December 7, 2000
Information-technology Promotion Agency
Computer Virus Incident Reports
1. Computer Virus Incident Reports of November, 2000
This is a summary of the Computer Virus Incident Reports for November 2000, compiled by IPA: Information-technology Promotion Agency (President: Shigeo Muraoka).
The total number of incident reports was a record high of 2203 (906 last month; 8,331 from January to November 2000).
[219 in November 1999; 3,645 in the year 1999 (monthly average of 304); 3,407 from January to November 1999.]
[The cumulative number of reports from April 1990 to November 2000 is 20,713.]
Circumstances:
W32/MTX is spreading widely and the damage is very serious.
2. Release notes for November
(1) This month's total (2203) is more than twice the previous record of 906 in October 2000!!
2203 is the worst figure on record, followed by 906 in October 2000. The number of actual infections was also the highest ever, with 546 reports, whereas the previous record was 339 in March 1999. Users must follow the anti-virus guidelines and must not open attachment files without caution.
(2) The drastic increase of "W32/MTX" is causing serious problems!!
The upsurge in the number of W32/MTX reports is causing many troubles. The 894 reports are the highest ever (the previous record was 346 reports of VBS/LOVELETTER in May 2000) and include 356 reports of actual infection (almost 40% of the total). This virus is spreading internationally.
W32/MTX propagates by sending a copy of itself, as a second mail with neither subject line nor text body, to everyone the infected user sends an email to. When recipients see this second mail from the same sender, they open the infected attachment without hesitation, because the sender is usually a friend or someone they know. Once infected, you should format the hard disk and reinstall Windows to ensure complete recovery and disinfection. Restoring the data requires considerable time and labor, so the damage caused by W32/MTX is very serious.
Information on troublesome "W32/MTX"
http://www.ipa.go.jp/security/topics/mtx.html (Japanese)
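The second-mail pattern described above can be checked for on the receiving side. The following is an added example, not part of the IPA report: it flags mails that have no subject and no text body, carry an attachment, and arrive shortly after an ordinary mail from the same sender. The 10-minute window, the addresses and the file names are assumptions.

```python
from datetime import timedelta
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

WINDOW = timedelta(minutes=10)  # assumption: how closely the second mail follows

def make(sender, date, subject="", body="", attachment=None):
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"], m["Date"] = sender, date
    if subject:
        m["Subject"] = subject
    if body:
        m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m

def blank_followups(messages):
    """Return (sender, attachment names) for blank mails trailing a normal one."""
    last_normal, flagged = {}, []
    for m in sorted(messages, key=lambda m: parsedate_to_datetime(m["Date"])):
        sender = parseaddr(m["From"])[1].lower()
        when = parsedate_to_datetime(m["Date"])
        part = m.get_body(preferencelist=("plain",))
        text = part.get_content().strip() if part is not None else ""
        subject = (m["Subject"] or "").strip()
        names = [p.get_filename() for p in m.iter_attachments()]
        if subject or text:
            last_normal[sender] = when          # an ordinary mail
        elif names and sender in last_normal \
                and when - last_normal[sender] <= WINDOW:
            flagged.append((sender, names))     # blank second mail
    return flagged

# Constructed mailbox: addresses, times and file names are made up.
MAILBOX = [
    make("alice@example.com", "Mon, 06 Nov 2000 10:00:00 +0900", "Minutes", "See below."),
    make("alice@example.com", "Mon, 06 Nov 2000 10:01:00 +0900", attachment="sample.scr"),
    make("bob@example.com", "Mon, 06 Nov 2000 11:00:00 +0900", "Report", "Attached.", "q3.xls"),
    make("carol@example.com", "Mon, 06 Nov 2000 12:00:00 +0900", attachment="photo.jpg"),
]

if __name__ == "__main__":
    for sender, names in blank_followups(MAILBOX):
        print(f"hold for scanning: {names} from {sender}")
```

A blank mail with no preceding ordinary mail from the same sender (the last entry in the sample) is not flagged by this check and still needs the normal attachment scan.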
(3) Be careful about "W32/Navidad"
The new virus "W32/Navidad" is spreading rapidly, and there were 437 reports in November. This virus spreads as an email attachment, and infected users can't use some application programs. "Navidad" means "Christmas" in Spanish. Users should be careful about viruses that pretend to be wishing a Merry Christmas or sending season's greetings.
Information on new virus "W32/Navidad"
http://www.ipa.go.jp/security/topics/navidad.html (Japanese)
3. Warning for this month
"Wait a minute!!" before you open the attachment file...
Email is the most common source of virus infection, with approximately 94% of total reports. It is too late once you open the infected file. Users will easily get infected if they have the habit of opening attachment files without checking them. To prevent infection, it is important to ask yourself whether the file is really safe to open.
The list of 5 instructions when opening attachment files
http://www.ipa.go.jp/security/english/virus/press/200007/E_attach52.html
For questions, please contact:
Office of Computer Virus Countermeasures (OCVC)
Information-technology Promotion Agency
TEL: (03) 5978-7508
FAX: (03) 5978-7518
E-mail: isec-info@ipa.go.jp
Virus Emergency Call: (03) 5978-7509
URL: http://www.ipa.go.jp/security/

Prevalence Table - November 2000
There were 47 kinds of viruses reported during November. Frequently reported viruses were W32/MTX (894 reports) and W32/Navidad (437 reports). 2 kinds of new viruses, W32/Navidad and WYX (marked with a "*" sign), were reported to IPA for the first time. (Macro and Script viruses: 699 reports, Windows and DOS viruses: 1503 reports, Mac virus: 1 report.)
| Macro Virus | No. of reports |
|---|---|
| X97M/Divi | 120 |
| XM/Laroux | 90 |
| W97M/Marker | 22 |
| W97M/Ethan | 15 |
| W97M/X97M/P97M/Tristate | 12 |
| W97M/Class | 10 |
| W97M/Thus | 10 |
| W97M/Melissa | 8 |
| W97M/Opey | 8 |
| WM/Cap | 1 |
| X97M/Barisada.da | 6 |
| XM/VCX.A | 4 |
| W97M/JulyKiller | 3 |
| W97M/Myna | 3 |
| W97M/Smac | 3 |
| W97M/Bablas.A | 2 |
| W97M/Prilissa | 2 |
| W97M/Walker | 2 |
| XF/Sic | 2 |
| XM/Extras | 2 |
| W97M/Locale | 1 |
| W97M/Nsi | 1 |
| W97M/Story | 1 |
| W97M/Titch | 1 |
| WM/Niceday | 1 |

| Script Virus | No. of reports |
|---|---|
| VBS/LOVELETTER | 314 |
| Wscript/Kakworm | 43 |
| VBS/Netlog | 3 |
| VBS/Stages | 2 |
| VBS/Freelink | 1 |
| VBS/NewLove | 1 |

| Windows, DOS virus | No. of reports |
|---|---|
| W32/MTX | 894 |
| W32/Navidad (*) | 437 |
| W32/QAZ | 69 |
| W32/Ska | 40 |
| W32/PrettyPark | 19 |
| W32/CIH | 13 |
| W32/Funlove | 13 |
| W32/Kriz | 7 |
| AntiCMOS | 3 |
| Form | 3 |
| Cascade | 1 |
| Stealth_Boot.B | 1 |
| WYX (*) | 1 |
| W32/Fix2001 | 1 |
| W32/Marburg | 1 |

| Macintosh Virus | No. of reports |
|---|---|
| MBDF | 1 |
Note) The abbreviations used in the "Name of Virus" are as follows:

| Abbreviation | Meaning |
|---|---|
| WM | MSWord95 (WordMacro) |
| W97M | MSWord97 (Word97Macro) |
| XM, XF | MSExcel95, 97 (ExcelMacro, ExcelFormula) |
| X97M | MSExcel97 (Excel97Macro) |
| W97M/X97M/P97M | MSWord97, MSExcel97, MSPowerpoint97 (Word97Macro/Excel97Macro/PowerPoint97Macro) |
| W32 | works under Windows32 |
| VBS | written in VisualBasicScript |
| Wscript | works under Windows Scripting Host (WSH) excluding VBS |
The following table shows the name and developer/distributor of antivirus products that are used for detection and disinfection in November (in the order of reported date).
Antivirus Products used for detection and disinfection

| Product | Developer/Distributor |
|---|---|
| InterScan | Trend Micro, Inc. |
| Virus Buster (PC-cillin) | Trend Micro, Inc. |
| VirusScan | Network Associates Japan Inc. |
| Norton AntiVirus | Symantec Japan, Inc. |
| F-SECURE (F-PROT) | Yamada Corporation |
| Server Protect | Trend Micro, Inc. |
| Sophos AntiVirus | C.S.E |
| Net (Group) Shield | Network Associates Japan Inc. |
| Inoculan (Cheyenne) | Computer Associates |
4. Outline of November report
(1) The following are brief descriptions of viruses that are reported to IPA for the first time in November:
W32/Navidad
W32/Navidad propagates as an email attachment file. The virus looks for emails with a single attachment in the infected user's inbox. When such an email is found, the virus replaces the existing attachment with an infected file and sends itself to the sender of the original email. The recipient recognizes the contents of the email and, since it comes from someone known, opens the attachment without scanning it. Once infected, the user is not able to use the application programs.
WYX
Wyx is a memory-resident, boot sector infecting virus. When the machine is booted from an infected floppy disk, the virus becomes memory resident. Once the system is infected, the virus tries to infect each floppy disk that is accessed. This virus works on IBM and compatible machines. There is no payload.
(2) The following table shows the number of reports sorted by reporting body. Most reports came from "general corporate users", with about 84% of total reports.
| Reporting Body | 2000/11 (reports) | 2000/11 (%) | 2000/1-11 (reports) | 2000/1-11 (%) | '99 total (reports) | '99 total (%) |
|---|---|---|---|---|---|---|
| General corporate user | 1853 | 84.1% | 7551 | 90.6% | 2859 | 78.4% |
| Information Technology Industry | 9 | 0.4% | 94 | 1.1% | 203 | 5.6% |
| Education/Research Institute | 48 | 2.2% | 117 | 1.4% | 227 | 6.2% |
| Individual user | 293 | 13.3% | 569 | 6.8% | 356 | 9.8% |
(3) The following table shows the number of reports sorted by region. The largest number of reports was from the Kanto region, followed by the Chubu and Kinki regions.

| Region | 2000/11 (reports) | 2000/11 (%) | 2000/1-11 (reports) | 2000/1-11 (%) | '99 total (reports) | '99 total (%) |
|---|---|---|---|---|---|---|
| Hokkaido | 25 | 1.1% | 58 | 0.7% | 34 | 0.9% |
| Tohoku | 28 | 1.3% | 80 | 1.0% | 89 | 2.4% |
| Kanto | 1788 | 81.2% | 7041 | 84.5% | 2476 | 67.9% |
| Chubu | 166 | 7.5% | 495 | 5.9% | 293 | 8.0% |
| Kinki | 132 | 6.0% | 489 | 5.9% | 547 | 15.0% |
| Chugoku | 21 | 1.0% | 55 | 0.7% | 107 | 2.9% |
| Shikoku | 6 | 0.3% | 24 | 0.3% | 25 | 0.7% |
| Kyusyu | 37 | 1.7% | 89 | 1.1% | 74 | 2.0% |
(4) The following table shows the source of virus. Approximately 94% of total reports said email (including emails from overseas) was the source, making it the most common one.

| Source of Virus | 2000/11 (reports) | 2000/11 (%) | 2000/1-11 (reports) | 2000/1-11 (%) | '99 total (reports) | '99 total (%) |
|---|---|---|---|---|---|---|
| Via email | 1268 | 57.6% | 4508 | 54.1% | 2175 | 59.7% |
| Via email from overseas | 803 | 36.5% | 2912 | 35.0% | 268 | 7.4% |
| Download from network | 11 | 0.5% | 73 | 0.9% | 195 | 5.3% |
| External medium | 20 | 0.9% | 342 | 4.1% | 589 | 16.2% |
| External medium (overseas) | 2 | 0.1% | 3 | 0% | 22 | 0.6% |
| unknown | 99 | 4.5% | 493 | 5.9% | 396 | 10.9% |
(5) The following table shows the number of PCs infected by viruses. 0 machines indicates that the virus was found either on floppy disks or in a document and was detected before infection occurred.

| Number of PCs | 2000/11 (reports) | 2000/11 (%) | 2000/1-11 (reports) | 2000/1-11 (%) | '99 total (reports) | '99 total (%) |
|---|---|---|---|---|---|---|
| 0 | 1657 | 75.2% | 6677 | 80.1% | 1692 | 46.4% |
| 1 | 451 | 20.5% | 1203 | 14.4% | 1316 | 36.1% |
| 2-4 | 67 | 3.0% | 315 | 3.8% | 401 | 11.0% |
| 5-9 | 19 | 0.9% | 82 | 1.0% | 122 | 3.3% |
| 10-19 | 5 | 0.2% | 26 | 0.3% | 64 | 1.8% |
| 20-49 | 1 | 0% | 13 | 0.2% | 33 | 0.9% |
| 50 or more | 3 | 0.1% | 15 | 0.2% | 17 | 0.5% |
5. Virus Payload Dates
To prevent the spread of viruses, please check the special notice on viruses that have payload dates between December 7 and January 31. For more information, please refer to the virus calendar at
http://www.ipa.go.jp/SECURITY/virus/viruscalendar.html (Japanese)
You should detect and disinfect viruses with the latest antivirus software before the payload is triggered, since disinfection and recovery afterwards can be very difficult (for example, data may be lost).
W32/Kriz: December 25th
W97M/Prilissa
W97M/Prilissa propagates under Microsoft Word (MSWord). This virus infects MSWord when an infected document is opened. Every document that is created or modified in the infected MSWord thereafter becomes infected when the document is closed. If an infected document is opened, or a document is closed in the infected MSWord, on December 25, the virus is activated and does the following:
1. modifies "Autoexec.bat" so that a message is displayed and the C drive is formatted on the next boot.
2. displays a dialogue box.
3. If the user clicks "OK", the virus draws various kinds of shapes in different colors on the document.
This virus works under the Japanese version of MSWord97/98/2000 and the English version of MSWord97/2000.
W32/Kriz
W32/Kriz propagates under Win32 systems. It infects Win32 executable files (PE exe files with the extension ".exe" or ".scr"). When an infected file is run, the virus creates a copy of "Kernel32.dll" in the Windows system directory and renames it to "Krized.tt6". It then modifies "Wininit.ini" so that "Kernel32.dll" is overwritten with "Krized.tt6" on the next reboot. It becomes memory resident and infects every file that is run or copied. The payload is activated on December 25th when an infected file is run while the virus is resident in memory. W32/Kriz damages CMOS memory and destroys all hard drives by overwriting them with garbage. It may also destroy the Flash BIOS, depending on the machine type.
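The "Wininit.ini" change described above leaves a pending operation that can be inspected before the next reboot. The following is an added example, not part of the IPA report: it reads the `[rename]` section, whose entries have the form `destination=source`, and flags any entry that overwrites "Kernel32.dll" or uses "Krized.tt6" as its source. The sample file content and the `C:\WINDOWS\SYSTEM` paths are constructed assumptions.

```python
import ntpath

# File the report says W32/Kriz replaces, and the copy it stages.
TARGETS = {"kernel32.dll"}
STAGED = {"krized.tt6"}

# Constructed sample; the C:\WINDOWS\... paths are assumptions.
SAMPLE = r"""
[rename]
NUL=C:\WINDOWS\TEMP\SETUP1.TMP
NUL=C:\WINDOWS\TEMP\SETUP2.TMP
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\SYSTEM\KRIZED.TT6
"""

def pending_renames(text):
    """Return (destination, source) pairs from the [rename] section.

    Parsed by hand because keys repeat (several NUL= deletions are normal),
    which a strict INI parser would reject or collapse.
    """
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
        elif in_rename and "=" in line:
            dest, src = (p.strip() for p in line.split("=", 1))
            pairs.append((dest, src))
    return pairs

def suspicious_renames(text):
    """Flag pending operations that overwrite a core DLL or use the staged copy."""
    hits = []
    for dest, src in pending_renames(text):
        if ntpath.basename(dest).lower() in TARGETS or \
           ntpath.basename(src).lower() in STAGED:
            hits.append((dest, src))
    return hits

if __name__ == "__main__":
    for dest, src in suspicious_renames(SAMPLE):
        print(f"review before reboot: {src} -> {dest}")
```

A legitimate installer can also queue the replacement of a system file in this way, so a hit means the entry needs review before the next reboot, not that infection is confirmed.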
Computer Virus Incident Reporting Program
The Ministry of International Trade and Industry announced the "Computer Virus Prevention Guidelines" to prevent the spread of computer viruses in Japan. IPA was designated to receive the "Computer Virus Damage Report" directly from infected users, to investigate virus problems and to provide monthly statistics. This reporting system started in April 1990. Anyone who has encountered a computer virus is supposed to send a virus report with the necessary information to IPA to prevent further spread and damage. IPA deals with each reporter (user) on an individual basis as a consultant, and also works as a public research institute for antivirus measures by analyzing the problems shown in the damage reports. Taking reporters' privacy into full consideration, IPA periodically publishes the results of its research and analysis on computer virus incidents.
Computer Virus Prevention Guidelines: