What's So Special About "Davinia"?

15 Jan 2001
Virus News

The truth about the recently discovered Internet-worm

Cambridge, UK, January 16, 2001 - Kaspersky Lab Int., an international data-security software-development company, during the past few days, has received many requests from customers regarding the numerous publications in mass media about the recently discovered, extremely dangerous Internet-worm "Davinia."

"Davinia" spreads via e-mail using the popular MS Outlook e-mail program. The worm uses a very sophisticated way of penetrating into a user's computer. This process consists of two parts: firstly, an e-mail message is delivered to a target computer, with this message containing a script program that automatically opens an additional Internet Explorer window after a message is read, and initiates a connection to the hacker's Web site. The virus contains another script program that opens a Word document, located on the same site, and this document contains a macro-virus that, unbeknownst to the user, switches off the MS Word built-in anti-virus protection; so the user sees no warning about macros in the opened documents. To do this, the virus exploits the "Office 2000 UA Control Vulnerability" discovered earlier in May 2000.

Following this, the worm gains access to MS Outlook, enumerates the e-mail addresses from the local address book, and sends out an e-mail message with a link to the Web site as described above to all recipients.

Therefore, the virus part of the worm is presented only on the remote Web site, while target computers receive only a link to this site.

"Davinia" has a very destructive payload: it replaces all the files located on all local hard disks with a file that shows the following dialogue box when started:

"At this time, we haven't received any reports of this worm being found 'in-the-wild.' Moreover, we are quite sure that 'Davinia' poses absolutely no threat, simply because the Web site that is used to penetrate into a user's computer is shut down right after the worm has been discovered," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab.

However, it is possible other modifications of the worm may appear in the very near future, using other Web sites for their malicious purpose. Thus, we recommend users immediately install a patch for MS Office that remedies the described breach exploited by the "Davinia" virus. You can download the patch for free from the Microsoft Web site here.

"However, this incident shows a very alarming trend, when virus writers often refuse to use the commonly exploited methods of penetrating into computers by pretending to be a very interesting and useful utility, such as the 'MTX' or 'Navidad' worms do. Today, we see more and more malicious code exploiting security breaches in different applications and operating systems. This makes timely installation of security patches crucial for both home and corporate users," added Denis Zenkin.

Protection against the "Davinia" worm already has been added to the daily update of Kaspersky Anti-Virus (AVP).

More details about the worm are available on Kaspersky's Virus Encylopedia.

Kaspersky Anti-Virus (AVP) can be purchased at the Kaspersky Lab online store.