W32/Navidad Worm
W32.Navidad is a mass-mailing worm. It replies to every message in the Inbox that carries a single attachment, so infected email can arrive at any email client. The worm reuses the original message's subject line and body and attaches itself as NAVIDAD.EXE. Because of bugs in its code, once the worm has been executed it leaves the system unusable.
 

Symptoms of the Virus

Whenever a .exe file is executed, the operating system prompts the user for the location of the file WINSVRC.EXE. The net result is that no program files can be launched. This may cause system instability, and the system may have difficulty rebooting.

Next, the worm begins its email routine. It uses MAPI to send mail and therefore works with any MAPI-compliant email client, including Microsoft Outlook. The worm checks all messages in the Inbox and replies to those that have exactly one attachment. The reply keeps the same subject line and body but carries the worm attached as NAVIDAD.EXE.

Finally, the worm places a blue eye icon in the system tray of the taskbar. When the mouse pointer is over the icon, the worm displays a yellow tooltip that states:

Lo estamos mirando...
(In English: We are watching it...)

When you click the icon, a dialog box with a button appears. The button contains the following text:

Nunca presionar este boton
(In English: Never press this button)


If the user presses the button, an error box with the title:

Feliz Navidad
(In English: Merry Christmas)

displays the message:

Lamentablemente cayo en la tentacion y perdio su computadora
(In English: Unfortunately you've fallen to temptation and have lost your computer)


If you close the dialog box by clicking the X instead of clicking the button, the following message appears:

buena eleccion
(In English: Good selection)

and the dialog exits. Despite the warning about losing the computer, no further changes are made to the system.
 

To Remove the Virus (on a Windows 95/98 system)

1. On the Windows taskbar, click Start -> Programs -> MS-DOS Prompt. The command prompt will display the current directory, which should be the Windows directory. In most cases that will be displayed as:

C:\WINDOWS>

2. On the command line, type 
3. Press Enter.
4. Type regedit.
5. Press Enter.
6. Modify the following Registry value:

HKEY_CLASSES_ROOT\exefile\shell\open\command

7. Replace the value

"C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*

with

"%1" %*

For clarity, these seven characters are: double quote, percent sign, the numeral one, double quote, space, percent sign, asterisk. Don't forget the space.

8. Delete the registry key:

HKEY_USERS\.DEFAULT\Software\Navidad

9. Delete the value "Win32BaseServiceMOD" from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

10. Restart your computer.
11. Using Windows Explorer, delete the \WINDOWS\SYSTEM\winsvrc.vxd file.
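The registry portion of the procedure (steps 6 through 9) can be applied in one go with a .reg file. This is an added example, not part of the original advisory; the filename navidad-fix.reg is a placeholder, and it assumes you import it from the MS-DOS prompt opened in step 1 (regedit /s navidad-fix.reg) so the import does not depend on the broken .exe association.

```reg
REGEDIT4

; Added example for the W32/Navidad removal steps above; not part of
; the original advisory. REGEDIT4 is the header Windows 95/98 regedit
; expects. Import from the MS-DOS prompt: regedit /s navidad-fix.reg

; Steps 6 and 7: restore the .exe open command. The worm pointed this
; command at C:\WINDOWS\SYSTEM\winsvrc.exe (see step 7 for the exact
; value), which is why every .exe launch prompted for WINSVRC.EXE.
; Inside a .reg file the inner double quotes must be escaped, so the
; seven characters "%1" %* are written as \"%1\" %*.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

; Step 8: delete the worm's own key. A leading minus inside the
; brackets removes the whole key.
[-HKEY_USERS\.DEFAULT\Software\Navidad]

; Step 9: remove the worm's autostart entry. "name"=- deletes a single
; value and leaves the other Run entries untouched.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"=-
```

Check afterwards in regedit that the three locations match steps 7 through 9 (if your regedit version ignores the "name"=- form, delete the value by hand as in step 9); steps 10 and 11, the restart and deleting \WINDOWS\SYSTEM\winsvrc.vxd, are still required.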

 
If you have been, or think you may have been, infected with any type of virus or trojan program, please contact your desktop consultant or the security staff to report the incident so that we can help prevent others from being infected as well.

Last updated: Friday, 23-Aug-2002 11:44:28 EDT