Tuesday, December 27, 2011

Merry Christmas Virus

The Merry Christmas virus is an email worm that started to emerge before Christmas of 2004. The worm spread via electronic mail as a small, executable file with a variety of names and extensions. The worm propagated by copying itself onto local and networked drives, as well as emailing itself as an attachment to any addresses it could harvest from the address book and files stored on the infected machine.
When executed, an infected file copies itself into the Windows system directory and adds itself to the registry, disguised under the name “NortonUpdate.exe.” The registry entry ensures that a copy of the worm is launched each time the infected machine is booted. The worm also creates files in the system directory to store the email addresses it harvests from the Windows address book, text documents, web pages, emails and mailboxes on the machine.

Infected email messages are sent in a variety of languages depending on the geographical location of the recipient’s domain name. The messages arrive with the subject “Merry Christmas!” and body “Happy Holidays!” in the corresponding language. The attachment has the name “postcard” in the particular language, followed by a long string of random characters that obscure an executable extension.
The seemingly harmless text lures victims into downloading the attached file that is disguised as a holiday postcard.
Besides replicating furiously, the worm also opens a backdoor on infected systems that provides unauthorized remote access by malicious parties. This allows attackers full access to any stored personal information, along with the ability to download and launch files remotely on a victim’s machine. Furthermore, the worm bypasses installed security measures such as firewall or antivirus programs by overwriting their application files with an infected executable. Thus, while an email message may appear harmless, even one execution of an infected attachment can cause significant damage that is difficult to reverse.
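
A mail-filter check for the attachment naming described above, written as an added example that is not part of the original post or taken from any analysis of the worm: it flags attachments whose executable extension sits behind a long filler string and, going slightly beyond the text, behind a decoy extension. The extension list, the 40-character threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage, Message

# Assumed for this example: extensions Windows runs directly, and a stem-length
# limit chosen for illustration (long stems push the extension out of view).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
MAX_STEM_LEN = 40
DECOY_EXT = re.compile(r"\.(jpe?g|gif|bmp|txt|html?|doc)$", re.IGNORECASE)


def suspicious_attachments(msg: Message):
    """Return [(filename, [reason, ...])] for attachments whose name hides an executable."""
    findings = []
    for part in msg.walk():
        raw_name = part.get_filename()
        if not raw_name:
            continue
        # Windows drops trailing dots and spaces, so "x.exe ." still runs as x.exe.
        name = raw_name.rstrip(" .")
        stem, dot, ext = name.rpartition(".")
        if not dot or ("." + ext.lower()) not in EXECUTABLE_EXTS:
            continue
        reasons = ["executable-extension"]
        if len(stem) > MAX_STEM_LEN:
            reasons.append("long-filler-before-extension")
        if DECOY_EXT.search(stem):
            reasons.append("decoy-extension")
        findings.append((raw_name, reasons))
    return findings


def build_sample(filename: str) -> EmailMessage:
    """Constructed message: subject and body as quoted on the page, harmless payload."""
    m = EmailMessage()
    m["Subject"] = "Merry Christmas!"
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m.set_content("Happy Holidays!")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m


if __name__ == "__main__":
    padded = "postcard" + "x7Qk2" * 10 + ".exe"  # constructed filler, not a real sample
    for name in (padded, "postcard.jpg", "postcard.jpg.scr"):
        print(name, "->", suspicious_attachments(build_sample(name)))
```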

 
