Symantec United States
 global sites
products
purchase
service and support
security updates
downloads
about symantec
search
feedback


©1995-2008 Symantec Corporation.
All rights reserved.

Legal Notices
Privacy Policy
security updates

VBS.Davinia

Category 1
Discovered on: January 13, 2001
Last Updated on: August 09, 2006 03:09:19 PM


VBS.Davinia is an email worm that mails everyone in the Outlook address book an HTML message. This worm currently will not operate properly due to the removal of a webpage the worm attempts to access. The message has no subject line and appears blank, but contains HTML code which launches Internet Explorer to download and open a Word 2000 document. The Word 2000 document contains a macro which performs the mass mailing using Outlook and also creates a VBS (Visual Basic Script) file on the system. The VBS file is executed after restarting the computer. The VBS file finds all files on the local and mapped drives and overwrites and renames these files potentially corrupting the system.

The infectious Word 2000 document no longer exists on the web server and thus, the worm will no longer operate properly. The worm will also not work properly if one has patched a security bug in Microsoft Office 2000 products. More information regarding this security hole can be found at http://www.microsoft.com/technet/security/bulletin/ms00-034.asp

The Word 2000 document is detected as W2KM.Davinia.A
The VBS file is detected as VBS.Davinia
The overwritten files are detected as HTML.Davinia.dam
The email HTML is detected as HTML.Davinia


Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

protection
  • Virus Definitions (Intelligent Updater)

    • January 16, 2001

    threat assessment

    Wild

    Threat Metrics
    Low Low Low

    Wild:
    Low

    Damage:
    Low

    Distribution:
    Low

    technical details

    The worm arrives as an HTML email. The subject and the body appear blank. The worm can only properly operate if one is using Microsoft Outlook without the Office 2000 UA Control patch. When reading the message, the HTML code will launch Internet Explorer. Internet Explorer will download and open a Word 2000 document.

    The Word 2000 document contains a macro which creates the file

    <Windows System>/littledavinia.vbs

    and adds the registry keys

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\littledavinia = <Windows System>\littledavinia.vbs

    causing the file to be executed on the next startup.

    The macro then send an HTML email to all the users in the address book used by Outlook. These users are marked in the registry so, they are not mailed again.

    When restarting, the VBS file is executed. The VBS file modifies the start page of Internet Explorer and creates the registry key

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Davinia = littledavinia.html

    Next, the worm searches for all files on local and mapped drives and renames them from FILENAME.EXT to FILENAME.EXT.HTML and overwrites the file with HTML code. The HTML code displays the message box:



    This message box is customized depending on ones Full Name and Email Address stored by Outlook.
    The worm also creates the file

    <Window System>\littledavinia.html

    with the same code. This will be executed on the next restart.

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

    removal instructions


    1. Remove registry keys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\littledavinia = <Windows System>\littledavinia.vbs
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Davinia = littledavinia.html
    2. Delete all detected files.
    3. Replace overwritten files from backup. Customers using Norton Protected Recycle Bin will be able to recover files.


    Write-up by: JP Duan and Eric Chien