Users receive Navidad via e-mail in the form of an attachment with the name NAVIDAD.EXE. Users receive the attachment as a reply message to an e-mail sent to an infected user. Once the virus has infected a PC, it prevents users from launching any programs of the .EXE type, which includes basic applications such as Microsoft Word. Navidad is the Spanish word for Christmas.
McAfee's AVERT (Anti-Virus Emergency Response Team) Labs said more than 40 instances of the virus have been reported in the last three days, and that the virus is proving troublesome because it doesn't contain a specific subject header that can help users identify it. Instead, it comes as a reply message that bears the user's own subject header. The virus is of the Internet worm type, and uses MAPI Outlook to spread.
If the infected attachment is run, a dialogue box appears with an error message reading "UI." An icon of a blue eye then appears next to the clock icon in the system tray at the lower right corner of the PC screen. The trojan virus is saved to the file "winsvrc.vxd" in the Windows system directory.
If a user places the cursor over the eye, a message appears saying, "Lo estamos mirando . . ." or "We are watching it," according to AVERT. If the user clicks the icon, a button pops up with the message "Nunca presionar este botón," or "Never Press this button." If the user presses the button, a message box appears entitled "Feliz Navidad" which reads "Lamentablemente cayó en la tentación y perdió su computadora," or "Merry Christmas, Unfortunately you've given in to temptation and lost you computer."
The virus can be terminated by clicking on the blue eye and closing the dialogue box using the small "X" that appears at the upper right hand corner of the box. The dialogue box should display a large blue button labeled 'don't press me.' When a further message box appears, the user can click 'OK' and terminate the program, making the eye disappear.
The Internet worm is buggy in the sense that it modifies the user's registry to run an executable which does not exist prior to running any .EXE file on the system, AVERT said. This causes the error message to appear when attempting to launch any program not already running at the time the worm was installed to the system.
To terminate the virus, more technical users can also go to the MS-DOS prompt, go into the Windows directory and copy REGEDIT.EXE as REGEDIT.com. The user can then run the file from the Start menu and browse the registry path to remove the infected file.
More information about the virus is on AVERT's Web site at http://www.avertlabs.com/.