Worm on email

 

Don't click it

W32/Navidad

W32/Navidad-B or Emanuel

Description: W32/Navidad

W32/Navidad is an email worm. The worm arrives in an email message with an attachment called NAVIDAD.EXE.

Unable to run .EXE files.

No programs, etc.

Description: Emanuel or W32/Navidad-B

W32/Navidad-B is a variant of the W32/Navidad email-aware worm. The worm arrives in an email message with an attachment called EMANUEL.EXE.

Unable to run .EXE files.

No programs, etc.

 


For visitors who don't understand it yet: a program that has been closed can't be opened anymore.
Even shutting down the computer will not work. You must do a hard stop: pull out the plug.
The computer will start again, and any infected exe will not run.
You can open the "Start" menu and go to "Restart the computer in MS-DOS mode."
Use the removal instructions and the worm will be erased.

W32/Navidad



If the attached program is launched, it displays a dialog box containing the text "UI".

It then attempts to read new email messages and to send itself to the senders' addresses.
The worm copies itself into the Windows system directory with the filename WINSVRC.VXD and changes the registry so that it runs on Windows startup and before any file is run.
The worm also installs itself into the system tray: a blue eye icon appears in the lower right corner of your screen, next to the clock.
When the cursor is placed over the eye icon, the text "Lo estamos mirando..." is displayed. Translated, this means "We are watching it".
When the eye icon is clicked, a button appears with the text "Nunca presionar este boton".
Translated, this means "Never press this button".

If the user clicks the button, the worm displays a message box with the title "Feliz Navidad" and the text
"Lamentablemente cayo en la tentacion y perdio su computadora".
Translated, this reads "Merry Christmas. Unfortunately you've given in to temptation and lost your computer".

 

Removal instructions:    W32/Navidad worm

If you are unable to run .EXE files as a result of a Navidad infection, follow the removal instructions for emanuel on this page.

Only for Windows 95/98 systems

  1. On the Windows taskbar, click Start > Programs > MS-DOS prompt.
    The command prompt will display the current directory, which should be the Windows directory.
    In most cases that will be displayed as: C:\Windows>
  2. Type    ren REGEDIT.EXE REGEDIT.COM    (Rename regedit from the .exe to the .com extension. This will bypass the limitations created by removing the worm prior to editing the registry. This will allow you to remove references of trojans and internet worms.)
  3. Press Enter
  4. Type    REGEDIT
  5. Press Enter
  6. Modify the following registry value:
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command
    and change
    "C:\WINDOWS\SYSTEM\winsvrc.exe "%1" %*
    to
    "%1" %*    (don't forget the space between 1" and %)
    Or delete "C:\WINDOWS\SYSTEM\wintask.exe and let "%1" %* stay
  7. Delete the following registry keys:
    HKEY_USERS\.DEFAULT\Software\Navidad    (note the dot between USERS\ and DEFAULT)
    and
    delete Win32BaseServiceMOD from
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\Win32BaseServiceMOD
  8. Restart your computer
  9. Using Windows Explorer, delete the \WINDOWS\SYSTEM\winsvrc.vxd file.
  10. Delete navidad.exe

 

Only for Windows NT / Windows 2000 systems

  1. On the Windows Desktop, double-click the My Computer icon.
  2. Press Ctrl-F. A Find Files window pops up. This will allow you to search for a specific file.
  3. In the Named field, type REGEDIT.EXE
  4. When it finds the file, right-click the filename REGEDIT.EXE. A new pop-up menu will open.
    Select Rename.
  5. Type    REGEDIT.COM
  6. Double-click REGEDIT.COM to start it.
  7. Follow the removal instructions for Windows 95/98 from point 6.

 

 

Safe Computing: be suspicious of .exe, .shs, .vbs, MS Word and MS Excel file attachments.



 

W32/Navidad-B or Emanuel



If the attached program is launched, it displays a dialog box containing the text ";)".

It then attempts to read new email messages and to send itself to the senders' addresses.
The worm copies itself into the Windows system directory with the filename WINTASK.EXE and changes the registry so that it runs on Windows startup and before any file is run.
The worm also installs itself into the system tray: a flower icon appears in the lower right corner of your screen, next to the clock.

If the user clicks on the icon, it displays a dialog box with the text "Nunca presionar este boton".
Translated, this means "Never press this button".

If the user clicks the button, the worm displays a dialog box with the title "Emmanuel....." and the text "Emmanuel-God is with us!May god bless u.And Ash, Lk and LJ!!".
If the user does not press the button but instead attempts to close the message, the worm displays a message with the title "Emmanuel....." and the text "May GOd bless u;D".

 

 

Removal instructions:    "emanuel.exe" worm

If you are unable to run .EXE files as a result of an Emanuel infection, follow the removal instructions for emanuel on this page.

Only for Windows 95/98 systems

  1. On the Windows taskbar, click Start > Programs > MS-DOS prompt.
    The command prompt will display the current directory, which should be the Windows directory.
    In most cases that will be displayed as: C:\Windows>
  2. Type    ren REGEDIT.EXE REGEDIT.COM    (Rename regedit from the .exe to the .com extension. This will bypass the limitations created by removing the worm prior to editing the registry. This will allow you to remove references of trojans and internet worms.)
  3. Press Enter
  4. Type    REGEDIT
  5. Press Enter
  6. Modify the following registry value:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    and change
    "C:\WINDOWS\SYSTEM\wintask.exe "%1" %*
    to
    "%1" %*    (don't forget the space between 1" and %)
    Or delete "C:\WINDOWS\SYSTEM\wintask.exe and let "%1" %* stay
  7. Delete the following registry keys:
    HKEY_USERS\.DEFAULT\Software\Emanuel    (note the dot between USERS\ and DEFAULT)
    and
    delete Win32BaseServiceMOD from
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\Win32BaseServiceMOD
  8. Restart your computer
  9. Using Windows Explorer, delete the \WINDOWS\SYSTEM\Wintask.exe file.
  10. Delete emanuel.exe

 

Only for Windows NT / Windows 2000 systems

  1. On the Windows Desktop, double-click the My Computer icon.
  2. Press Ctrl-F. A Find Files window pops up. This will allow you to search for a specific file.
  3. In the Named field, type REGEDIT.EXE
  4. When it finds the file, right-click the filename REGEDIT.EXE. A new pop-up menu will open.
    Select Rename.
  5. Type    REGEDIT.COM
  6. Double-click REGEDIT.COM to start it.
  7. Follow the removal instructions for Windows 95/98 from point 6.
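
A check that can follow steps 6 and 7 of either removal procedure above, as an added example that is not part of the original page: it reads a registry export in REGEDIT4 text format and reports whether the exefile open command, the Win32BaseServiceMOD startup value or the worm's own key is still present. The sample export is constructed, including the data of the startup value, which the page does not give; the function names are hypothetical.

```python
import re
# Keys and values named in the removal steps, lower-cased for matching.
EXEFILE_KEY = r"hkey_local_machine\software\classes\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WORM_KEYS = (r"hkey_users\.default\software\navidad",
             r"hkey_users\.default\software\emanuel")
CLEAN_COMMAND = '"%1" %*'            # the value that step 6 restores
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"\s*$')

# Constructed sample export; the startup value's data is an assumption.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\winsvrc.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\winsvrc.vxd"
"SystemTray"="SysTray.Exe"

[HKEY_USERS\.DEFAULT\Software\Navidad]
'''

def unescape(s):
    """Undo .reg escaping, where backslash and double quote are backslash-escaped."""
    return re.sub(r"\\(.)", r"\1", s)

def audit_reg_export(text):
    """Return (key, finding) tuples for worm traces in a REGEDIT4 export."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() in WORM_KEYS:
                findings.append((key, "worm key present"))
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue                  # dword:/hex: values are irrelevant here
        name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        if key.lower() == EXEFILE_KEY and name == "@" and data.strip() != CLEAN_COMMAND:
            findings.append((key, "exefile open command hijacked: " + data))
        if key.lower() == RUN_KEY and name.lower() == "win32baseservicemod":
            findings.append((key, "startup value Win32BaseServiceMOD -> " + data))
    return findings

if __name__ == "__main__":
    print(*audit_reg_export(SAMPLE), sep="\n")
```

An empty result means none of the three traces from steps 6 and 7 remain in the export.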

 

 

Safe Computing: be suspicious of .exe, .shs, .vbs, MS Word and MS Excel file attachments.



  mailto  Michel Beyens
