Computer Virus Incident Reports

This is a summary of Computer Virus Incident Reports for July 2000, compiled by IPA: Information-technology Promotion Agency (President: Shigeo Muraoka).

(1) Drastic increase of VBS/Stages reports
VBS/Stages, which was first reported in June, increased rapidly from 11 reports last month to 246 this month. VBS/Stages is a VBS (Visual Basic Script) virus that spreads via email. This virus comes in as an attachment file with .SHS (the scrap object) extension but this extension does not appear in Windows system even if it is set to show all file extensions. VBS/Stages uses MS Outlook to send itself as an attachment to addresses registered in the address book. You should be careful with emails with attachment sent from someone you know. Do not open the attachment files carelessly.

More information on VBS/Stages is available at http://www.ipa.go.jp/security/topics/vbs-stages_alert.html. Information on all viruses reported to IPA is available at IPA virus data base: http://www.ipa.go.jp/cgi-bin/security/virus/search/(Japanese)

(2) Growing number of Email virus; Highest number of annual reports; Decrease in number of actual infection
Cumulative number of reports from January to July 2000 (3,990) has exceeded the number of total reports for the year 1999 (3,645) and continues to set another highest record for the year 2000. However, the number of actual damage reports caused by infection is decreasing by more than 50% (cumulative number from January to July is 690 in 2000 and 1417 in 1999.) There is a remarkable growth in the number of email virus. As a source of virus, email (both domestic and international) is increasing with 40.6% in 1998, 67.0% in 1999 and 86.0% in first half of 2000. This type of virus abuses the email system and propagates very quickly and widely. You should take enough caution when opening the attached files to prevent infection. Please refer to "the list of 5 instructions when opening attachment files" at http://www.ipa.go.jp/security/english/virus/press/200007/E_attach52.html.

(3) Unsafe web sites
Recently IPA often receives queries about web sites that display virus-like messages or about strange programs that act like virus. The following describes some typical examples:

1) When a user visited a site, the message was displayed on the screen; "Your machine is infected by virus." "You need to execute this program to restore your machine." The user downloaded the program and executed it, and the machine had been malfunctioning since then.

2) A user received an email with signature from a friend. Upon clicking an URL contained in the signature part, it automatically started downloading and saving an unknown file in the directory. After executing this file, an URL of a specific web site is added in the user's signature of all outgoing emails.

For questions, please contact:
Office of Computer Virus Countermeasures (OCVC)
Information-technology Promotion Agency
TEL: (03) 5978-7508 FAX: (03) 5978-7518 E-mail: isec-info@ipa.go.jp

Computer Virus Incident Reporting Program

The Ministry of International Trade and Industry announced "Computer Virus Prevention Guidelines" to prevent the spread of computer viruses in Japan. IPA was designated to receive the "Computer Virus Damage Report" directly from the infected users to investigate virus problem and to provide monthly statistics. This reporting system started in April 1990. Anyone who has encountered computer virus is supposed to send a virus report with necessary information to IPA to prevent further spread and damage of viruses.

IPA deals with each reporter (user) on an individual basis as a consultant, and also works as a public research institute for antivirus measures by analyzing problems showed on the damage report. Taking reporters' privacy into full consideration, IPA periodically publishes the result of their research and analysis on computer virus incident.

Computer Virus Prevention Guidelines:
- Enactment on April 10, 1990 (release No.139)
- Amendment on July 7, 1995 (release No. 429)
- Amendment on September 24, 1997 (release No. 535)

There were 38 kinds of viruses reported during July. Most frequently reported viruses were VBS/Stages (246) and XM/Laroux (66). 4 kinds of new viruses, W97M/Smac, W97M/Proverb, W97M/Claud and W97M/JulyKiller (marked with a "*" sign) were reported to IPA for the first time. (Macro and Script viruses: 593 reports, Windows and DOS viruses: 107 reports)

Note) The abbreviation used in the "Name of Virus" are as follows:
XM and XF: ExcelMacro and ExcelFormula virus that works on MSExcel 95 and 97.
W97M: Word97 Macro virus that works on MSWord 97.
W97M/X97M/P97M: Word97Macro/Excel97Macro/PowerPoint97Macro virus which works on MSWord 97, MSExcel 97 and MSPowerpoint 97.
X97M: Excel97 Macro virus that works on MSExcel 97
WM: WordMacro virus that works on MSWord 95.
W32: virus that works under Windows32.
VBS: virus written in VisualBasicScript.
Wscript: virus that works under Windows Scripting Host (WSH) excluding VBS.

Computer Virus Incident Reports for July, 2000(full report)

Macro Virus	No. of report	Script virus	No. of report
XM/Laroux	66	VBS/Stages	246
W97M/Marker	29	Wscript/Kakworm	57
W97M/X97M/P97M/Tristate	25	VBS/LOVELETTER	55
X97M/Divi	17	VBS/Netlog	1
W97M/Ethan	16
W97M/Smac (*)	15
XM/VCX.A	10	Windows, DOS virus	No. of report
W97M/Class	8	Windows, DOS virus	No. of report
W97M/Proverb (*)	7	W32/Ska	48
W97M/Thus	7	W32/PrettyPark	31
W97M/Myna	6	AntiCMOS	17
WM/Cap	5	Cascade	3
W97M/Melissa	4	NYB	2
W97M/Chack	3	W32/Fix2001	2
W97M/Claud (*)	3	Form	1
W97M/Opey	2	W32/CIH	1
W97M/Pri	2	Stoned	1
W97M/Taro	2
XF/Sic	2
W97M/JulyKiller (*)	1
W97M/Panther	1	Macintosh Virus	No. of report
W97M/Story	1	Macintosh Virus	No. of report
W97M/Verlor	1	Autostart9805	1
W97M/Walker	1