Maybe this can help.....
Symptoms
- Presence of the EYE icon in the lower right corner of your screen
- When the cursor is placed over the EYE icon, the text "Lo estamos mirando..." is displayed. Translated, this means "We are watching it."
- When the "eye" icon is clicked, a button appears reading "Nunca presionar este boton". Translated, this means "Never press this button."
- When the button is pressed, a message box is displayed entitled "Feliz Navidad", which reads "Lamentablemente cayo en la tentacion y perdio su computadora". Translated, this reads "Merry Christmas. Unfortunately you've given in to temptation and lost your computer."
Summary
Virus Name: W32/Navidad@M
Risk Assessment: Medium On Watch
Virus Information
Discovery Date: 11/03/2000
Origin: South America
Length: 32,768
Type: Virus
SubType: Internet Worm
Minimum Dat: 4105
Minimum Engine: 4.0.70
DAT Release Date: 11/10/2000
Description Added: 11/03/2000
Virus Characteristics
Update November 10, 2000:
AVERT has raised the risk assessment from LOW to MEDIUM ON WATCH today based on the number of samples received for this Internet worm.
This is an Internet worm which uses MAPI Outlook to spread. It will be received by email as a response to a sent email message to an infected user, with the attachment NAVIDAD.EXE.
When run, this worm displays a dialog box entitled "Error" which reads "UI". A blue eye icon appears in the system tray next to the clock in the lower right corner of the screen, and a copy of the trojan is saved to the file "winsvrc.vxd" in the WINDOWS SYSTEM directory. The following registry key values are created:
HKEY_CURRENT_USER\SOFTWARE\Navidad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Win32BaseServiceMOD=C:\WINDOWS\SYSTEM\winsvrc.exe
HKEY_CLASSES_ROOT\exefile\shell\open\command\
(default)=C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\
(default)=C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*
In the above entry, the previous value was
"%1" %*
As these registry values use the incorrect file extension, an error message
is displayed when attempting to launch any .EXE file.
This problem can be recovered by opening an MS-DOS prompt, going into the Windows directory and then copying REGEDIT.EXE as REGEDIT.COM. You can then run REGEDIT from the START menu and browse to the registry path to remove the invalid entry mentioned above.
This worm can be terminated on a system - when Navidad is running, click on the eye in the system tray. When the dialog box with the big button labeled "don't press me" (sic) appears, press the little close window button in the top right corner (marked X). Another message box pops up; pressing OK on this message box makes the worm exit - the eye disappears and the program terminates.
Method Of Infection
W32/Navidad appears to be spreading on its own despite a bug in the program.
This worm will arrive as an email attachment with the name Navidad.exe.
Running the attachment infects your machine.
Removal Instructions
Update November 10, 2000:
AVERT has raised the risk assessment from LOW to MEDIUM ON WATCH today.
Links for the EXTRA drivers are below:
VirusScan, NetShield, GroupShield and like products with 4.0.70 engine (EXTRA.DAT):
<http://a64.g.akamai.net/7/64/2015/2000-11-10-09-NAVID/download.nai.com/products/extrafiles/NAVID-4.zip>
Toolkit 8.0 (EXTRA.DRV):
<http://a64.g.akamai.net/7/64/2015/2000-11-10-09-NAVID/download.nai.com/products/extrafiles/NAVID-8.zip>
-----------------------
This Internet worm is buggy in the sense that it modifies the registry to run an executable which does not exist prior to running any EXE file on the system. This will cause an error message when attempting to launch any program not already running at the time the worm was installed to the system.
Removal of the registry entry can be accomplished when using the 4.1.00 engine, which is scheduled for release November 10, 2000 with the SUPERDAT update. Although the 4.0.70 engine can remove this worm, the registry data will not be modified or corrected.
To remove the entry via a registry script file, download this undo.zip
<http://download.nai.com/products/MCAFEE-AVERT/stand_alone/undo.zip> file,
extract the UNDO.REG file and copy to the STARTUP folder of the affected
system. Reboot the affected system.
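As an added example (not from the AVERT description or the mailing list), the following Python script parses a REGEDIT4-style export, flags the hijacked exefile\shell\open\command default and the winsvrc Run entry described under Virus Characteristics, and emits a restoring script in the spirit of the UNDO.REG linked above. The sample export is constructed from the values quoted on the page; the function names and the generated script are assumptions, not AVERT's UNDO.REG.

```python
import re
EXPECTED_EXE_COMMAND = '"%1" %*'   # clean (default) value quoted in the description above
EXEFILE_COMMAND_KEYS = {r"hkey_classes_root\exefile\shell\open\command",
                        r"hkey_local_machine\software\classes\exefile\shell\open\command"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key: {value_name: data}} (string values only)."""
    result, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(2)
            # undo REGEDIT4 escaping: \" -> " and \\ -> \
            result[current][name] = m.group(3).replace('\\"', '"').replace("\\\\", "\\")
    return result

def find_navidad_indicators(reg):
    """Return (key, value_name, data) for entries matching the worm's registry changes."""
    findings = []
    for key, values in reg.items():
        if key.lower() in EXEFILE_COMMAND_KEYS:
            data = values.get("(default)", "")
            if data != EXPECTED_EXE_COMMAND:        # anything but "%1" %* is a hijack
                findings.append((key, "(default)", data))
        elif key.lower() == RUN_KEY:
            for name, data in values.items():
                if "winsvrc" in data.lower():       # Run entry pointing at the dropped file
                    findings.append((key, name, data))
    return findings

def build_undo_reg(findings):
    """Emit a REGEDIT4 script: '@=' restores the (default) command, '"name"=-' deletes the Run value."""
    lines = ["REGEDIT4", ""]
    for key, name, _ in findings:
        lines += [f"[{key}]", '@="\\"%1\\" %*"' if name == "(default)" else f'"{name}"=-', ""]
    return "\n".join(lines)

# Constructed sample export reproducing the hijacked entries listed in the description.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\winsvrc.exe"
'''
```

Run `print(build_undo_reg(find_navidad_indicators(parse_reg_export(SAMPLE_EXPORT))))` to see the generated restore script; on a real export the same call shows whether the two command keys and the Run entry still carry the worm's values.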
Manual registry entry removal instructions:
The order in which to remove this trojan is complicated by the depth to which the trojan hooks the operating system.
One trick that AVERT has discovered is to copy the registry editing programs from their original .EXE to a .COM extension (as in REGEDIT.COM). This will bypass the limitations created by removing the trojan prior to editing the registry. For example, in Windows 95/98 the registry can be loaded and edited using the program named REGEDIT.EXE, while in Windows NT you use REGEDT32.EXE. Rename these to a .COM extension and they will still execute and allow you to remove references to trojans and Internet worms.
1) Identify and note the files associated with this trojan as detected by the scanner - do not remove the trojan at this time. If you have already removed the trojan, you will not be able to run the REGEDIT steps below on the affected system. Proceed instead to step 11 listed below.
2) Click START|RUN, type %WINDIR% and hit ENTER
3) Type in at the command prompt
COPY REGEDIT.EXE REGEDIT.COM
then hit ENTER, then type EXIT and hit ENTER
4) Click START|RUN, type REGEDI
5) Remove references to the trojan from these keys of the registry:
HKEY_CLASSES_ROOT\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\
They should contain only the value (not including the brackets) ["%1" %*].
6) Remove any keys that run the main trojan under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
7) Exit the Regedit
8) Rename REGEDIT.COM to REGEDIT.EXE
9) Restart the system
10) Delete the trojan program(s). If all is well the files should be deleted OK. If you get an error message saying that Windows is unable to delete the file because it is in use, then you have made an error in the above procedure. Repeat steps 1 to 9 and try again.
Variants
No known variants.
Aliases
I-Worm.Navidad
TROJ_NAVIDAD.A
W32.Navidad
W32/Watchit
Win32/Navidad.Worm
----- Original Message -----
From: "Edwin F" <[EMAIL PROTECTED]>
To: "Master" <[EMAIL PROTECTED]>
Sent: Wednesday, November 15, 2000 10:37 AM
Subject: [MasterWeb] NAVIDAD
Do you guys know about navidad.exe? Yesterday I got an email with that stuff in it?
Edwin F
www.esolusi.com
Web Review Contest, total prizes Rp.500.000 + T-shirt & Cap:
http://www.master.web.id/cgi-bin/webkritik/oktober.cgi
-------[ Master Web Indonesia - www.master.web.id ] -------
Moderator : [EMAIL PROTECTED]
Subscribe : [EMAIL PROTECTED]
Unsubscribe : [EMAIL PROTECTED]
-----------------------------------------------------------