The Virus that Stole Christmas
Kevin Poulsen, SecurityFocus 2000-11-10

Troublesome new virus messes with victims' minds.

Virus watchers are warning about an email-borne contagion called Navidad, Spanish for Christmas, that's spreading throughout South America and the United States.

"Yes, it's real, and, yes, it's spreading," says Joe Wells, founder of WildList.org, a volunteer group that tracks computer viruses in the wild. "We've seen it in the U.S., Panama, Brazil... It's fairly widespread in Peru."

Network Associates' McAfee antivirus team upgraded the virus to a "Medium On Watch" risk level today, and reported that more than ten Fortune 500 companies have been afflicted.

The festive malware arrives as an attachment called navidad.exe. If executed, it installs itself in the victim's system tray, next to the clock, where it appears as an icon of a small blue eye. Clicking on the eye produces a button labeled "Nunca presionar este boton", Spanish for "Never press this button."

Victims who ignore that warning and click the button are treated to a message box with the title "Feliz Navidad", and the message "Lamentablemente cayo en la tentacion y perdio su computadora," - in English: "Merry Christmas. Unfortunately you've given in to temptation and lost your computer."

"We think it may have come from Latin America," says Patrick Martin, anti-virus program manager at Symantec, which also upgraded the virus to a "medium" risk ranking.

Target: Outlook
Despite its threatening tone, the program does not deliberately destroy anything on the victim's computer. But a programming error by the uncredited author causes Navidad to damage the system registry in a way that makes it impossible to execute most programs with a .exe extension.

The virus spreads by replying to messages that arrive in a victim's inbox. It relies on Microsoft Outlook's MAPI interface, in much the same way as the LoveLetter and Melissa viruses and their variants.

Unlike those earlier viruses, Navidad is spreading slowly. "We don't tend to see the big corporation getting hit by these kinds of viruses any more," says Symantec's Martin. Companies that are large enough to have their own IT department are increasingly filtering out viruses before they get onto the corporate network, and last June, Microsoft released an optional patch for Outlook that blocks executable attachments altogether. "The larger companies have tightened their filtering," Martin says.

The modern age of Internet viruses began in March of 1999, when the Melissa virus raged across the net. New Jersey programmer David Smith pleaded guilty in December to writing and launching the virus, and was to have been sentenced this Monday, November 13th.

That date was recently rescheduled for February 2001 -- the third postponement of Smith's sentencing this year. Federal prosecutors and Smith's defense attorney are mum on the reason for the delays.

Copyright 2010, SecurityFocus