Navidad virus

W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000 that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. It was designed to spread through email clients such as Microsoft Outlook while masquerading as an executable electronic Christmas card. Infected computers can be identified by blue eye icons which appear in the Windows system tray.

Description
When the navidad.exe email attachment is run the files installs itself as "WINSVRC.VXD" in the \Windows\System directory. The worm modifies the default EXE file startup key in the Windows Registry, [HKEY_CLASSES_ROOT\exefile\shell\open\command], to allow the program to run any time any exe file is run. The worm also creates a startup key to ensure that it runs on startup. A bug in the Navidad virus installs the Registry Keys for "WINSVRC.EXE" even though the worm itself is installed with a .VXD file extension, as a result the worm prevents .exe files from running and does not run on startup. The error "Windows cannot find winsvrc.exe" will be displayed instead.

During installation a fake error message is displayed. After the user closes the message a blue eye icon appears on the system tray. Users who click on the eye icon will be presented with a dialog box that displays the text "Nunca presionar este boton" as a button. When clicked a variety of different messages, including one which states: "Emmanuel-God is with us!May god bless u.And Ash, Lk, and LJ!!" and "Lamentablemente cayo en la tentacion y perdio si computadora" can be displayed depending on the version of the virus the user is infected with.

When the worm is activated it uses the MAPI32.DLL library to connect to Microsoft Outlook or Exchange to send itself to the email addresses belonging to the senders of any unread emails in the victim's inbox. This will send the worm to every address the victim receives an email from until it is removed from the system.

Navidad.b Variant
Because the original Navidad virus would fail to run an, alternate variant of the virus became more popular. In some cases, Navidad.b would spread as "emanuel.exe" and install itself as "wintask.exe" in the Windows System directory to make it appear like a native Windows executable. The Navidad.b version of the virus fixed the issue that prevented exe files from running, instead allowing exe files to run as well as running the worm at the same time as initially intended. This also allowed the virus to spread more effectively.

Impact
The worm itself did not destroy data or seriously damage any infected computers, damage was limited to preventing exe files from running in the original version of the worm. This virus also did not spread as fast as other similar email worms such as Melissa or ILOVEYOU and caused limited disruptions in email services.

Antivirus researcher at McAfee, Vincent Gullotto, reported that at least 10 Fortune 500 companies had been infected by the worm, although he declined to specify which companies were impacted by the worm.