• PC World
• » Security

Network Associates's McAfee division has upgraded the threat level of a virus named Navidad from low to medium. McAfee says the virus seems to have increased its rate of infection recently, although the malicious program actually contains a bug that allows you to render it inactive.

People receive Navidad via e-mail in the form of an attachment named Navidad.exe. Correspondents receive the attachment as a reply message to an e-mail sent to an infected user. Once the virus has infected a PC, it prevents you from launching any programs of the .exe type, which includes basic applications such as Microsoft Word. Navidad is the Spanish word for Christmas (See "Feel Secure? Don't Be Sure--Even Microsoft Got Hacked.")

McAfee's AVERT (Anti-Virus Emergency Response Team) says more than 40 instances of the virus have been reported in the last three days. This particular virus is proving troublesome because it doesn't contain a specific subject header that can help people identify it. Instead, it comes as a reply message that bears the recipient's own subject header. The virus is of the Internet worm type (see "Worry About the Worm") and uses MAPI Outlook to spread.

An Eye is Your Clue (and Cure)

If the infected attachment is run, a dialog box appears with an error message reading "UI." An icon of a blue eye then appears next to the clock icon in the system tray at the lower right corner of the PC screen. The Trojan horse virus is saved to the file "winsvrc.vxd" in the Windows system directory.

If you place the cursor over the eye, a message appears saying, "Lo estamos mirando ..." or "We are watching it," according to AVERT. If you click the icon, a button pops up with the message "Nunca presionar este botón," or "Never press this button." If you press the button, a message box titled "Feliz Navidad" appears, which reads "Lamentablemente cayó en la tentación y perdió su computadora," or "Merry Christmas, unfortunately you've given in to temptation and lost your computer."

You can terminate the virus by clicking on the blue eye and closing the dialog box, using the small "X" that appears at the upper right hand corner of the box. The dialog box should display a large blue button labeled "don't press me." When another message box appears, you can click "OK" and terminate the program, making the eye disappear.

The Internet worm is buggy in the sense that it modifies your registry to run an executable that does not exist, prior to running any .exe file on the system, AVERT says. This causes an error message to appear when you attempt to launch any program not already running at the time the worm was installed on the system.

To terminate the virus, the more technical among you can also go to the MS-DOS prompt, go into the Windows directory and copy REGEDIT.exe as REGEDIT.com. Then you can run the file from the Start menu and browse the registry path to remove the infected file.

• See more like this:
• worm,
• Trojan,
• virus,
• navidad,
• Network Associates,
• AVERT