Aliases: I-Worm.Navidad.a, W32/Navidad.gen@M, Win32.Navidad, W32/Navidad, WORM_NAVIDAD.A
Variants: W32/Watchit, w32/navidad@m

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Fast
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Hard
Platform: W32
Discovered: 03 Nov 2000
Damage: high

Characteristics: W32.Navidad is a very dangerous mass-mailing worm but not just a worm but rather a program. This uses a MAPI which automatically replies to all inbox messages that contain a single attachment. It continuously searches for messages located in the box that have only one attachment. If it doesn’t, then it will not infect it. It can also propagate itself through Microsoft Outlook. However, email messages that are infected with this worm can be received by any email client. Gmail account, Yahoo account, Hotmail, AOL or any server that would provide receiving and sending email messages can be targets of this program worm.

More details about W32.Navidad

It makes use of email subject line and body. As its name says, it contains attachment named as, “Navidad.exe. “ The program contains a lot of bugs in its code when it was written by the author as such, once opened, it causes your system to be unusable. Finally, the worm puts a blue eye icon in the system tray of the taskbar. When the mice selector is over the icon, the worm displays a yellow dialog box that shows a message with the cryptic letters saying, “Lo estamos mirando... “ In English, this means, “we are watching it....” When you select the icon, a dialog box with a button shows. The button on the other hand, shows the text saying,” Nunca presionar este boton.” In English this means, never press this button. If you select the button again, an error box will show with the title saying, “Feliz Navidad.” This means, “Merry Christmas.” When it greets you, another message is also shown saying, Lamentablemente cayo en la tentacion y perdio su computadora,” which means, “Unfortunately you've fallen to temptation and have lost your computer.” If you close the dialog box by selecting the “X” button instead of clicking the action button, the following message appears, “buena eleccion,” which means, “Good selection.”

Then it automatically exits. Despite the warning of losing the computer, no further changes are made to the system. Aside from displaying tons of Spanish messages, the worm also self duplicates in windows system folders as “Winsvrc.vxd.” Whenever an .exe file is executed, the Windows prompts you for the location of Winsvrc.exe. The net result is that no program files can be launched. This may cause system instability and you may have difficulty restarting the system. Some of the reported features of the W32.Navidad program may include the ability to spread malicious threats, perform updates silently, download unwanted files, open ports, enable influence from a remote attacker, connect itself to the Internet, install additional software, lacking uninstall procedures and has built-in adapter.