ARCHIVED: What is the Navidad email worm, and how do I get rid of it?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

The Navidad (navidad.exe) worm is an executable file sent as an email attachment. The worm replies to messages, and therefore the subject of the message will usually match one that the recipient has previously sent.

If you run this program, the worm displays an Error dialog box with the text "UI". If you click the OK button in this dialog box, the worm sends itself by replying to each message in the Inbox, placing Navidad.exe in the message body. The worm installs itself into the system tray as a blue eye icon, and then copies itself into the Windows and Windows system directories with the filenames winsvrc.vxd and winsvrc.exe, making changes to the registry so that it executes upon startup.

If you execute this program, you will be unable to launch other applications and will receive the error message, "Windows cannot find winsvrc.exe".

To manually remove the worm from your computer, you will need to remove the registry keys created by the worm. For instructions on dealing with, and more information about this worm, click N and then Navidad on the Computer Associates Virus Encyclopedia page at: 

  http://www3.ca.com/threatinfo/virusinfo/browse.aspx

You may also wish to consult the Symantec Security Response site for information and fixes. Search on navidad at the following URL: 

  http://securityresponse.symantec.com/avcenter/vinfodb.html

This is document ajbs in the Knowledge Base.
Last modified on 2018-01-18 13:05:41.