This month, we cover two worms that have spread rapidly
through e-mail, and vulnerabilities and incompatibilities in Windows Me and
Windows 2000.
Widespread worms
W32.Prolin.Worm
Also known as Troj_Shockwave.A, Creative, and Troj_Prolin.A, this worm spreads
through Microsoft Outlook, and affects Win 9x and NT systems. It e-mails itself
to everyone in the Outlook address book. The subject of the e-mail is "A
great Shockwave Flash movie", and the worm is sent with this by way of an
attachment called Creative.exe. The message says, "Check out this new Flash
movie that I downloaded just now…It’s great Bye."
After this, the worm sends an e-mail to a Yahoo! mail
account. The subject line is "Job complete", and the message says,
"Got yet another idiot".
The worm gets executed when you double click the attachment.
After e-mailing itself and sending the above message, it creates a copy of
itself, named Creative.exe, in C:\Windows\Start menu\Programs\Startup, if
C:\Windows is your default Windows directory. So, the worm is executed every
time you start the computer and load Windows.
It then moves all your JPG, MP3, and ZIP files to the root
directory, and renames them by appending "change at least now to
Linux" to their file extension. It also drops a file called messageforu.txt
in the root directory, which contains a message signed by "The
Penguin" and a list of all the files moved by the worm. This list also
gives you the complete pathnames of the files before they were moved.
To remove the worm, scan your system with an updated version
of your anti-virus software, and delete all files that contain the worm’s
name. Use the list in the messageforu.txt file to restore the original
extensions of all files moved by the worm.
W32.Navidad
This worm spreads itself by using any MAPI-compliant e-mail client,
including Microsoft Outlook, but e-mail messages sent by the worm can be
received by any client. Navidad makes your system unusable by improperly
changing some registry keys. Systems at risk are Win 9x/NT/2000.
The worm arrives as an e-mail attachment called Navidad.exe.
When you execute the attachment, a dialog box titled ‘Error’ will appear
with the message "UI". When you click OK, a blue eye icon appears in
your systray and a copy of the worm is saved to the file winsvrc.vxd in the
Windows System directory.
When your mouse pointer is on the icon, it displays a dialog
box with the message, "We’re watching it". Clicking the icon
displays a dialog box with a button. The text on the button says, "Never
press this button". If you press it, an error box titled "Merry
Christmas" appears with a message that tells you that you’ve lost your
computer. However, this is just a hoax. To terminate the worm, you can close the
dialog box by pressing the ‘X’ instead of clicking the button. The message
"Good selection" will appear; click OK. This will make the worm exit—the
eye icon will disappear, and the program will terminate.
The worm also creates the following registry keys:
If you’re running Win 9x (and your Windows directory is
C:\Windows):
HKEY_USERS\DEFAULT\Software\Navidad
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Win32BaseServiceMOD=C:\WINDOWS\SYSTEM\winsvrc.exe
It also changes the value of two other registry keys.
If you’re running Win NT/2000 (and your Windows directory
is C:\WINNT):
HKEY_CURRENT_USER\Software\Navidad
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Win32BaseServiceMOD=C:\WINNT\System32\winsvrc.exe
Again, it changes the value of two other registry keys.
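As an added example (not from the column, and not Symantec's tool), the check below parses a registry export (.reg text) and flags the Navidad persistence entries listed above: the Navidad key under HKEY_USERS\DEFAULT or HKEY_CURRENT_USER, and a Win32BaseServiceMOD value under a Run key that points at winsvrc.exe. The .reg sample is constructed; the two other modified values the column does not name are not covered.

```python
"""Flag the W32.Navidad registry entries described in the column inside a .reg export."""

# Indicators taken from the column (Win 9x variant and Win NT/2000 variant).
NAVIDAD_KEYS = {
    r"HKEY_USERS\DEFAULT\Software\Navidad",   # Win 9x
    r"HKEY_CURRENT_USER\Software\Navidad",    # Win NT/2000
}
NAVIDAD_KEYS_CF = {k.casefold() for k in NAVIDAD_KEYS}
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run".casefold()
RUN_VALUE_NAME = "Win32BaseServiceMOD"
PAYLOAD_NAME = "winsvrc.exe"

# Constructed sample export of an NT/2000 box with the worm's Run entry beside a benign one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Navidad]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINNT\\System32\\winsvrc.exe"
"SystrayTool"="C:\\Program Files\\Tool\\tray.exe"
"""


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}. Only quoted string
    values are handled; keys with no values map to an empty dict."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double backslashes inside string data; undo that.
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_navidad_indicators(text):
    """Return (key, value_name, data) hits; value_name/data are None for a bare key hit."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.casefold() in NAVIDAD_KEYS_CF:
            hits.append((key, None, None))
        if key.casefold().endswith(RUN_KEY_SUFFIX):
            for name, data in values.items():
                if name == RUN_VALUE_NAME or PAYLOAD_NAME in data.casefold():
                    hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for hit in find_navidad_indicators(SAMPLE_REG):
        print("Navidad indicator:", hit)
```

On a live machine, feed it the output of `regedit /e` taken from the regedit.com copy the removal steps below describe.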
After this, it begins to mail itself to other people using
your MAPI-compliant mail client. It checks all the messages in your inbox and
replies to those that have one attachment. The reply has the same subject and
body text, but has an attachment called Navidad.exe, which contains the worm.
You won’t be able to exit your mail client or shut down your computer, except
by switching it off manually.
Because of the registry keys created and modified, you’ll
see an error message whenever you try to launch an EXE file. The system will
prompt you to locate a file called Winsvrc.exe, and you won’t be able to
launch any programs.
If you’ve been infected, you can restore your system by
opening MS-DOS Prompt, going into the Windows directory, and copying regedit.exe
as regedit.com, so that you can open it on your system. You can then run
regedit from the Start menu and make the appropriate changes in your registry to
undo the damage. More details on this procedure are available at:
www.symantec.com/avcenter/venc/data/w32.navidad.html
Incompatibility between Windows Me and NAV 2001