Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

VBS.Davinia

VBS.Davinia

Discovered:
13 January 2001
Updated:
13 February 2007
Systems Affected:
Windows


VBS.Davinia is an email worm that mails everyone in the Outlook address book an HTML message. This worm currently will not operate properly due to the removal of a webpage the worm attempts to access. The message has no subject line and appears blank, but contains HTML code which launches Internet Explorer to download and open a Word 2000 document. The Word 2000 document contains a macro which performs the mass mailing using Outlook and also creates a VBS (Visual Basic Script) file on the system. The VBS file is executed after restarting the computer. The VBS file finds all files on the local and mapped drives and overwrites and renames these files potentially corrupting the system.

The infectious Word 2000 document no longer exists on the web server and thus, the worm will no longer operate properly. The worm will also not work properly if one has patched a security bug in Microsoft Office 2000 products. More information regarding this security hole can be found at http://www.microsoft.com/technet/security/bulletin/ms00-034.asp

The Word 2000 document is detected as W2KM.Davinia.A
The VBS file is detected as VBS.Davinia
The overwritten files are detected as HTML.Davinia.dam
The email HTML is detected as HTML.Davinia

Antivirus Protection Dates

  • Initial Rapid Release version 16 January 2001
  • Latest Rapid Release version 23 March 2017 revision 037
  • Initial Daily Certified version 16 January 2001
  • Latest Daily Certified version 23 March 2017 revision 041
  • Initial Weekly Certified release date pending
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.


The worm arrives as an HTML email. The subject and the body appear blank. The worm can only properly operate if one is using Microsoft Outlook without the Office 2000 UA Control patch. When reading the message, the HTML code will launch Internet Explorer. Internet Explorer will download and open a Word 2000 document.

The Word 2000 document contains a macro which creates the file

<Windows System>/littledavinia.vbs

and adds the registry keys

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\littledavinia = <Windows System>\littledavinia.vbs

causing the file to be executed on the next startup.

The macro then send an HTML email to all the users in the address book used by Outlook. These users are marked in the registry so, they are not mailed again.

When restarting, the VBS file is executed. The VBS file modifies the start page of Internet Explorer and creates the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Davinia = littledavinia.html

Next, the worm searches for all files on local and mapped drives and renames them from FILENAME.EXT to FILENAME.EXT.HTML and overwrites the file with HTML code. The HTML code displays the message box:



This message box is customized depending on ones Full Name and Email Address stored by Outlook.
The worm also creates the file

<Window System>\littledavinia.html

with the same code. This will be executed on the next restart.



1. Remove registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\littledavinia = <Windows System>\littledavinia.vbs
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Davinia = littledavinia.html
2. Delete all detected files.
3. Replace overwritten files from backup. Customers using Norton Protected Recycle Bin will be able to recover files.

Writeup By: JP Duan