Lumbering viruses infect PCs worldwide

Neither Hybris nor Navidad are considered dangerous, but the slow-spreading viruses are a nuisance nevertheless

Two new computer viruses are making a nuisance of themselves this week. Navidad, which has arrived just in time for the holiday season, first made the rounds Friday but Tuesday was described as a high risk by the US Army.

The other, Hybris, is regarded as a low risk by most antivirus firms. But it has sent spam to the virus research newsgroup, garnering attention from antivirus researchers.

Both viruses infect users the most common way -- by tricking them into opening an attachment. Navidad was first discovered on 3 November, but infection reports started trickling in late last week. On Friday, McAfee raised Navidad's risk rating to "medium on watch" because of the number of infections.

A spokesperson for McAfee said Tuesday that only a few infections had been reported by corporations since Monday, but added that the US Army had just raised its risk assessment to "high", probably because it has experienced several infections.

"This seems to be a virus that slowly but methodically made its way around," said Mary Landesman, product marketing manager for computer security firm InDefense. "It will be a virus that maintains a steady presence. But the spread isn't happening fast enough to create a big media response."

Patrick Martin, program manager of Symantec's AntiVirus Research Centre, says his firm has received several hundred submissions of the virus from clients in the past few days. Because the spreading mechanism is slow, the virus hasn't made its way around the Internet as fast as the Melissa virus or the "Love Bug". But infections have continued to arrive at a slow, steady rate.

"I think of it as a tank as opposed to a rocket," he said. Navidad only impacts computers running Microsoft Windows and Outlook, but it can infect any flavour of Windows.

Because the virus alters a PC's registry, it can prevent victims from running any software on their PC.

The virus arrives at its victim's computer masquerading as a reply to a message the victim has sent.

Navidad arrives with a familiar subject line and a single attachment "Navidad.exe". After infection, the worm scours the victim's inbox and replies to all messages with a single attachment, utilising the existing subject line but substituting the infected "Navidad.exe" attachment.

The program itself places an icon on the victim's computer. If the user clicks on it, then clicks on a button, the message "Feliz Navidad", which means "Merry Christmas" in Spanish, appears.

Navidad is not the only seasonal virus recently discovered. McAfee today reported finding "W32/Music", which after infection displays a window titled "Merry Christmas" and plays a rendition of "We Wish You A Merry Christmas". The program arrives with the subject line "Testing to send file", and the body of the message says: "Hi, just testing email using Merry Christmas music file, not bad music." The attachment is called

McAfee rates this bug a low risk because few infections have been found.

Hybris was first discovered in September and was determined to be a low-risk by antivirus researchers. But Moscow-based Kaspersky Lab announced Monday that it recently had seen a dramatic uptick in Hybris infection reports, saying the bug was "particularly active in Latin America although infections by this virus have also been found in Europe". The lab also claims there are now five variations of the bug.

Martin says Symantec has received about 100 submissions of the bug in recent weeks, and an increasing number of submissions over the past few days.

The virus is interesting because it can be updated using plug-in technology like that which is used by many Web browsers. Plug-ins can be added to software to increase functionality.

When Hybris infects a machine, it uses the alt.comp.virus newsgroup as a sort of central repository for plug-in code. Infected machines send the binary code for their plug-ins to the newsgroup, then scour the newsgroup for any new plug-ins. About 250 such messages were visible in the newsgroup Tuesday during an MSNBC review. Landesman said she was able to find about 2,000 similar messages.

"One could argue that the worm's payload is spamming alt.comp.virus," Landesman said.

Hybris arrives with random subject lines, content, and attachment names. In one sample received by Kaspersky, the note arrived from "" with a subject line "Snowhite and the seven Dwarfs -- The REAL Story!" The attachment was named "dwarf4you.exe". Despite this stealth, other antivirus firms still rate the bug a low risk because of a small infection rate.

"We've only gotten about a dozen calls on it so far," said a spokesperson for antivirus firm F-Secure. "It's a lower-than-medium-level worry. We're trying not to blow the whistle loud on this one."

Take me to the Virus Workshop

Take me to ZDNet Enterprise

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.