Email-Worm.VBS.Davinia

Class Email-Worm
Platform VBS
Description

Technical Details

This internet worm spreads via e-mail messages using MS Outlook and MS Word
2000.

The worm arrives on a computer as an e-mail message in HTML format. The message subject
and body are empty, but the message contains a script in Spanish that is executed
automatically when the message is displayed. The script opens a new browser window and
downloads a page from the worm’s Internet site.
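
A mail-gateway heuristic for the message shape described above (empty subject, no visible body text, an embedded script), given as an added example that is not part of the original description. The function name, the sample messages, the addresses and the URL are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser


class _HtmlScan(HTMLParser):
    """Collects visible text and notes whether any <script> element is present."""
    def __init__(self):
        super().__init__()
        self.in_script = self.has_script = False
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = self.has_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if not self.in_script:  # script source is not text the reader sees
            self.visible.append(data)


def is_blank_scripted_mail(raw):
    """True when subject and visible body are empty but the HTML carries a script."""
    msg = message_from_string(raw, policy=policy.default)
    if (msg["Subject"] or "").strip():
        return False
    scan = _HtmlScan()
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content().strip():
            return False  # a readable plain-text part is present
        if part.get_content_type() == "text/html":
            scan.feed(part.get_content())
    scan.close()  # flush any buffered trailing text
    return scan.has_script and not "".join(scan.visible).strip()


# Constructed sample messages (hypothetical addresses and URL).
SUSPECT = (
    "From: a@example.invalid\nTo: b@example.invalid\nSubject:\n"
    "MIME-Version: 1.0\nContent-Type: text/html; charset=us-ascii\n\n"
    "<html><body><script language=\"VBScript\">"
    "window.open \"http://example.invalid/page\"</script></body></html>\n"
)
BENIGN = SUSPECT.replace("Subject:", "Subject: Minutes").replace(
    "<body>", "<body><p>See the attached notes.</p>")
print(is_blank_scripted_mail(SUSPECT), is_blank_scripted_mail(BENIGN))
```

A hit is a reason to quarantine the message for review rather than proof of infection, since legitimate HTML mail occasionally ships with an empty subject.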

The loaded page contains another script that opens a Microsoft Word document
with macros, hosted on the same site. To avoid a macro-virus protection warning,
the worm exploits the “Office 2000 UA Control” vulnerability, which allows the script to
disable the Microsoft Word 2000 macro-virus protection without the user’s
confirmation. (For more information about the “Office 2000 UA Control”
vulnerability, see:
http://www.microsoft.com/technet/security/bulletin/ms00-034.asp)

The macro in the Microsoft Word document executes automatically when the document is opened.
It gains access to Microsoft Outlook, extracts addresses from the Outlook address
book, and sends e-mail messages to them. The sent messages are the same as the one
described above; thus the worm itself (the macro in the document) always stays in
one place: on the Internet site. The sent messages contain only links to this site, so
if the worm’s site becomes inaccessible, the worm can no longer spread.

The worm has a dangerous payload routine: after sending messages, the macro
creates a file named “littledavinia.vbs” in the Windows system directory and
modifies the system registry to execute this file upon each Windows startup. The script
in this file destroys all data on all disks: it overwrites all files with
an HTML page. Upon activation, the page displays the following message:

VBScript: Onel2 - Melilla
Hola, tu nombre es [user name].
Tu email es [user's e-mail address].
Yo soy Onel2, y vivo en Melilla
una ciudad del norte de Africa.
Estoy enamorado de una chica llamada Davinia.
Ella es la mas guapa del mundo.
Es como una diosa.
Igual que yo me contagie de amor
de Davinia, tus archivos se van a
contagiar de amor de esta pagina
Davinia(chica) y Davinia(virus) rompen corazones y archivos.
littledavinia version 1.1 esta en camino... 

 [Abort] [Retry] [Ignore]

Microsoft has released an update eliminating the “Office 2000 UA Control”
vulnerability. We strongly recommend you visit
http://officeupdate.microsoft.com/2000/downloadDetails/Uactlsec.htm
and install this update.