Navidad virus
{{Short description|Mass-emailing worm program}}
W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000, that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems.{{Cite journal |last=Cullison |first=David |date=2000-11-20 |title=Merry Christmas - The NAVIDAD Virus |url=https://www.giac.org/paper/gsec/198/merry-christmas-navidad-virus/100681 |website=giac.org |pages=1}} It was designed to spread through email clients such as Microsoft Outlook{{cite web |title=W32.Navidad |url=http://www.symantec.com/security_response/writeup.jsp?docid=2000-122109-3750-99 |archive-url=https://web.archive.org/web/20061110173730/http://www.symantec.com/security_response/writeup.jsp?docid=2000-122109-3750-99 |url-status=dead|archive-date=November 10, 2006 |website=Symantec |accessdate=27 February 2018 |language=en}} while masquerading as an executable electronic Christmas card.{{cite web |title=A short history of Christmas malware |url=https://grahamcluley.com/christmas-malware-short-history/ |website=Graham Cluley |accessdate=3 January 2025 |date=15 December 2010}} Depending on the variant, infected computers can be identified by a blue eye icon or an ICQ logo that appears in the Windows system tray.
Description
When the navidad.exe email attachment is run, it installs itself as "winsvrc.vxd" in the \Windows\System directory. The worm modifies the default .exe file startup key in the Windows Registry, [HKEY_CLASSES_ROOT\exefile\shell\open\command], so that the worm runs whenever any .exe file is run. The worm also creates a startup key to ensure that it runs on startup. Because of a bug, the Navidad virus writes both Registry keys for "winsvrc.exe" even though the worm itself is installed with a .vxd file extension. As a result, the worm prevents .exe files from running and does not run on startup,{{Cite web |title=Worm:W32/Navidad Description {{!}} F-Secure Labs |url=https://www.f-secure.com/v-descs/navidad.shtml |access-date=2022-04-05 |website=www.f-secure.com |language=en}} and the error "Windows cannot find winsvrc.exe" is displayed instead.{{cite web |title=What is the Navidad email worm, and how do I get rid of it? |url=https://kb.iu.edu/d/ajbs |website=Indiana University Knowledge Base |archive-url=https://web.archive.org/web/20240124120410/https://kb.iu.edu/d/ajbs |archive-date=2024-01-24 |access-date=2025-01-03}}
During installation, a fake error message is displayed. After the user closes the message, a blue eye icon or the ICQ logo appears in the system tray. Users who click on the eye icon are presented with a dialog box containing a button labelled "Nunca presionar este boton" ({{translation|"Never press this button"}}). When the button is clicked, one of a variety of messages can be displayed, depending on the version of the virus the user is infected with, including "Emmanuel-God is with us!May god bless u.And Ash, Lk, and LJ!!" and "Lamentablemente cayo en la tentacion y perdio su computadora" ({{translation|"Unfortunately you fell into temptation and lost your computer"}}).
When the worm is activated, it uses the MAPI32.DLL library to connect to Microsoft Outlook or Exchange and sends itself to the email addresses of the senders of any unread emails in the victim's inbox. This will send the worm to every address the victim receives an email from until it is removed from the system.{{Cite web |last=Doctors |first=Data |title=Navidad (Christmas) virus/worm (Question 2585){{!}} Data Doctors Free Help |url=https://www.datadoctors.com/help/question/2585-W32Navidad-Christmas-virusworm-alert-111000/ |access-date=2022-04-05 |website=Data Doctors Computer Services |language=en-us}}
= Navidad.b Variant =
Because the original Navidad virus would fail to run, an alternate variant of the virus became more popular. In some cases, Navidad.b would spread as "emanuel.exe" and install itself as "wintask.exe" in the Windows System directory to make it look like a native Windows executable.{{cite web |title=Retooled Navidad virus on the loose |url=https://www.cnet.com/tech/services-and-software/retooled-navidad-virus-on-the-loose/ |website=CNET |language=en |archive-url=https://web.archive.org/web/20220813135419/https://www.cnet.com/tech/services-and-software/retooled-navidad-virus-on-the-loose/ |archive-date=2022-08-13 |access-date=2025-01-03}} The Navidad.b version of the virus fixed the issue that prevented .exe files from running: .exe files ran normally and the worm ran alongside them, as initially intended. This also allowed the virus to spread more effectively.
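The registry behaviour described above, for both the original worm and Navidad.b, can be checked from a registry export. The following is an added example, not code from the cited sources: it classifies the exefile open command as stock, hijacked with a missing target (the original Navidad bug) or hijacked with a working target (Navidad.b). The sample exports, directory listings and state names are constructed for illustration.

```python
import re

# Stock (Default) value of the exefile open command on Windows.
DEFAULT_HANDLER = '"%1" %*'
KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

def default_value(reg_text, key):
    """Return the unescaped (Default) value of `key` in .reg export text, or None."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslashes and quotes with a backslash.
            return re.sub(r"\\(.)", r"\1", line[3:-1])
    return None

def classify_exefile_handler(reg_text, system_dir_files):
    """Classify the handler as default, missing, hijacked-broken or hijacked-working."""
    value = default_value(reg_text, KEY)
    if value is None:
        return ("missing", None)
    if value.strip() == DEFAULT_HANDLER:
        return ("default", None)
    # Anything in front of "%1" is a program interposed before every .exe launch.
    prefix = value.split('"%1"')[0].strip().strip('"')
    target = prefix.replace("/", "\\").split("\\")[-1].lower()
    present = {name.lower() for name in system_dir_files}
    # Target absent from disk: every .exe launch fails (the original Navidad bug).
    state = "hijacked-working" if target in present else "hijacked-broken"
    return (state, target)

# Constructed sample exports and directory listings (not taken from a real host).
CLEAN = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
NAVIDAD_A = CLEAN.replace(r'@="', r'@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe ')
NAVIDAD_B = CLEAN.replace(r'@="', r'@="C:\\WINDOWS\\SYSTEM\\wintask.exe ')

if __name__ == "__main__":
    print(classify_exefile_handler(CLEAN, ["kernel32.dll"]))
    print(classify_exefile_handler(NAVIDAD_A, ["winsvrc.vxd", "kernel32.dll"]))
    print(classify_exefile_handler(NAVIDAD_B, ["wintask.exe", "kernel32.dll"]))
```

Any non-default value is worth investigating regardless of the file name, since the same key can be abused by other programs.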
Impact
The worm itself did not destroy data or seriously damage any infected computers; damage was limited to preventing .exe files from running in the original version of the worm. This virus also did not spread as fast as other similar email worms such as Melissa or ILOVEYOU and caused limited disruptions in email services.{{cite web |title='Navidad' computer virus poses moderate risk |url=https://us.cnn.com/2000/TECH/computing/11/10/navidad/index.html |website=CNN |language=en |archive-url=https://web.archive.org/web/20040206193037/https://us.cnn.com/2000/TECH/computing/11/10/navidad/index.html |archive-date=2004-02-06 |access-date=2025-01-03}}
Vincent Gullotto, an antivirus researcher at McAfee, reported that at least 10 Fortune 500 companies had been infected by the worm, although he declined to specify which companies were impacted.{{Cite web |title=A Not-So-Feliz 'Navidad' |url=https://www.cbsnews.com/news/a-not-so-feliz-navidad/ |access-date=2022-04-06 |website=www.cbsnews.com |language=en-US}}