Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Malware :: navidad.txt

About the Navidad worm and its design




From sugien@my-deja.com Fri Dec 15 12:02:05 2000
Newsgroups: alt.comp.virus
Subject: Warning for the future and part of a possible solution
From: Sugien <sugien@my-deja.com>
Date: Fri, 15 Dec 2000 20:02:05 GMT

with the advent of the NAVIDAD.EXE (or Feliz Navidad, Spanish for Merry
Christmas)
is a new worm, with a new twist: If you send an e-mail to someone
whose computer is infected, it is designed to send you an automatic
reply, with a file called navidad.exe attached. Clicking on that file
will infect your PC, and it will spread after that by getting
addresses from your unread e-mails and sending itself out to people
who write to you.

Navidad shouldn't get far because it has a major design flaw, but it
has been reported "in the wild." Since it modifies the Registry
incorrectly, it should simply cause an infected computer to stop
functioning, and even prevent Navidad from functioning, if you restart
Windows, and guess what that is the GOOD news and now for the bad news.

I have just finished looking at a poc (doesn't work properly at this
time thank GOD!!)that takes this a step further.  It sits and not only
does as above; but will also check all incoming email and if it finds
and email that contains it's name it will send out one of many replies
it has as part of it's programming, that says "Yes I sent you out the
file NAVIDAD.EXE it is completely harmless and I just thought you might
enjoy it.  If however you are AFRAID!! to open it, just delete it; but
you will be missing out on one of the funniest things I have seen in
ages"

NAVIDAD.EXE is used in the above statements about the poc I have been
checking out just as an example and is NOT part of the poc I am
currently looking at.  The concept behind this IMHO is very insidious
and will most likely infect a number of people that up to this point
have been lulled into a false sense of safety by practicing safe HEX.
I am posting this as a heads up so that you can be aware of what is out
there and might be in the wild; because the
author whom sent me the poc is very close(from what I can tell checking
out the source code) to getting this to work.  If he gets this to work
flawlessly and releases it ITW(in the wild) which he tells me has been
his intention since conception till the present time, it will most
probably be VERY BAD!!

I have been trying to convince the author NOT do release it upon
completion, but up to this time have been unsuccessful.  He only
recently said I could even tell anyone.  I know some will say I
shouldn't care what he wants and that I should
always put out a warning; BUT! if I were to do that it would not take
long at all before NO ONE would send me any POC's at all; because they
would (and rightly so)
say I couldn't be trusted with there POC's.

I have been telling him that he should send it to the AV makers and
that if what he was wanting was recognition, that would garner him some
small modicum of fame.  I think what might slow down the release ITW of
new virus would be some type of online recognition at the major online
EZines and AV software web sites.  Maybe some type of monthly award to
the most significant NEW algorithm for virus and another for most
insidious and another for best new concept, well you get the idea.
Some will say this would only encourage new virus writers to start
making them; but I think it would curtail the releasing of some if not
a bunch of the newer ones.

This however would be hard to implement unless you could get some of
the major players to agree to it.  This is sort of along the lines of
my virus Olympics I have suggested here and else where; because there
would have to be some sort of SAFE place and people
in charge of testing to decide which ones would get published each month
(or week depending the number of submissions).  This would have to be a
REAL DEAL Recognition at like maybe CNN,MSNBC,PC World and ZDNet and
the likes; because these guys are nobody's fool and would
know if it was some half hearted attempt to placate them into not
releasing there code. Maybe even put the weekly and or monthly winners
into a pool to win some type of prize at the end of the year.

btw:
Before you go thinking this is some type of vaporware; just remember
all the warnings about getting a virus from just looking at either a
web page or an email in OE that has the preview pane enabled, and how
it was called the same and then think of kak,bubble boy and Melissa and
the likes


<flame resistant underwear enabled:o)>



--
                                    /}
http://www.zoomnet.net/~quick  @###{ ]::::::Dino-Soft Software::::::>
                                    \}



Sent via Deja.com
http://www.deja.com/



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH