Navidad Christmas Virus Removal Tool

Anything goes here, as long as you don't treat this place as a computer hardware and software clinic!

Moderator: DearHoney

Guest

Post by Guest »

◎ W32.Navidad Fix Tool

This tool repairs damage done by the W32.Navidad worm. Please click here for manual removal instructions.

To use the tool, first download the http://www.symantec.com/avcenter/fixnav ... vid.com file and save it to the Windows Desktop. This file can be saved to an alternate folder; if an alternate folder is used, you will need to launch this program from that folder rather than the desktop folder. If the file has been saved to the Windows Desktop folder, an icon for this program will appear on your desktop. Please note that this program has a ".com" extension and not a ".exe" extension. It is important that this extension be preserved. After the file finishes downloading, launch the program by double-clicking on the fixnavid icon that appears on the desktop. If you saved this program to an alternate folder, you will need to open the appropriate folder via the "My Computer" window and launch the program from that alternate folder.

What the tool does

After running the W32.Navidad Fix Tool, you will be able to launch programs just as you were able before W32.Navidad infected your computer.

The following registry keys are removed:

The value Win32BaseServiceMOD is removed from the following key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_USERS\DEFAULT\Software\Navidad on Windows 95 and Windows 98 systems.

HKEY_CURRENT_USER\Software\Navidad on Windows NT and Windows 2000 systems.

The value of

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

is restored to
"%1" %*"

on Windows 95 and Windows 98 systems.

The value of

HKEY_CLASSES_ROOT\exefile\shell\open\command

is restored to
"%1" %*"

on Windows NT and Windows 2000 systems.

The file winsvrc.vxd is removed from the Windows system directory.
http://www.symantec.com/avcenter/venc/d ... d.fix.html

◎ Manual removal

To remove W32.Navidad (on a Windows 95/98 system):

On the Windows taskbar, click Start > Programs > MS-DOS Prompt. The command prompt will display the current directory, which should be the Windows directory. In most cases that will be displayed as:
C:\WINDOWS>

Type ren REGEDIT.EXE REGEDIT.COM.
Press Enter.
Type REGEDIT.
Press Enter.
Modify the following Registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

and change

"C:\WINDOWS\SYSTEM\winsvrc.vxd "%1" %*

to

"%1" %*

For clarity, these seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.

Delete the registry key:
HKEY_USERS\.DEFAULT\Software\Navidad

Restart your computer.
Using Windows Explorer, delete the \WINDOWS\SYSTEM\winsvrc.vxd file.

To remove W32.Navidad (on a Windows NT / Windows 2000 system):

On your Windows Desktop, double-click on your My Computer icon.
Press CTRL-F. A Find: All Files window should pop up. This will allow you to search for a specific file.
In the Named: field, type REGEDIT.EXE.
After it finds this file successfully, right-click on the filename REGEDIT.EXE. This will pop up a menu. Select Rename.
Type: REGEDIT.COM. This should rename the file to REGEDIT.COM.
Double-click on this program REGEDIT.COM.
Modify the following Registry value:
HKEY_CLASSES_ROOT\exefile\shell\open\command

and change

"C:\WINNT\SYSTEM32\winsvrc.vxd "%1" %*

to

"%1" %*

For clarity, these seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.

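Delete the registry key:
HKEY_CURRENT_USER\Software\Navidad

Restart your computer.
Using Windows Explorer, delete the \WINNT\SYSTEM32\winsvrc.vxd file.

Level 4 computer worm: W32.Navidad Christmas worm

Symantec Taiwan urges users not to open the executable attachment Navidad.exe.
Users can download the latest virus definitions and the fix tool from the Symantec website.

Worm name: W32.Navidad Christmas worm

Worm threat level: 4

Christmas has not yet arrived, but a worm named after the Spanish word for Christmas (Navidad) is already spreading around the world. According to the Symantec AntiVirus Research Center (SARC), the W32.Navidad Christmas worm has a threat level as high as 4. It spreads by email and automatically changes mail attachments to Navidad.exe; opening the Navidad.exe file leaves the computer system unable to start and all applications unable to run. The virus is currently spreading rapidly in Spanish-speaking countries. No serious outbreak has been reported in Taiwan so far, but Symantec urges users to be careful with every email that carries an attachment and, whatever the subject line, not to open any executable named Navidad.exe. Symantec already has virus definitions available for download, and users who are already infected can download the fix tool online: www.sarc.com

Worm characteristics:
Once this worm is opened and run, it automatically copies the subject of the original email, changes the attachments of all messages in the inbox to NAVIDAD.exe, and automatically replies to each message's sender. Users therefore receive infected messages with differing subjects, but the attachment is always the same NAVIDAD.EXE file. Once NAVIDAD.EXE is run, the computer displays a series of Spanish text and the system is damaged. In addition, the worm plants a file named winsvrc.exe in the system and makes every Windows executable call this program when it runs.

Impact of the worm:
This worm leaves the infected computer's system unable to start, and no applications can run.

According to the Symantec SARC worm threat index, the Navidad Christmas worm is currently rated level 4 (the SARC worm threat index has 5 levels, with level 5 the most severe). Worldwide, more than 1,000 computers and more than 10 companies/organizations have been infected so far.

Symantec Taiwan's recommendations and repair method:

Symantec detected the worm on November 7 and has provided virus definitions for download since then, so users who update their virus definitions regularly need not worry. Users who want to check for themselves whether they are infected can search the computer for an executable named winsvrc.exe; if it is present, the computer is infected. Symantec Taiwan recommends that users go to the Symantec AntiVirus Research Center website, www.sarc.com, and download the W32.Navidad Fix Tool to repair the damaged system. Once the fix tool has been run, all computer systems and programs can operate normally.

In addition to continuing to provide the latest news, Symantec Taiwan refers readers to the following site for more information:
http://www.symantec.com/avcenter/venc/d ... vidad.html

[This post was edited by ASKA on 11-14-2000 09:11 PM]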
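As an added example (not part of the original post and not Symantec's tool), this Python sketch checks a REGEDIT4 export for the three registry traces the post lists: the modified exefile open command, the Win32BaseServiceMOD Run value, and the Navidad key. The sample exports, the Run value's data and all function names are constructed for illustration.

```python
import re

EXPECTED_OPEN_CMD = '"%1" %*'       # the seven characters the post says to restore
RUN_VALUE = "win32baseservicemod"   # Run value named in the post, compared lowercased

# Constructed sample exports; the Run value's data is a made-up placeholder.
SAMPLE_INFECTED = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\winsvrc.vxd \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\PLACEHOLDER\\constructed.exe"
[HKEY_USERS\.DEFAULT\Software\Navidad]
'''
SAMPLE_CLEAN = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values in a .reg export."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def find_navidad_traces(text):
    """List (reason, key, data) for each registry trace the post describes."""
    findings = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        cmd = values.get("@")   # "@" is the key's default value
        if low.endswith(r"\exefile\shell\open\command") and cmd not in (None, EXPECTED_OPEN_CMD):
            findings.append(("exefile open command modified", key, cmd))
        for name, data in values.items():
            if low.endswith(r"\currentversion\run") and name.lower() == RUN_VALUE:
                findings.append(("Run value present", key, data))
        if low.endswith(r"\software\navidad"):
            findings.append(("Navidad key present", key, ""))
    return findings
```

Calling `find_navidad_traces(SAMPLE_INFECTED)` returns three findings, while the clean export returns an empty list; any open command other than `"%1" %*` is flagged, so the check also catches handlers changed by something other than this worm.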
Guest

Post by Guest »

Quite a few got infected at the company...
Guest

Post by Guest »

This virus really is nasty. Luckily I reacted quickly: as soon as I saw an extra icon in the system tray I shut down right away. But some colleagues at the company still got infected, unfortunately... Half of yesterday was spent on this.

People who write viruses are truly despicable.