Davinia is an Internet worm, that is able to spread without an
attachment. Instead, the worm attempts to connect to a web site and
download part of its code.
There were widespread warnings on this virus in January 2001, but
the virus did not spread in large scale. F-Secure has not received
any direct infection reports caused by this virus.
Once a user opens an infected HTML message, the script embedded into
message executes. The infected message open six Internet Explorer
browser windows that point to two different sites.
However, these sites have been disabled and therefore the worm is not
likely to be widely spread.
These web sites contained a code that uses a vulnerability to execute
Word 2000. It needs this to open a Word document that it downloads
from the same web site.
The document drops a Visual Basic script file "littledavinia.vbs" to
the Windows System directory and adds this to the registry in a such
way that it will be executed in the next time when the system is
restarted.
Next the macro code in the document mass mails (send) infected HTML
messages using Outlook to each recipient in each address book.
These messages does not contain subject or visible body.
Next time when the system is restarted, the script file
"littledavina.vbs" activates its payload. It searches all fixed and
network driver, including subdirectories, and attempts to overwrite
every file with a HTML file that shows the following message box when
opened:
Further information and a fix for the vulnerability that the worm uses
is available from Microsoft:
![](/images/pixel.gif"){kind=tracking}
