Navidad virus carries an early holiday surprise

Users receive Navidad via e-mail in the form of an attachment with the name NAVIDAD.EXE. Users receive the attachment as a reply message to an e-mail sent to an infected user. Once the virus has infected a PC, it prevents users from launching any programs of the .EXE type, which includes basic applications such as Microsoft Word. Navidad is the Spanish word for Christmas.

McAfee's AVERT (Anti-Virus Emergency Response Team) Labs said more than 40 instances of the virus have been reported in the last three days, and that the virus is proving troublesome because it doesn't contain a specific subject header that can help users identify it. Instead, it comes as a reply message that bears the user's own subject header. The virus is of the Internet worm type, and uses MAPI Outlook to spread.

If the infected attachment is run, a dialogue box appears with an error message reading "UI." An icon of a blue eye then appears next to the clock icon in the system tray at the lower right corner of the PC screen. The trojan virus is saved to the file "winsvrc.vxd" in the Windows system directory.

If a user places the cursor over the eye, a message appears saying, "Lo estamos mirando . . ." or "We are watching it," according to AVERT. If the user clicks the icon, a button pops up with the message "Nunca presionar este botón," or "Never Press this button." If the user presses the button, a message box appears entitled "Feliz Navidad" which reads "Lamentablemente cayó en la tentación y perdió su computadora," or "Merry Christmas, Unfortunately you've given in to temptation and lost you computer."

The virus can be terminated by clicking on the blue eye and closing the dialogue box using the small "X" that appears at the upper right hand corner of the box. The dialogue box should display a large blue button labeled 'don't press me.' When a further message box appears, the user can click 'OK' and terminate the program, making the eye disappear.

The Internet worm is buggy in the sense that it modifies the user's registry to run an executable which does not exist prior to running any .EXE file on the system, AVERT said. This causes the error message to appear when attempting to launch any program not already running at the time the worm was installed to the system.

To terminate the virus, more technical users can also go to the MS-DOS prompt, go into the Windows directory and copy REGEDIT.EXE as REGEDIT.com. The user can then run the file from the Start menu and browse the registry path to remove the infected file.

More information about the virus is on AVERT's Web site at http://www.avertlabs.com/.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ashlee Vance

PC World

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?