Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

VBS/Davinia.A

Aliases: W2000M/Davinia.A, HTML/Davinia.A

VBS/Davinia.A is a  worm consisting of three different components.  It is spread via the email client Microsoft Outlook.  It contains an HTML document spread via email, HTML pages, and a document in the format DOC for Word2000.  The worm arrives on computer as an email message in HTML format containing a script.  Opon opening the email the script opens new browser windows with a page located on http://www.terra.es/usuarios/personal2/sergill.  In the email body, in one of the HTML META tags, there is the following text:

Onel 2 virus programmer / Melilla, Espana / 25 Diciembre 2000

Opon opening this no longer existing web-page another script is run.  It opens a document with name ld.doc in the program Microsoft Word, located at the same internet address. The functioning of this worm fully depends on the existence of its related internet page.  The document which the worm opens contains a macro named littledavinia.  This macro is executed when the document is opened.  The macro creates the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\littledavinia in the system registry.  By that it ensures activation of the file littledavinia.vbs which it had created in the system directory of Windows (e.g. C:\Windows\System) and modifies the system registry to execute the file after each system restart.  After creating that  file it then sends email messages to all addresses from the Outlook address book.  Upon activation of the file littledavinia.vbs all files will be irretrievably destroyed – they will be overwritten by the HTML code which repeatedly displays the following note:

 

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.