November 9, 2000
Information-technology Promotion Agency
Computer Virus Incident Reports
1. Computer Virus Incident Reports of October, 2000
This is a summary of Computer Virus Incident Reports of October 2000, compiled by IPA: Information-technology Promotion Agency (President: Shigeo Muraoka).
The total number of incident reports was a record high of 906 (676 last month; 6,128 from January to October 2000).
[405 in October 1999, 3,645 in the year 1999 (monthly average of 304), 3,188 from January to October 1999.]
[Cumulative number of reports from April 1990 to October 2000 is 17,970]
Circumstances:
This month's 906 incidents is the highest number on record. By reporting body, reports from individual users suddenly increased to 11% of the total. Email was the most common source of viruses, with approximately 94% of the total. 44 kinds of viruses were reported in October. 4 kinds of new viruses were reported: W32/Kriz, VBS/NewLove, W97M/Titch, and W97M/Turn.
2. Release notes for October
(1) Highest record of virus incidents this month, worse than VBS/LOVELETTER
906 is the worst figure on record, followed by 900 in May 2000, when VBS/LOVELETTER caused a great deal of damage. In addition, reports of actual infection make up 30% of the total (13% last month), and the damage is becoming more serious.
(2) The drastic increase of "W32/MTX" infection that destroys PC
W32/MTX is spreading widely. This virus uses attached files with 31 different names and destroys the PC upon execution. The attachment names include those of known viruses (such as the LOVELETTER virus), which is very confusing (see the list of attachment files).
W32/MTX was reported for the first time last month, and there were already 223 reports this month. 111 of them were reports of actual infection, almost half of the total, which is a very high infection rate. W32/MTX propagates by sending a copy of itself, as a second mail, to whoever the infected user sends an email to. When the receivers see this second mail from the same sender, they open the infected attachment without suspicion. Because of that, this virus spreads easily among friends and acquaintances. Once infected, you should format the hard disk and reinstall Windows to ensure complete recovery and disinfection. The damage caused by W32/MTX is therefore very serious.
Information on new virus "W32/MTX"
http://www.ipa.go.jp/security/topics/mtx.html (Japanese)
(3) Be careful about "W32/QAZ" that may lead to unauthorized access
Reportedly, W32/QAZ was used in the Microsoft hacking incident. Reports of this virus are suddenly increasing, and you should take sufficient caution. It is a Trojan horse with backdoor capabilities such as stealing IP addresses and making remote access possible. It has no automatic email-sending function, but people with malicious intent will deliberately send it as an attached file. You should not open attachments sent by unknown people. There was 1 report of W32/QAZ, the first, last month, but this month we received 34 reports.
Be careful about W32/QAZ that is reportedly used in the hacking incident.
http://www.ipa.go.jp/security/topics/qaz.html (Japanese)
3. Special announcement for this month
Providing is preventing: use "Anti-virus Check List" to avoid infection
Among inquiries from infected users, we found that a great number of users don't know the very basics of how to use an anti-virus program. They don't know whether anti-virus software is installed on their own PCs, they don't realize the importance of updating the program, or they don't know how to use the anti-virus program.
To help users have a virus-free PC life, we made the "Anti-virus Check List", which describes the fundamental items that users should know. It is important to take the necessary steps and understand what you need to do to avoid virus infections.
Anti-virus Check List
http://www.ipa.go.jp/security/virus/beginner/check/check1.html (Japanese)
For questions, please contact:
Office of Computer Virus Countermeasures (OCVC)
Information-technology Promotion Agency
TEL: (03) 5978-7508
FAX: (03) 5978-7518
E-mail: isec-info@ipa.go.jp
Virus Emergency Call: (03) 5978-7509
URL: http://www.ipa.go.jp/security/

Prevalence Table - October 2000
There were 44 kinds of viruses reported during October. The most frequently reported viruses were W32/MTX (223 reports) and VBS/LOVELETTER (128 reports). 4 kinds of new viruses, W32/Kriz, VBS/NewLove, W97M/Titch, and W97M/Turn (marked with a "*" sign), were reported to IPA for the first time (Macro and Script viruses: 543 reports, Windows and DOS viruses: 370 reports, Mac virus: 1 report). Some reports contain multiple infections, so the sum total doesn't match 906 (the total number of October reports).
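| Type | Virus | No. of reports |
|---|---|---|
| Macro virus | X97M/Divi | 111 |
| Macro virus | XM/Laroux | 60 |
| Macro virus | W97M/X97M/P97M/Tristate | 32 |
| Macro virus | X97M/Barisada.da | 29 |
| Macro virus | W97M/Marker | 19 |
| Macro virus | W97M/Ethan | 13 |
| Macro virus | W97M/Class | 10 |
| Macro virus | W97M/Melissa | 9 |
| Macro virus | XM/VCX.A | 8 |
| Macro virus | W97M/Pri | 7 |
| Macro virus | WM/Cap | 6 |
| Macro virus | W97M/Myna | 5 |
| Macro virus | W97M/Thus | 5 |
| Macro virus | W97M/Smac | 4 |
| Macro virus | W97M/Verlor | 4 |
| Macro virus | W97M/Vmpck1 | 3 |
| Macro virus | W97M/Nsi | 2 |
| Macro virus | W97M/Story | 2 |
| Macro virus | W97M/Titch (*) | 2 |
| Macro virus | W97M/Chack | 1 |
| Macro virus | W97M/JulyKiller | 1 |
| Macro virus | W97M/Proverb | 1 |
| Macro virus | W97M/Turn (*) | 1 |
| Macro virus | W97M/Walker | 1 |
| Macro virus | W97M/X97M/Shiver | 1 |
| Macro virus | WM/Wazzu | 1 |
| Macro virus | X97M/Sugar | 1 |
| Script virus | VBS/LOVELETTER | 128 |
| Script virus | Wscript/Kakworm | 50 |
| Script virus | VBS/Stages | 18 |
| Script virus | VBS/Netlog | 7 |
| Script virus | VBS/NewLove (*) | 1 |
| Windows, DOS virus | W32/MTX | 223 |
| Windows, DOS virus | W32/Ska | 40 |
| Windows, DOS virus | W32/QAZ | 34 |
| Windows, DOS virus | W32/Funlove | 27 |
| Windows, DOS virus | W32/PrettyPark | 24 |
| Windows, DOS virus | W32/Kriz (*) | 11 |
| Windows, DOS virus | W32/CIH | 6 |
| Windows, DOS virus | Form | 2 |
| Windows, DOS virus | AntiCMOS | 1 |
| Windows, DOS virus | Stealth_Boot.B | 1 |
| Windows, DOS virus | Quox.A | 1 |
| Macintosh virus | MBDF | 1 |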
Note) The abbreviations used in the "Name of Virus" are as follows:
| Abbreviation | Meaning |
|---|---|
| WM | MSWord95 (WordMacro) |
| W97M | MSWord97 (Word97Macro) |
| XM, XF | MSExcel95, 97 (ExcelMacro, ExcelFormula) |
| X97M | MSExcel97 (Excel97Macro) |
| W97M/X97M/P97M | MSWord97, MSExcel97, MSPowerpoint97 (Word97Macro/Excel97Macro/PowerPoint97Macro) |
| W32 | works under Windows32 |
| VBS | written in VisualBasicScript |
| Wscript | works under Windows Scripting Host (WSH) excluding VBS |
The following table shows the names and developers/distributors of the antivirus products that were used for detection and disinfection in October.
Antivirus Products used for detection and disinfection
| Product (in the order of reported date) | Developer/Distributor |
|---|---|
| Virus Buster (PC-cillin) | Trend Micro, Inc. |
| VirusScan | Network Associates Japan Inc. |
| Norton AntiVirus | Symantec Japan, Inc. |
| InterScan | Trend Micro, Inc. |
| Server Protect | Trend Micro, Inc. |
| Net (Group) Shield | Network Associates Japan Inc. |
| Inoculan (Cheyenne) | Computer Associates |
| F-SECURE (F-PROT) | Yamada Corporation |
| Antidote | Vertex Link |
| Sophos AntiVirus | C.S.E |
3. Outline of October report
(1) The following are brief descriptions of viruses that are reported to IPA for the first time in October:
W32/Kriz
W32/Kriz propagates under Win32 systems. It infects Win32 executable exe files (PE exe files with the extension ".exe" or ".scr"). When an infected file is run, the virus creates a copy of "Kernel32.dll" in the Windows system directory and renames it to "Krized.tt6". It then modifies "Wininit.ini" so that "Kernel32.dll" is overwritten with "Krized.tt6" on the next reboot. It becomes memory resident and infects every file that is run or copied. The payload is activated on December 25th when an infected file is run while the virus is resident in memory. W32/Kriz damages CMOS memory and destroys all hard drives by overwriting them with garbage. It may also destroy the Flash BIOS, depending on the machine type.
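The Wininit.ini change described above can be checked before the next reboot. The following is an added example, not part of the IPA report: it assumes the standard Windows 9x Wininit.ini layout, where each `[rename]` line reads `destination=source`, and the sample content and paths are constructed.

```python
import ntpath

# Constructed sample of a Wininit.ini as the description above implies;
# the paths and the first (benign) entry are invented for illustration.
SAMPLE_WININIT = """\
[rename]
NUL=C:\\WINDOWS\\TEMP\\OLDSETUP.TMP
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KRIZED.TT6
"""

PROTECTED = {"kernel32.dll"}   # system file named in the report
KNOWN_BAD = {"krized.tt6"}     # modified copy named in the report


def pending_renames(text):
    """Yield (destination, source) pairs from the [rename] section."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "rename" and "=" in line:
            dest, src = line.split("=", 1)
            yield dest.strip(), src.strip()


def suspicious_renames(text):
    """Return entries that replace a protected file or use a known-bad source."""
    hits = []
    for dest, src in pending_renames(text):
        dest_name = ntpath.basename(dest).lower()
        src_name = ntpath.basename(src).lower()
        if dest_name in PROTECTED or src_name in KNOWN_BAD:
            hits.append((dest, src))
    return hits


if __name__ == "__main__":
    for dest, src in suspicious_renames(SAMPLE_WININIT):
        print(f"pending replace on reboot: {dest} <- {src}")
```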
VBS/NewLove (VisualBasicScript/NewLove)
VBS/NewLove propagates as an email attachment file. When the virus is run, it copies itself to the Windows folder (usually C:\Windows) and the Windows system folder (usually C:\Windows\System). The name of this file is randomly chosen from the recently opened files directory. The extension is taken from the following list:
Doc.Vbs, Xls.Vbs, Mdb.Vbs, Bmp.Vbs, Mp3.Vbs, Txt.Vbs, Jpg.Vbs, Gif.Vbs, Bov.Vbs, Url.Vbs, Htm.Vbs
The virus then modifies the registry so that it is run automatically upon the next reboot. When Microsoft Outlook is installed, the virus sends the following email to each recipient in the Outlook address book.
Subject: FW: [random file name (excluding the file extension) that virus created in Windows]
Body: [empty]
Attachment file: [random file name that virus created in Windows].vbs
Finally, the virus changes the length of all files on all hard drives (excluding the currently used files, system attribute or read-only files) to 0 bytes, and changes the extension to .VBS (e.g.: xxxx.jpg=xxxx.jpg.vbs).
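The file naming described above gives two things to look for in a directory listing. The following is an added example, not part of the IPA report: the labels and the sample paths are constructed, and the inner-extension set is taken from the list in the description.

```python
import ntpath

# Inner extensions from the "Doc.Vbs, Xls.Vbs, ..." list in the description.
LISTED_INNER = {"doc", "xls", "mdb", "bmp", "mp3", "txt",
                "jpg", "gif", "bov", "url", "htm"}


def classify(path, size):
    """Classify one directory entry against the VBS/NewLove description.

    Returns 'truncated' for a zero-byte file named <name>.<ext>.vbs (the
    payload's result), 'dropped-copy-pattern' for a non-empty file ending in
    one of the listed double extensions, or None otherwise.
    """
    parts = ntpath.basename(path).lower().split(".")
    # Need at least name + inner extension + "vbs".
    if len(parts) < 3 or parts[-1] != "vbs" or not parts[-2]:
        return None
    if size == 0:
        return "truncated"
    if parts[-2] in LISTED_INNER:
        return "dropped-copy-pattern"
    return None


def summarize(entries):
    """Count matches over (path, size) pairs, e.g. from a directory walk."""
    counts = {"truncated": 0, "dropped-copy-pattern": 0}
    for path, size in entries:
        label = classify(path, size)
        if label:
            counts[label] += 1
    return counts


# Constructed sample listing (path, size in bytes).
SAMPLE = [
    ("C:\\Data\\report.jpg.vbs", 0),
    ("C:\\Windows\\budget.Xls.Vbs", 8192),
    ("C:\\Scripts\\login.vbs", 2048),
    ("C:\\Data\\photo.jpg", 40960),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A plain `.vbs` script and a non-empty file with an unlisted inner extension are not flagged, which keeps ordinary administrative scripts out of the results.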
W97M/Titch (Word97Macro/Titch)
W97M/Titch propagates under Microsoft Word (MSWord). This virus infects MSWord when an infected document is opened. Every document that is created or modified on the infected MSWord thereafter becomes infected when the document is closed. Once infected, the "Macro Virus Protection" option in "Tools/Options/General" will be turned off. There is no payload. This virus works under the Japanese versions of MSWord97/98/2000 and the English versions of MSWord97/2000.
W97M/Turn (Word97Macro/Turn)
W97M/Turn propagates under Microsoft Word (MSWord). This virus infects MSWord when an infected document is opened. Every document that is created or modified on the infected MSWord thereafter becomes infected when the document is closed. Once infected, the "Macro Virus Protection" option in "Tools/Options/General" will be turned off. It also disables VisualBasicEditor. There is no payload. This virus works under the Japanese versions of MSWord97/98/2000 and the English versions of MSWord97/2000.
(2) The following table shows the number of reports sorted by reporting body. Most reports came from "general corporate users", with about 87% of total reports.
| Reporting body | Reports, 2000/10 | % | Reports, 2000/1-10 | % | Reports, '99 total | % |
|---|---|---|---|---|---|---|
| General corporate user | 790 | 87.2% | 5968 | 93.0% | 2859 | 78.4% |
| Information Technology Industry | 3 | 0.3% | 85 | 1.4% | 203 | 5.6% |
| Education/Research Institute | 13 | 1.4% | 69 | 1.1% | 227 | 6.2% |
| Individual user | 100 | 11.0% | 276 | 4.5% | 356 | 9.8% |
(3) The following table shows the number of reports sorted by region. The largest number of reports was from Kanto region, followed by Chubu and Kinki region.
| Region | Reports, 2000/10 | % | Reports, 2000/1-10 | % | Reports, '99 total | % |
|---|---|---|---|---|---|---|
| Hokkaido | 6 | 0.7% | 33 | 0.5% | 34 | 0.9% |
| Tohoku | 9 | 1.0% | 52 | 0.8% | 89 | 2.4% |
| Kanto | 707 | 78.0% | 5253 | 85.7% | 2476 | 67.9% |
| Chubu | 58 | 6.4% | 329 | 5.4% | 293 | 8.0% |
| Kinki | 95 | 10.5% | 357 | 5.8% | 547 | 15.0% |
| Chugoku | 12 | 1.3% | 34 | 0.6% | 107 | 2.9% |
| Shikoku | 9 | 1.0% | 18 | 0.3% | 25 | 0.7% |
| Kyusyu | 10 | 1.1% | 52 | 0.8% | 74 | 2.0% |
(4) The following table shows the source of virus. Approximately 86% of total reports said email (including oversea emails) was the most common source.
| Source of virus | Reports, 2000/10 | % | Reports, 2000/1-10 | % | Reports, '99 total | % |
|---|---|---|---|---|---|---|
| Via email | 415 | 45.8% | 3240 | 52.9% | 2175 | 59.7% |
| Via email from overseas | 365 | 40.3% | 2109 | 34.4% | 268 | 7.4% |
| Download from network | 14 | 1.5% | 62 | 1.0% | 195 | 5.3% |
| External medium | 34 | 3.8% | 322 | 5.3% | 589 | 16.2% |
| External medium (overseas) | 0 | 0% | 1 | 0% | 22 | 0.6% |
| Unknown | 78 | 8.6% | 394 | 6.4% | 396 | 10.9% |
(5) The following table shows the number of PCs infected by viruses. A count of 0 machines indicates that the virus was found either on floppy disks or in a document and was detected before infection occurred.
| Number of PCs | Reports, 2000/10 | % | Reports, 2000/1-10 | % | Reports, '99 total | % |
|---|---|---|---|---|---|---|
| 0 | 638 | 70.4% | 5020 | 81.9% | 1692 | 46.4% |
| 1 | 180 | 19.9% | 752 | 12.3% | 1316 | 36.1% |
| 2-4 | 59 | 6.5% | 248 | 4.0% | 401 | 11.0% |
| 5-9 | 13 | 1.4% | 63 | 1.0% | 122 | 3.3% |
| 10-19 | 8 | 0.9% | 21 | 0.3% | 64 | 1.8% |
| 20-49 | 4 | 0.4% | 12 | 0.2% | 33 | 0.9% |
| 50 or more | 4 | 0.4% | 12 | 0.2% | 17 | 0.5% |
VIRUS PAYLOAD DATES
To prevent the spread of viruses, below is a special notice on viruses that have payload dates between November 6 and December 31. For more information, please refer to the virus calendar at
http://www.ipa.go.jp/security/virus/viruscalendar.html (Japanese)
You should detect and clean viruses with updated antivirus software before the payload is triggered, since disinfection and recovery afterwards could be very difficult (for example, because of lost data).
W97M/Class (Word97Macro/Class) November 14th, December 14th
Wscript/Kakworm (WindowsScript/Kakworm) December 1st
Computer Virus Incident Reporting Program
The Ministry of International Trade and Industry announced "Computer Virus Prevention Guidelines" to prevent the spread of computer viruses in Japan. IPA was designated to receive the "Computer Virus Damage Report" directly from infected users, to investigate virus problems and to provide monthly statistics. This reporting system started in April 1990. Anyone who has encountered a computer virus is supposed to send a virus report with the necessary information to IPA to prevent further spread and damage of viruses. IPA deals with each reporter (user) on an individual basis as a consultant, and also works as a public research institute for antivirus measures by analyzing problems shown in the damage reports. Taking reporters' privacy into full consideration, IPA periodically publishes the results of its research and analysis on computer virus incidents.
Computer Virus Prevention Guidelines: