This internet worm spreads via e-mail messages using MS Outlook and MS Word
The worm arrives on computer as an e-mail message in HTML format. The message subject
and body are empty, but there is a message script in Spanish, which automatically
is executed when the message is displayed. It opens a new browser window and downloads
a page from the worm’s Internet site.
The loaded page contains another script that opens a Microsoft Word document
with macros placed on the same site. To avoid a macro-virus protection warning,
the worm exploits the “Office 2000 UA Control” vulnerability, and allows the script to
disable the Micorsoft Word 2000 macro-virus protection without a user’s
confirmation. (For more information about “Office 2000 UA Control”
The macro in the Microsoft Word document automatically executes upon document opening.
It gains access to Microsoft Outlook, extracts addresses from the Outlook address
book, and sends e-mail messages to them. Sent messages are the same as aforementioned, thus, the worm itself (macro in the document) is always placed at
the same area – on the Internet site. Sent messages contain links only to this site, and in case the worm’s site becomes inaccessible, the worm can no longer
The worm has a dangerous payload routine: after sending messages, the macro
creates a system directory file in Windows named “littledavinia.vbs”, and
modifies the system registry to execute this file upon each Windows startup. The script
in this file destroys all data on all disks – it overwrites all files with
an HTML page. Upon activation, the page displays the following message:
Microsoft has released an update eliminating the “Office 2000 UA Control”
vulnerability. We strongly recommend you visit
and install this update.