The truth about the recently discovered Internet-worm
Cambridge, UK, January 16, 2001 - Kaspersky Lab Int., an international data-security
software-development company, during the past few days, has received many requests
from customers regarding the numerous publications in mass media about the recently
discovered, extremely dangerous Internet-worm "Davinia."
"Davinia" spreads via e-mail using the popular MS Outlook e-mail
program. The worm uses a very sophisticated way of penetrating into a user's
computer. This process consists of two parts: firstly, an e-mail message is
delivered to a target computer, with this message containing a script program
that automatically opens an additional Internet Explorer window after a message
is read, and initiates a connection to the hacker's Web site. The virus contains
another script program that opens a Word document, located on the same site,
and this document contains a macro-virus that, unbeknownst to the user, switches
off the MS Word built-in anti-virus protection; so the user sees no warning
about macros in the opened documents. To do this, the virus exploits the "Office
2000 UA Control Vulnerability" discovered earlier in May 2000.
Following this, the worm gains access to MS Outlook, enumerates the e-mail
addresses from the local address book, and sends out an e-mail message with
a link to the Web site as described above to all recipients.
Therefore, the virus part of the worm is presented only on the remote Web site,
while target computers receive only a link to this site.
"Davinia" has a very destructive payload: it replaces all the files
located on all local hard disks with a file that shows the following dialogue
box when started:
"At this time, we haven't received any reports of this worm being found
'in-the-wild.' Moreover, we are quite sure that 'Davinia' poses absolutely no
threat, simply because the Web site that is used to penetrate into a user's
computer is shut down right after the worm has been discovered," said Denis
Zenkin, Head of Corporate Communications for Kaspersky Lab.
However, it is possible other modifications of the worm may appear in the very
near future, using other Web sites for their malicious purpose. Thus, we recommend
users immediately install a patch for MS Office that remedies the described
breach exploited by the "Davinia" virus. You can download the patch
for free from the Microsoft Web site here.
"However, this incident shows a very alarming trend, when virus writers
often refuse to use the commonly exploited methods of penetrating into computers
by pretending to be a very interesting and useful utility, such as the 'MTX'
or 'Navidad' worms do. Today, we see more and more malicious code exploiting
security breaches in different applications and operating systems. This makes
timely installation of security patches crucial for both home and corporate
users," added Denis Zenkin.
Protection against the "Davinia" worm already has been added to the daily update
of Kaspersky Anti-Virus (AVP).
More details about the worm are available on Kaspersky's
Kaspersky Anti-Virus (AVP) can be purchased at the Kaspersky
Lab online store.