Threat Descriptions

LittleDivina

Classification

Category :

Malware

Type :

-

Platform :

-

Aliases :

LittleDivina

Summary

LittleDivina is an Internet worm, that is able to spread without an attachment. Instead, the worm attempts to connect to a web site and download part of its code.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:LittleDivina.A

Once a user opens an infected HTML message, the script embedded into message executes. The infected message open six Internet Explorer browser windows that point to two different sites.

However, these sites have been disabled and therefore the worm is not likely to be widely spread.

These web sites contained a code that uses a vulnerability to execute Word 2000. It needs this to open a Word document that it downloads from the same web site.

The document drops a Visual Basic script file "littledivina.vbs" to the Windows System directory and adds this to the registry in a such way that it will be executed in the next time when the system is restarted.

Next the macro code in the document mass mails (send) infected HTML messages using Outlook to each recipient in each address book.

These messages does not contain subject or visible body.

Next time when the system is restarted, the script file "littledavina.vbs" activates its payload. It searches all fixed and network driver, including subdirectories, and attempts to overwrite every file with a HTML file that shows the following message box when opened:

Further information and a fix for the vulnerability that the worm uses is available from Microsoft:

https://www.microsoft.com/technet/security/bulletin/ms00-034.asp