The worm arrives as an e-mail attachment, NAVIDAD.EXE. When the attachment is opened, the worm copies itself to the Windows system directory as winsvrc.vxd and creates two entries in the registry.
It writes a Win32BaseServiceMOD entry with the data winsvrc.exe into HKEY_ROOT_CLASSES\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. This ensures that Navidad is launched at system startup.
It sets the value of the HKEY_LOCAL_MACHINE\exefile\shell\open\command key to "winsvrc.exe %1 %*". This ensures that the worm gets full control before any EXE file is launched. Due to a small programming error (the worm saves itself with a VXD extension while the entry refers to an EXE), none of these settings works, so no EXE program can be launched and the system becomes unusable.
Navidad displays a text message window while it runs.
To remove the virus manually, delete the WINSVRC.VXD file, then rename REGEDIT.EXE to REGEDIT.COM and launch it (the renaming is needed because the broken EXE association prevents REGEDIT.EXE itself from starting). Set the value of the HKEY_LOCAL_MACHINE\exefile\shell\open\command key back to the original "%1" %*.
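A defender-side check for the two registry changes described above, written as an added example (not part of the original description). It treats the registry strings as already read from the host, for instance via winreg on Windows, and runs on constructed sample values; the function and variable names are assumptions of this example.

```python
import ntpath
import shlex
from typing import Dict, List, NamedTuple, Optional, Set


class AssocCheck(NamedTuple):
    hijacked: bool          # a program was inserted in front of the "%1" placeholder
    handler: Optional[str]  # file name of that program, if any
    handler_present: bool   # whether that file exists in the supplied directory listing


def _first_program(command: str) -> Optional[str]:
    """Lowercase base name of the first token of a registry command string."""
    tokens = shlex.split(command.strip(), posix=False)  # posix=False keeps Windows quoting
    return ntpath.basename(tokens[0].strip('"')).lower() if tokens else None


def check_exefile_command(value: str, system_files: Set[str]) -> AssocCheck:
    """Classify exefile\\shell\\open\\command; the benign default is "%1" %*.

    system_files: lowercase names in the Windows system directory (constructed
    here; on a real host it would come from os.listdir).
    """
    first = _first_program(value)
    if first is None:
        return AssocCheck(True, None, False)
    if first == "%1":  # the EXE itself is launched: nothing sits in front of it
        return AssocCheck(False, None, False)
    # Navidad's bug: it registers winsvrc.exe but dropped winsvrc.vxd, so the
    # handler is missing and every EXE launch fails instead of being proxied.
    return AssocCheck(True, first, first in system_files)


def run_entries_for_handler(run_entries: Dict[str, str], handler: str) -> List[str]:
    """Run-key value names whose command launches the same program."""
    return [name for name, data in run_entries.items() if _first_program(data) == handler]


def analyze(command: str, run_entries: Dict[str, str], system_files: Set[str]) -> dict:
    """Combine both checks into one verdict for the host."""
    assoc = check_exefile_command(command, system_files)
    persistence = run_entries_for_handler(run_entries, assoc.handler) if assoc.handler else []
    return {"hijacked": assoc.hijacked, "handler": assoc.handler, "run_entries": persistence,
            "exe_launch_broken": assoc.hijacked and not assoc.handler_present}


# Constructed sample mirroring the values described in the text.
SAMPLE_EXEFILE_COMMAND = "winsvrc.exe %1 %*"
SAMPLE_RUN_ENTRIES = {"Win32BaseServiceMOD": "winsvrc.exe"}
SAMPLE_SYSTEM_FILES = {"winsvrc.vxd", "kernel32.dll"}  # the worm dropped .vxd, not .exe

if __name__ == "__main__":
    print(analyze(SAMPLE_EXEFILE_COMMAND, SAMPLE_RUN_ENTRIES, SAMPLE_SYSTEM_FILES))
```

The `exe_launch_broken` flag is the situation the removal section addresses: the association points at a handler that is not on disk, so REGEDIT.EXE cannot start until it is renamed to a .COM file.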