Users can be initially infected by this worm by either browsing an infected website or reading an infected HTML email that would attempt to browse an infected website.
The infected website contains code that exploits the Microsoft "Office 2000 UA Control" Vulnerability.
This vulnerability allows websites to run Word macros silently. If macros are allowed to run a Visual Basic Script is dropped that will attempt to overwrite the files in subdirectories of all local and remote network drives.
In addition to a VBS component (detected as VBS/Davinia-A), this worm includes a JavaScript component, detected as JS/Davinia-A, and a Microsoft Word component detected as WM97/Davinia-A.