Getting rid of the Emanuel Virus (a derivative of Navidad)

W32.Navidad.16896

Discovered on: November 28, 2000
Last Updated on: December 4, 2000 7:19:16 PM PST

W32.Navidad.16896 is a mass mailing worm program that is very similar to W32.Navidad. The worm spreads via Microsoft Outlook, using MAPI to reply to all Inbox messages that contain a single attachment.

The worm utilizes the existing email subject line and body, and attaches itself as Emanuel.exe.

To remove W32.Navidad.16896 (on a Windows 95/98 system):

  1. On the Windows taskbar, click Start > Programs > MS-DOS Prompt. The command prompt will display the current directory, which should be the Windows directory. In most cases that will be displayed as:

    C:\WINDOWS>

  2. Type ren REGEDIT.EXE REGEDIT.COM.

  3. Press Enter.

  4. Type REGEDIT.

  5. Press Enter.

  6. Modify the following Registry value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

    and change

    "C:\WINDOWS\SYSTEM\wintask.exe "%1" %*

    to

    "%1" %*

    For clarity, these seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space.

  7. Delete the following registry keys:

    HKEY_USERS\.DEFAULT\Software\Emanuel

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32BaseServiceMOD

  8. Restart your computer.

  9. Using Windows Explorer, delete the \WINDOWS\SYSTEM\Wintask.exe file.

Hope this helps.

Wouldn't you love to get a hold of the mongrel(s) who creates these bloody things!!!

 

Postscript:

Check your e-mailer Outbox.

I just discovered almost 1900 messages sitting in the outbox.

Seems like it made copies of everything, and in some cases two or three copies of incoming mail.

Clean out your outbox!
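
A way to confirm that steps 6 and 7 of the removal procedure took effect, given as an added example that is not part of the original post or the vendor write-up: it reads a REGEDIT4 text export of the registry and reports which of those steps are still outstanding. The function names and both sample exports are constructed for illustration.

```python
import re
# Indicators taken from steps 6 and 7 of the removal procedure.
EXE_CMD = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_NAME = "Win32BaseServiceMOD"
WORM_KEY = r"HKEY_USERS\.DEFAULT\Software\Emanuel"
CLEAN_CMD = '"%1" %*'  # the seven characters from step 6

def parse_reg(text):
    """Parse REGEDIT4 export text into {lowercased key: {value name: string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            m = re.fullmatch(r'"(.*)"', data)
            if m:  # string values only; dword:/hex: data is skipped
                name = "" if name == "@" else name.strip('"')
                # Undo the export's \\ and \" escaping.
                current[name.lower()] = re.sub(r"\\(.)", r"\1", m.group(1))
    return keys

def remaining_steps(text):
    """Return the removal steps that the export shows are still outstanding."""
    keys, todo = parse_reg(text), []
    cmd = keys.get(EXE_CMD.lower(), {}).get("")  # "" is the (Default) value
    if cmd != CLEAN_CMD:  # also fires when the key is missing from the export
        todo.append("step 6: exefile open command is %r" % cmd)
    # The page calls the Run entry a key; accept it as a value or a subkey.
    if (RUN_NAME.lower() in keys.get(RUN_KEY.lower(), {})
            or (RUN_KEY + "\\" + RUN_NAME).lower() in keys):
        todo.append("step 7: Run entry %s present" % RUN_NAME)
    if any((k + "\\").startswith(WORM_KEY.lower() + "\\") for k in keys):
        todo.append("step 7: Emanuel key present")
    return todo

# Constructed sample exports (not captured from a real machine).
INFECTED = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\wintask.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="<constructed>"
[HKEY_USERS\.DEFAULT\Software\Emanuel]'''
CLEANED = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"'''

if __name__ == "__main__":
    print(remaining_steps(INFECTED), remaining_steps(CLEANED))
```

The export does not cover step 9, so the Wintask.exe file still has to be checked on disk.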