Since the following article was published, antivirus vendor Sophos has issued an alert warning of a new variant of the Navidad virus. According to Sophos, Navidad.B arrives in an email message with an attachment called EMANUEL.EXE. If the attachment is opened, it displays a small dialog box containing a smiley emoticon and an "OK" button. Unlike the buggy original version, Navidad.B successfully installs itself to the system and registry as "WINTASK.EXE", thereby launching itself at startup.
Just In Time For The Holidays…
Navidad, MTX, Music and Hybris continue to spread their malicious version of holiday cheer. Navidad renders all executables incapable of running. If you can’t launch an executable, how can you run antivirus software? MTX blocks access to many antivirus vendor sites, making updating for removal – or for protection against future viruses – nearly impossible. The Music worm disguises itself as a Christmas tune. Its self-updating feature makes predicting future functionality guesswork. Hybris, another self-updating worm, posts its new binaries to the very newsgroup frequented by antivirus professionals.
Navidad
Infecting Windows 32-bit systems, Navidad is a worm that arrives as an email attachment named Navidad.exe. There's a bug in the worm that causes other executables not to run. It copies itself to the Windows\System directory as WINSVRC.VXD. However, it registers itself in the system incorrectly, using the name WINSVRC.EXE. After infection, if you attempt to launch an application, you'll get the following error message:
Windows cannot find WINSVRC.VXD
This application is needed for opening files of type "Application"
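The filename mismatch described above can be checked for offline. The following is an added example, not code from the original article or from any vendor: it audits an exported registry file against a directory listing. It assumes the faulty registration is the open command of the exefile class, a key the article does not name; the export and the file listing are constructed samples.

```python
import re
import ntpath

# Windows' stock open command for the "Application" (exefile) class.
DEFAULT_EXE_OPEN = '"%1" %*'

# Constructed sample: a .reg-style export and a directory listing, modelled on
# the mismatch the article describes (file dropped as .VXD, registered as .EXE).
# The key path is an assumption; the article does not name it.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\WINSVRC.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\WINSVRC.VXD", r"C:\WINDOWS\NOTEPAD.EXE"]

def parse_open_commands(reg_text):
    """Return {file class: open command} from .reg export text."""
    commands, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.match(r'\[HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\open\\command\]$', line, re.I)
        if m:
            current = m.group(1).lower()
        elif line.startswith('['):
            current = None
        elif current and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping of backslashes and quotes.
            commands[current] = re.sub(r'\\(.)', r'\1', line[3:-1])
    return commands

def handler_path(command):
    """First token of a command line, honouring a leading quoted path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else None

def audit(reg_text, files):
    """Flag hijacked exefile handlers and handlers whose target is missing."""
    present = {ntpath.normcase(f) for f in files}
    findings = []
    for cls, cmd in sorted(parse_open_commands(reg_text).items()):
        if cls == "exefile" and cmd.strip() != DEFAULT_EXE_OPEN:
            findings.append((cls, "non-default open command", cmd))
        target = handler_path(cmd)
        if target and "%" not in target and ntpath.normcase(target) not in present:
            findings.append((cls, "handler file missing", target))
    return findings
```

On the constructed sample, `audit(SAMPLE_REG, SAMPLE_FILES)` reports both conditions for the exefile class: the open command has been replaced, and the handler it names is not on disk.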
MTX
Combining a worm, virus, and Trojan component, MTX blocks access to certain antivirus vendor sites – effectively preventing users from downloading the protection they need. Not only will infected users be unable to disinfect MTX, they are also left vulnerable to other viruses newly released in the wild. Symantec has provided a fix – free for any user – that will remove the blockade and allow access to all antivirus vendor sites. Infected users will need to download the tool from a non-infected system and copy it to a floppy disk. Additionally, current Norton AntiVirus users are provided with an alternate download site for updating at Tucows. Infected users can also visit Command Software’s MTX Help Center. This is a non-blocked site providing opportunities to download antivirus software to detect and remove MTX, as well as free online scanning of your system.
Music
Displaying a graphical Merry Christmas greeting to disguise its malicious intent, Music is a VBScript worm affecting Windows 32-bit systems. Music arrives as an email attachment, aptly named MUSIC.EXE. If executed, the worm infects the system and is capable of updating itself. To defend against this worm, keep your antivirus software up to date. If you do not currently have antivirus protection, visit the Free Protection center to download free or trial versions of antivirus software.
Hybris
Another Win32 system infector, the Hybris worm infects WSOCK32.DLL, meaning it is activated each time a person connects to the Internet. It also attaches itself to all outgoing messages sent from the victim's machine. The worm self-updates via binary postings to the alt.comp.virus newsgroup. These postings are, of course, anonymous. Estimates are that 32 different plug-ins may be available. F-Secure provides a complete description, including affected system settings.
Summary
Each of these worms relies on email attachments to spread widely. These attachments are a modern-day Pandora's Box. Users who cannot resist the temptation of opening attachments will likely find themselves infected. The rule of thumb is: do not open unexpected email attachments, even from known persons. If you didn’t expect it and don’t need it, delete it. For more information on defending against computer viruses, consult the article: While I’ve Got You On The Phone.