This is a summary of Computer Virus Incident Reports  for April 2000, compiled by IPA: Information-technology Promotion Agency (President: Kengo Ishii).

Total number of reports: 476 (490 in March, 1,841 from January to April 2000.)
[341 in April 1999, 3,645 for the year 1999 (monthly average of 304), 1,245 from January to April 1999.]
[Cumulative number of reports from April 1990 to April 2000 is 13,683]

Circumstances:
Email virus stays at the top of the prevalence table. Strict anti-virus measures should be taken such as using anti-virus software when opening the attachment files. 29 kinds of virus were reported in April. Most frequently reported viruses are W32/PrettyPark with 139 reports (101 last month), followed by XM/Laroux with 93 reports (93 last month). There were 4 kinds of new viruses reported to IPA: W97M/Panther, X97M/Sugar, Wscript/KakWorm, and VBS/Tune.Email was the most common source of virus with approximately 94% of total reports, including both domestic and overseas emails, and excluding unknown cases.

(1) Email virus

W32/PrettyPark was most prevalent with 139 reports (IPA received the first report of this virus in September 1999 with 18 reports, then 31 reports in January 2000, 37 in February, and 101 in March.)

This virus spreads via email by accessing email addresses in the email client address book and sending infected messages to all of them as an email attachment. This routine is done automatically and unknowingly to the infected users, leaving them responsible for spreading viruses, so users should be very careful when dealing with these types of email viruses. If you receive an attachment file called "Prettypark.exe", please delete it immediately without executing it even if it is from people you know well. Senders of the infected emails most likely don't know that they are infected. In that case it is important to let them know that they are infected by viruses.

VBS/LOVELETTER, another kind of email virus, is found first time in May 2000. We will expect to see more email viruses in the future, so you should pay special attention when handling attachment files.

The best solution to avoid infection by email virus is, " do not execute the attachment without checking its content." Here are some steps you should take before executing the attachment:
a) Scan the file with an updated antivirus program
b) Ask sender about the contents of the attachment

For more information on VBS/LOVELETTER, please see http://www.ipa.go.jp/security/
You can see the list of email viruses and brief explanation here.

(2) Hardware damages by W32/CIH

There were 18 reports of W32/CIH which infects Windows EXE files (IPA received the first report of this virus in August 1998 with 4 reports, then 75 reports in April 1999, 17 in January 2000, 7 in February, and 13 in March.) This virus has a destructive payload: it tries to overwrite the hard disk on April 26th (one of the payload dates). A report came from an educational institute saying that their 119 PCs were infected by W32/CIH, including 89 PCs with damaged hard disks. Between April 26th and 28th this year, IPA virus emergency call center received about 20 inquiries regarding the machines damaged on April 26 or being unable to boot the machine.

The total number of CIH reports and inquiry this year is approximately 1/5 of that of 1999, but we still receive reports of damaged hardware that seems to be the result of CIH virus. This problem could have been avoided if antivirus program was properly used and files were checked before the payload dates. W32/CIH has variants that activate on June 26th or every 26th of the month. Therefore daily antivirus practice becomes very important. Maybe now is a good time to do thorough virus check and to make sure if your antivirus system works in most protective way.

For questions, please contact

Prevalence Table - April 2000

There were 29 kinds of viruses reported during April. Most frequently reported virus was W32/PrettyPark (139 reports.) 4 kinds of new viruses, W97M/Panther, X97M/Sugar, VBS/Tune and Wscript/KakWorm (marked with a "*" sign), were reported to IPA for the first time.
(Macro and Script viruses: 219 reports, Windows and DOS viruses: 257 reports)

Macro Virus		No. of report
1	XM/Laroux	93
2	W97M/Marker	31
3	W97M/Class	15
4	W97M/X97M/ P97M/Tristate	12
5	W97M/Ethan	9
6	W97M/Melissa	8
7	X97M/Divi	5
8	W97M/Pri	3
9	W97M/Thus	3
10	WM/Cap	3
11	W97M/Locale	1
12	W97M/Panther (*)	1
13	W97M/X97M/Jerk	1
14	W97M/X97M/Shiver	1
15	WM/MDMA	1
16	X97M/Sugar (*)	1
17	XM/VCX.A	1

Script virus		No. of report
18	VBS/Freelink	25
19	Wscript/KakWorm (*)	4
20	VBS/Tune (*)	1

Windows, DOS virus		No. of report
21	W32/PrettyPark	139
22	W32/Ska	76
23	W32/CIH	18
24	W32/Fix2001	12
25	AntiCMOS	5
26	Form	3
27	W32/Funlove	2
28	Parity_Boot	1
29	Empire.Monkey	1

Macintosh Virus
	-

Note)
In the "Name of Virus" column:
XM stands for ExcelMacro virus that works on MSExcel 95 and 97.
W97M stands for Word97 Macro virus that works on MSWord 97.
W97M/X97M/P97M stands for Word97Macro/Excel97Macro/PowerPoint97Macro virus which works on MSWord 97, MSExcel 97 and MSPowerpoint 97.
X97M stands for Excel97 Macro virus that works on MSExcel 97
WM stands for WordMacro virus that works on MSWord 95.
W32/ stands for virus that works under Windows32.
VBS/ stands for virus written in VisualBasicScript.
Wscript stands for virus that works under Windows Scripting Host (WSH) excluding VBS.

Computer Virus Incident Reports for April, 2000(full report)