
received by email as a response to a sent email message to an infected user,
with the attachment NAVIDAD.EXE.

When run, this worm displays a dialog box entitled, "Error" which reads
"UI". A blue eye icon appears in the system tray next to the clock in the
lower right corner of the screen, and a copy of the trojan is saved to the
file "winsvrc.vxd" in the WINDOWS SYSTEM directory.

The following registry key values are created:

KEY_CURRENT_USER\SOFTWARE\Navidad

KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Win32BaseServiceMOD=C:\WINDOWS\SYSTEM\winsvrc.exe

KEY_CLASSES_ROOT\exefile\shell\open\command\
(default)=C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*

KEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\
(default)=C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*

In the last 2 entries above, the previous value was "%1" %*

As these registry values use the incorrect file extension, an error message
is displayed when attempting to launch any .EXE file.

This problem can be recovered by opening an MS-DOS prompt and going into the
Windows directory and then copying REGEDIT.EXE as REGEDIT.COM. You can then
run REGEDIT from the START menu and browse to the registry path to remove
the invalid entry mentioned above.

This worm can be terminated on a system: when Navidad is running, click on
the eye in the system tray. When the dialog box with the big button labeled
"don't press me" (sic) appears, press the little close window button in the
top right corner (marked X).

Another message box pops up; pressing OK on this message box makes the worm
exit: the eye disappears and the program terminates.

To check your system for this virus, and to learn how to protect yourself
from computer viruses, visit the McAfee PC Clinic at
http://clinic.mcafee.com.



selcuk.karaca_at_aski.gov.tr
Unix sys Admin
ASKI - ANKARA




Received on Thu Nov 16 2000 - 03:28:22 NZDT

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:41 NZDT
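
The registry changes listed in the advisory can be checked offline against a text export of the registry. The following is an added example, not part of the original message or the McAfee advisory; it assumes a REGEDIT4-style export with hive names in their full HKEY_ form, and the sample export is constructed.

```python
import re

# Constructed sample: a REGEDIT4-style export from a hypothetical infected host.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Navidad]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\winsvrc.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"
'''

CLEAN_OPEN_COMMAND = '"%1" %*'  # value the advisory gives as the original
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(".*")\s*$')

def unquote(s):
    # Strip the surrounding quotes and undo .reg escaping (\\ and \").
    return re.sub(r'\\(.)', r'\1', s[1:-1])

def parse_reg(text):
    """Return {key_path_lower: {value_name: data}}; '' is the (default) value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = '' if m.group(1) == '@' else unquote(m.group(1))
                current[name] = unquote(m.group(2))
    return keys

def navidad_findings(text):
    """List (indicator, detail) pairs for the changes named in the advisory."""
    found = []
    for path, values in parse_reg(text).items():
        if path.endswith(r'\software\navidad'):
            found.append(('marker_key', path))
        if path.endswith(r'\currentversion\run'):
            # 'winsvrc' covers both winsvrc.vxd and winsvrc.exe from the advisory.
            found += [('run_value', n) for n, d in values.items()
                      if 'winsvrc' in d.lower()]
        if path.endswith(r'exefile\shell\open\command'):
            if values.get('', CLEAN_OPEN_COMMAND) != CLEAN_OPEN_COMMAND:
                found.append(('exe_handler_hijack', values['']))
    return found
```

Any exefile open command other than "%1" %* is reported, so the check also flags a handler left pointing at a file that no longer exists.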