This is an Internet worm which uses MAPI Outlook to spread. It will be received by email as a response to a sent email message to an infected user, with the attachment NAVIDAD.EXE.

When run, this worm displays a dialog box entitled, "Error" which reads "UI". A blue eye icon appears in the system tray next to the clock in the lower right corner of the screen, and a copy of the trojan is saved to the file winsvrc.vxd in the WINDOWS SYSTEM directory. The following registry key values are created:

HKCU\SOFTWARE\Navidad

HKLM\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run\
Win32BaseServiceMOD=C:\WINDOWS\
SYSTEM\winsvrc.exe

HKCR\exefile\shell\open\command\
(default)=C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*

HKLM\Software\CLASSES\exefile\shell\open\command\
(default)=C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*

In the last 2 entries above, the previous value was

"%1" %*

As these registry values use the incorrect file extension, an error message is displayed when attempting to launch any .EXE file.

This problem can be recovered by opening an MS-DOS prompt and going into the Windows directory and then copying REGEDIT.EXE as REGEDIT.COM. You can then run REGEDIT from the START menu and browse to the registry path to remove the invalid entry mentioned above.

This worm can be terminated on a system - when Navidad is running, click on the eye in the system tray. When the dialog box with the big button labeled don't press me (sic) appears, press the little close window button in the top right corner (marked X)

Another message box pops up , pressing OK on this message box makes the worm exit - the eye disappears and the program terminates.

Indications Of Infection - Presence of the EYE icon in the lower right corner of your screen
- When the cursor is placed over the EYE icon, the text, "Lo estamos mirando..." is displayed.
Translated this means, we are watching it.
- When the "eye" icon is clicked, a button appears reading, "Nunca presionar este boton".
Translated this means, never press this button.
- When the button is pressed, a messages box is displayed entitled, "Feliz Navidad", which
reads "Lamentablemente cayo en la tentacion y perdio su computadora". Translated this reads,
Merry Christmas, Unfortunately you've given in to temptation and lose your computer.

Method Of Infection W32/Navidad@M is spreading on its own despite a bug in the program.
This worm will arrive as an email attachment with the name Navidad.exe. Running the attachment infects your machine.

This worm can be terminated on a system - when Navidad is running, click on the eye in the system tray. When the dialog box with the big button labeled don't press me (sic) appears, press the little close window button in the top right corner (marked X)

Another message box pops up , pressing OK on this message box makes the worm exit - the eye disappears and the program terminates.

Removal Instructions

Removal of the registry entry can be accomplished when using the 4.1.10 engine or higher.
Although the 4.0.70 engine can remove this worm, the registry data will not be corrected.

One trick that AVERT has discovered is to rename the registry editing program from their original .EXE to a .COM extension (as in REGEDIT.COM). This will by pass the limitations created by removing the worm prior to editing the registry. This will allow you to remove references of trojans and Internet worms.

Manual Removal Instructions

There are 2 options for manual removal:

A1) Identify and note the files associated with this worm as detected by the scanner.

A2) Download this UNDO.REG file, and open it.

A3) Click START|RUN, type REGEDIT and hit ENTER.

A4) Remove any keys that run the main worm under

HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Windows\
CurrentVersion\Run\

A5) Exit the Registry

A6) Restart the system

A7) Delete the file(s) associated with this worm

Alternative Manual Instructions

B1) Identify and note the files associated with this worm as detected by the scanner.

B2) Click START|RUN, type
 

COMMAND /C COPY %WINDIR%\
REGEDIT.EXE %WINDIR%\REGEDIT.COM

and hit ENTER

B3) Click START|RUN, type REGEDIT.COM and hit ENTER

B4) Remove references to the trojan from these keys of the registry

HKEY_CLASSES_ROOT\exefile\shell\open\command\

HKEY_LOCAL MACHINE\Software\
CLASSES\exefile\shell\open\command

They should contain only the value not including brackets
[''%1'' %*].

B5) Remove any keys that run the main worm under

HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\

B6) Exit the Registry

B7) Restart the system

B8) Delete the worm program(s). If all is well the files should be deleted OK. If you get an error message saying that windows is unable to delete the file because it is in use, then you have made an error in the above procedure and should repeat the process.