Santa Claus leaves you a Trojan for Christmas

PandaLabs reports the appearance of a new Trojan, MerryX.A, which uses the theme of Christmas to distract users’ attention while infecting their computers. This Trojan, distributed in email messages, aims mainly at gathering information from the affected system.

Infection starts with arrival of an email with the subject “MERRY CHRISTMAS!”, and the text line: “Merry Christmas and a Happy New Year!”. This email includes two attached files: an animated GIF image called A_LIGHTSMC10.GIF, which shows the phrase “Merry Christmas” among bright lights, and a self-extracting RAR file which contains two files: a copy of the Trojan (called SQLServer.exe), and a Flash animation.

Whereas the GIF image does not infect the user’s computer, the self-extracting RAR file does trigger the infection process. As soon as the file is run, it opens the Flash file, which displays an animation accompanied by music, showing Santa Claus leaving presents in a Christmas tree against a red background, and runs the Trojan invisibly to users so that the computer becomes infected without the user realizing.

Once run, MerryX.A records information about the computer that -IP address, hardware data, etc- and sends it to a remote server. It also tries to download files from several web pages, which indicates that the Trojan could serve as an entry point for other malware specimens.

“MerryX.A is another example of malware taking advantage of the massive sending of Christmas cards during these dates”, says Luis Corrons, head of PandaLabs. “However, its actions must in no way be overlooked, as, besides serving as an entry point for other threats, theft of data from the infected computer can lead to impersonation of the attacked person’s identity, with terrible consequences”.

This is not the first time that malware creators use Christmas to spread its creations. Zafi.D, a worm that caused an Amber Alert last Christmas, tried to pass itself off as a Christmas card in several languages, and Maldal.C, which, in the same fashion as MerryX.A, made use of a Santa Claus postcard in Christmas 2003.

“Users are advised to take precautions with emails received during these dates, and only open messages from reliable sources”, warns Luis Corrons . “Unfortunately, this might not be the last Trojan of its kind that we see this Christmas, so it’s better to stay alert against this kind of seasonal threat”.

About PandaLabs

Since 1990, its mission has been to analyze new threats as rapidly as possible to keep our clients save. Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc), work 24/7 to provide global coverage. To achieve this, they also have the support of TruPreventâ„? Technologies, which act as a global early-warning system made up of strategically distributed sensors to neutralize new threats and send them to PandaLabs for in-depth analysis. According to, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to users (more info at

Don't miss