Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity NONE
Payload
Detection files published 28 Nov 2000 03:00:00
Description created 07 Jan 2001 03:00:00
Description updated 08 Nov 2001 02:32:00
Malware type WORM
Alias W32/Navidad.B
Spreading mechanism EMAIL
Summary None

W32/Navidad.16896.Worm

Spreading

This variant usually arrives in email with an attachment named Emanuel.exe. It is quite similar to W32/Navidad.32768 (aka W32/Navidad.A).

It uses MAPI-compatible email clients to propagate. If no such program is found, it shows a pop-up message telling the user to run MS Outlook and set it as the default email client.

It then traverses all emails in the inbox and replies to every email that contains exactly one attachment, attaching a copy of itself. It does not matter whether the emails in the inbox are read or unread.

Payload Details

When the worm is executed it shows a message box (image not available).
It drops a file named Wintask.exe into the Windows system folder (usually C:\Windows\System\) and creates a Registry value that loads this file every time Windows is started.

Unlike W32/Navidad.32768, this variant succeeds in loading itself at each Windows start, so it runs and sends out infected emails every time the machine boots.

W32/Navidad.B creates the following Registry keys and values:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32BaseServiceMOD=C:\WINDOWS\SYSTEM\Wintask.exe

HKEY_CURRENT_USER\Software\emanuell

HKEY_CLASSES_ROOT\exefile\shell\open\command
Default=C:\WINDOWS\SYSTEM\wintask.exe "%1\" %*

The last value replaces the standard .exe launch command ("%1" %*) so that every executable started through the shell is run by way of wintask.exe. Deleting Wintask.exe without first restoring this value to "%1" %* leaves the system unable to start any .exe file.
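The three Registry indicators listed above can be checked offline against a registry export (.reg file) taken from a suspect machine. The script below is an added example, not Lumension's own tooling: it parses REGEDIT4/5 style exports, looks for the Win32BaseServiceMOD Run value (or any Run value that launches wintask.exe), the HKEY_CURRENT_USER\Software\emanuell marker key, and any exefile open command that differs from the clean "%1" %*. The two sample exports embedded in it are constructed for the example, not captured from an infected host.

```python
"""Scan a Windows registry export for the W32/Navidad.B persistence indicators.
Added example (not Lumension's code); sample exports below are constructed."""
import re

# Indicators as listed in the threat description.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Win32BaseServiceMOD"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\emanuell"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
# The .exe launch command a clean Windows install stores under exefile.
CLEAN_EXEFILE_DEFAULT = '"%1" %*'

# A .reg value line: either @=... (default value) or "name"=...
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Turn a .reg quoted string (backslash-escaped) into its literal content.
    Non-string data (dword:, hex:) is returned verbatim."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r'\\(.)', r'\1', s[1:-1])
    return s


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; the default value is stored
    under the name "(Default)". Keys with no values still appear, which is
    what lets the empty emanuell marker key be detected."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def find_navidad_indicators(keys):
    """Return a list of findings for the parsed export; empty means clean."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Match the documented value name, or any Run entry pointing at the dropper.
        if name == RUN_VALUE or "wintask.exe" in data.lower():
            findings.append(f"Run value {name} -> {data}")
    if MARKER_KEY in keys:
        findings.append(f"marker key present: {MARKER_KEY}")
    exe_cmd = keys.get(EXEFILE_KEY, {}).get("(Default)")
    if exe_cmd is not None and exe_cmd != CLEAN_EXEFILE_DEFAULT:
        # Anything other than "%1" %* means .exe launches are redirected.
        findings.append(f"exefile launch command hijacked: {exe_cmd}")
    return findings


# Constructed sample: what an export from an infected machine would contain.
INFECTED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\Wintask.exe"
"SystemTray"="SysTray.Exe"

[HKEY_CURRENT_USER\Software\emanuell]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\wintask.exe \"%1\\\" %*"
'''

# Constructed sample: the same keys on a clean machine.
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(label, find_navidad_indicators(parse_reg_export(export)) or "no indicators")
```

Because the exefile check flags any non-default launch command rather than one fixed string, it also catches other malware that hijacks the .exe association; confirm the path before treating a hit as Navidad.B.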

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15