Navidad

I had a report of a TCS member catching the Navidad Virus. According to the reports I have seen, it seems it targets Outlook rather than Outlook Express, and I think most of our members use Outlook Express, but since one member appears to be affected I wanted to mention it.

Finally, the worm places a blue eye icon in the system tray of the taskbar. When the mouse pointer is over the icon, the worm displays a yellow dialog box that states:

Lo estamos mirando...
(In English: We are watching it...)

When you click the icon, a dialog box with a button appears. The button contains the following text:

Nunca presionar este boton
(In English: Never press this button)

If the user presses the button, an error box with the title

Feliz Navidad
(In English: Merry Christmas)

displays the message

Lamentablemente cayo en la tentacion y perdio su computadora
(In English: Unfortunately you've fallen to temptation and have lost your computer).

If you close the dialog box by clicking the X instead of clicking the button, the following message appears:

buena eleccion
(In English: Good selection).

and exits. Despite the warning of losing the computer, no further changes are made to the system.

Another Christmas-oriented virus is W32.Music, which arrives as an e-mail with a music file attached. The attachment accesses files found in Visual Basic Runtime 5, which are preinstalled on Windows 98 systems. The worm currently does not contain a dangerous payload but has the ability to update itself via the Internet.

How It Works
W32.Music arrives as an e-mail with the following information:

To: To all my friends

From: Test Mail

Subject: Testing to send file

Body: Hi, just testing email using Merry Christmas music file, not bad music.

Attachment: Music.com, Music.zip, or Music.exe

Users who click on the attachment will infect their computers if Visual Basic Runtime 5 files are present. The worm will display a window that reads "Merry Christmas" while playing a MIDI file rendition of "We Wish You A Merry Christmas." The worm will also alter a user's default browser page when first accessing the Internet. Music will then attempt to connect to the Internet to download updated versions of itself. Once updated, the worm will attempt to copy itself to all e-mail addresses found in .WAB (Windows Address Book) and .DBX files. The worm also alters the system registry file.
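As an added example (not part of the original alert), here is a mail-filter check in Python that matches the W32.Music message fields listed above. The function names, the sample addresses, and the rule that a listed attachment name must coincide with one other indicator are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the alert text above; matching is case-insensitive.
SUBJECT = "testing to send file"
SENDER_NAME = "test mail"
BODY_PHRASE = "merry christmas music file"
ATTACHMENT_NAMES = {"music.com", "music.zip", "music.exe"}

def score_message(raw: bytes) -> dict:
    """Report which of the alert's W32.Music indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        "subject": str(msg["Subject"] or "").strip().lower() == SUBJECT,
        "sender": SENDER_NAME in str(msg["From"] or "").lower(),
        "body": False,
        "attachment": False,
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Tolerate a trailing dot or space in the attachment name.
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        if name:
            hits["attachment"] |= name in ATTACHMENT_NAMES
        elif part.get_content_type() == "text/plain":
            hits["body"] |= BODY_PHRASE in part.get_content().lower()
    return hits

def is_suspect(raw: bytes) -> bool:
    """Flag only when a listed attachment name coincides with another indicator."""
    hits = score_message(raw)
    return hits["attachment"] and (hits["subject"] or hits["sender"] or hits["body"])

def build_sample(subject, sender, body, filename=None) -> bytes:
    """Constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "member@example.org", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    alert_like = build_sample("Testing to send file", "Test Mail <sender@example.org>",
        "Hi, just testing email using Merry Christmas music file, not bad music.",
        "Music.exe")
    print(score_message(alert_like), is_suspect(alert_like))
```

Requiring the attachment name plus a second indicator keeps an ordinary file that happens to be called Music.zip from being flagged on its own.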

Forget plain-text e-mail with malicious attachments. W32.BleBla (alias MyRomeo, MyJuliet, Verona) hails from Poland and automatically executes upon previewing or reading the infected HTML-enhanced e-mail. At present, this worm does not carry a destructive payload; however, it can connect to the Internet and therefore might download a new and more dangerous payload at any time.

Tulsa Computer Society
Don Singleton, President
djs@ionet.net