January 12, 2001
Information-technology Promotion Agency
Computer Virus Incident Reports
1. Computer Virus Incident Reports of December, 2000
This is a summary of Computer Virus Incident Reports of December 2000 and the year 2000, compiled by IPA: Information-technology Promotion Agency (President: Shigeo Muraoka).
The total number of incident reports was a record high of 2,778 (2,203 last month; 11,109 in the year 2000).
[238 in December 1999; 3,645 in the year 1999 (monthly average of 304)]
[The cumulative number of reports from April 1990 to December 2000 is 22,951]
Circumstances:
Email viruses (viruses that spread via email attachment files) are still prevalent. Among them, W32/MTX reached the highest number of reports for a single kind of virus, 1,008 (of which 300 were actual infections). The previous record was 894 reports for the same virus in November 2000. The propagation of these email viruses is causing serious problems, especially for vulnerable PC beginners. Among individual users, 196 (56%) of the 351 reports in December were actual infections. This is considerably higher than 19%, the infection rate across all reports in December.
46 kinds of viruses were reported in December. There were 2 kinds of new viruses: W32/Hybris and W32/Plage.
2. Release notes for December
(1) This month's report count (2,778) was the worst on record: email viruses are prevalent!!
The monthly incident count has set a new record for three consecutive months, and 82% of total reports are email viruses. Infection via attachment files is increasing continuously.
- Be careful about attachment files!
You should always scan attachment files with the latest anti-virus program. Also, it is necessary to delete the attachment files of strange-looking emails (*), such as emails without a sender's name or text body, before you accidentally open them.
* W32/MTX and W32/Hybris propagate themselves by sending out an infected attachment file with no text body in the mail.
Reference:
"Information on troublesome W32/MTX"
http://www.ipa.go.jp/security/topics/mtx.html (Japanese)
"Information on new virus W32/Hybris"
http://www.ipa.go.jp/security/topics/hybris.html (Japanese)
(2) The total number of reports for the year 2000 is over 10,000!!
Email viruses were widespread in the year 2000, and the total number of reports (11,109) is more than three times that of 1999 (3,645 reports). However, the damage caused by actual infection has been decreasing tremendously. It can be said that anti-virus programs are becoming more popular among users, and viruses are being detected before they are executed. We hope more and more users will use anti-virus programs regularly.
Reference: "the summary of computer virus incident reports for the year 2000"
http://www.ipa.go.jp/security/english/virus/press/200101/Reference.html
3. Warning for this month
"Once you become a virus distributor, it's too late."
Most PC beginners neglect anti-virus policy because they think they will never get a virus. However, there is a great possibility that anyone will receive a virus from friends or acquaintances someday. Users should not consider themselves an exception. It is important to follow anti-virus policy and to use an anti-virus program daily as a bare necessity.
7 basic anti-virus measures for PC users
http://www.ipa.go.jp/security/english/virus/antivirus/E_7kajo.html
For questions, please contact:
Office of Computer Virus Countermeasures (OCVC)
Information-technology Promotion Agency
TEL: (03) 5978-7508
FAX: (03) 5978-7518
E-mail: isec-info@ipa.go.jp
Virus Emergency Call: (03) 5978-7509
URL: http://www.ipa.go.jp/security/

Prevalence Table - December 2000
There were 46 kinds of viruses reported during December. The most common viruses were W32/MTX (1008 reports) and W32/Navidad (765 reports). 2 kinds of new viruses, W32/Hybris and W32/Plage (marked with a "*" sign), were reported to IPA for the first time (Macro and Script viruses: 638 reports, Windows and DOS viruses: 2141 reports). Some reports contain multiple infections, so the sum of the counts does not match 2778 (the total number of reports in December).
| Macro Virus | No. of report |
|---|---|
| X97M/Divi | 139 |
| XM/Laroux | 88 |
| W97M/Marker | 24 |
| W97M/X97M/P97M/Tristate | 21 |
| W97M/Myna | 18 |
| W97M/Thus | 15 |
| W97M/Ethan | 11 |
| WM/Cap | 11 |
| WM97M/Story | 8 |
| W97M/Class | 7 |
| W97M/Melissa | 7 |
| W97M/Bablas.A | 5 |
| X97M/Barisada | 5 |
| W97M/Titch | 5 |
| W97M/Chack | 4 |
| W97M/Eight | 4 |
| W97M/Proverb | 4 |
| W97M/Opey | 3 |
| W97M/Nsi | 2 |
| W97M/Pri | 2 |
| W97M/Vmpck1 | 2 |
| W97M/Assilem | 1 |
| W97M/Astia | 1 |
| W97M/Walker | 1 |

| Script Virus | No. of report |
|---|---|
| Wscript/Kakworm | 170 |
| VBS/LOVELETTER | 63 |
| VBS/Stages | 16 |
| VBS/Freelink | 1 |

| Windows, DOS virus | No. of report |
|---|---|
| W32/MTX | 1008 |
| W32/Navidad | 765 |
| W32/Hybris (*) | 181 |
| W32/QAZ | 52 |
| W32/Ska | 44 |
| W32/Funlove | 36 |
| W32/Plage (*) | 13 |
| W32/PrettyPark | 12 |
| W32/CIH | 11 |
| W32/Kriz | 7 |
| Form | 4 |
| W32/Fix2001 | 2 |
| Anti-CMOS | 1 |
| AntiEXE.A | 1 |
| SAMPO | 1 |
| W32/Marburg | 1 |
| WYX | 1 |
| YankeeDoodle | 1 |

Macintosh Virus: none
Note) The abbreviations used in the "Name of Virus" are as follows:

| Abbreviation | Meaning |
|---|---|
| WM | MSWord95 (WordMacro) |
| W97M | MSWord97 (Word97Macro) |
| XM, XF | MSExcel95, 97 (ExcelMacro, ExcelFormula) |
| X97M | MSExcel97 (Excel97Macro) |
| W97M/X97M/P97M | MSWord97, MSExcel97, MSPowerpoint97 (Word97Macro/Excel97Macro/PowerPoint97Macro) |
| W32 | works under Windows32 |
| VBS | written in VisualBasicScript |
| Wscript | works under Windows Scripting Host (WSH) excluding VBS |
The following table shows the names and developers/distributors of the antivirus products that were used for detection and disinfection in December (in the order of reported date).

Antivirus Products used for detection and disinfection

| Product | Developer/Distributor |
|---|---|
| Norton AntiVirus | Symantec Japan, Inc. |
| InterScan | Trend Micro, Inc. |
| Virus Buster (PC-cillin) | Trend Micro, Inc. |
| VirusScan | Network Associates Japan Inc. |
| Net(Group) Shield | Network Associates Japan Inc. |
| Inoculan (Cheyenne) | Computer Associates |
| F-SECURE (F-PROT) | Yamada Corporation |
| Sophos AntiVirus | C.S.E |
| Server Protect | Trend Micro, Inc. |
| Antidote | Vertex Link |
4. Outline of December report
(1) The following are brief descriptions of viruses that are reported to IPA for the first time in December:
W32/Hybris
W32/Hybris propagates as an email attachment file. Once executed, the virus modifies the file "Wsock32.dll" in the C:\windows\System folder. The virus finds email addresses either in the infected user's inbox or on websites the user has visited, and then sends itself to those addresses.
The subject, text body and name of the attachment file vary depending on the OS and language environment of the infected machine. If the virus is sent from a Japanese environment, the subject and the text body are empty, and the name of the attachment file is "xxxxxxxx" (8 alphabetic letters chosen at random by the virus) + ".exe".
W32/Plage
W32/Plage propagates as an email attachment file. Once executed, the virus copies itself as "INETD.EXE" in the Windows directory, and modifies "win.ini" so that the virus is executed on the next reboot. W32/Plage sends out the following reply to unread messages in the infected user's inbox. The icon of the attachment file is the one for a compressed ZIP file.
  Subject: Re: (subject of the original email)
  Text body: P2000 Mail auto-reply
  ' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion!'
  > Get your FREE P2000 Mail now! <
  Attachment file: Pics.exe, images.exe etc.
If the infected machine is booted between 0:00 a.m. and 02:00 GMT on Wednesdays (09:00 a.m. and 11:00 a.m. in Japan), the virus displays a message and images.
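The message traits described above for W32/Hybris (empty subject and body, 8-letter ".exe" attachment) and W32/Plage (auto-reply text with an ".exe" attachment) can be checked mechanically at a mail gateway or during triage. The following is an added example, not IPA's or any vendor's code; the names `triage` and `build_sample` and the example.com address are hypothetical, and the sample messages are constructed.

```python
import re
from email import message_from_string

# Traits below come from the report's descriptions of W32/Hybris and W32/Plage.
NO_BODY = "executable attachment with no text body"
HYBRIS = "Hybris-like: empty subject and body, 8-letter .exe name"
PLAGE = "Plage-like: P2000 auto-reply text with .exe attachment"
HYBRIS_NAME = re.compile(r"[A-Za-z]{8}\.exe", re.IGNORECASE)

def triage(raw):
    """Return the reasons a raw RFC 822 message matches the described traits."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body, names = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            names.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("latin-1")
    body = body.strip()
    exes = [n for n in names if n.lower().endswith(".exe")]
    reasons = []
    if exes and not body:
        reasons.append(NO_BODY)
    if exes and not subject and not body and any(HYBRIS_NAME.fullmatch(n) for n in exes):
        reasons.append(HYBRIS)
    if exes and subject.lower().startswith("re:") and "P2000 Mail auto-reply" in body:
        reasons.append(PLAGE)
    return reasons

def build_sample(subject, body, attachment):
    """Constructed test message (not a real sample); attachment bytes are filler."""
    return (
        f"From: sender@example.com\nSubject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b"\n\n'
        f"--b\nContent-Type: text/plain\n\n{body}\n"
        "--b\nContent-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{attachment}"\n\nfiller\n--b--\n'
    )

if __name__ == "__main__":
    for args in [("", "", "qwertyui.exe"),
                 ("Re: meeting", "P2000 Mail auto-reply\nTake a look", "Pics.exe"),
                 ("Minutes", "See attached.", "minutes.txt")]:
        print(args[2], "->", triage(build_sample(*args)))
```

These checks only flag messages for scanning or quarantine; the report notes that Hybris subjects and attachment names vary with the sender's OS and language, so a clean result is not proof that a message is safe.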
(2) The following table shows the number of reports sorted by reporting body. Most reports came from "general corporate users", with about 84% of total reports.

Number of reports:

| Reporting Body | 2000/12 | (%) | 2000 | (%) | '99 total | (%) |
|---|---|---|---|---|---|---|
| General corporate user | 2325 | 83.7% | 9876 | 88.9% | 2859 | 78.4% |
| Information Technology Industry | 5 | 0.2% | 99 | 0.9% | 203 | 5.6% |
| Education/Research Institute | 97 | 3.5% | 214 | 1.9% | 227 | 6.2% |
| Individual user | 351 | 12.6% | 920 | 8.3% | 356 | 9.8% |
(3) The following table shows the number of reports sorted by region. The largest number of reports was from Kanto region, followed by Kinki and Chubu region.
Number of reports:

| Region | 2000/12 | (%) | 2000 | (%) | '99 total | (%) |
|---|---|---|---|---|---|---|
| Hokkaido | 31 | 1.1% | 89 | 0.8% | 34 | 0.9% |
| Tohoku | 41 | 1.5% | 121 | 1.1% | 89 | 2.4% |
| Kanto | 2374 | 85.5% | 9415 | 84.8% | 2476 | 67.9% |
| Chubu | 117 | 4.2% | 612 | 5.5% | 293 | 8.0% |
| Kinki | 139 | 5.0% | 928 | 5.7% | 547 | 15.0% |
| Chugoku | 25 | 0.9% | 80 | 0.7% | 107 | 2.9% |
| Shikoku | 11 | 0.4% | 35 | 0.3% | 25 | 0.7% |
| Kyusyu | 40 | 1.4% | 129 | 1.2% | 74 | 2.0% |
(4) The following table shows the source of virus. Email (including email from overseas) was the most common source, named in approximately 94% of total reports.

Number of reports:

| Source of Virus | 2000/12 | (%) | 2000 | (%) | '99 total | (%) |
|---|---|---|---|---|---|---|
| Via email | 1663 | 59.9% | 6171 | 55.5% | 2175 | 59.7% |
| Via email from overseas | 931 | 33.5% | 3843 | 34.6% | 268 | 7.4% |
| Download from network | 9 | 0.3% | 82 | 0.7% | 195 | 5.3% |
| External medium | 82 | 3.0% | 424 | 3.8% | 589 | 16.2% |
| External medium (overseas) | 1 | 0% | 4 | 0% | 22 | 0.6% |
| unknown | 92 | 3.3% | 585 | 5.3% | 396 | 10.9% |
(5) The following table shows the number of PCs infected by viruses. A count of 0 machines indicates that the virus was found either on floppy disks or in a document and was detected before infection occurred.

Number of reports:

| Number of PCs | 2000/12 | (%) | 2000 | (%) | '99 total | (%) |
|---|---|---|---|---|---|---|
| 0 | 2250 | 81.0% | 8927 | 80.4% | 1692 | 46.4% |
| 1 | 407 | 14.7% | 1610 | 14.5% | 1316 | 36.1% |
| 2-4 | 78 | 2.8% | 393 | 3.5% | 401 | 11.0% |
| 5-9 | 27 | 1.0% | 109 | 1.0% | 122 | 3.3% |
| 10-19 | 6 | 0.2% | 32 | 0.3% | 64 | 1.8% |
| 20-49 | 7 | 0.3% | 20 | 0.2% | 33 | 0.9% |
| 50 or more | 3 | 0.1% | 18 | 0.2% | 17 | 0.5% |
5. Virus Payload Dates
To prevent the spread of viruses, please check the special notice on viruses that have payload dates between January 12 and February 28. For more information, please refer to the virus calendar at
http://www.ipa.go.jp/SECURITY/virus/viruscalendar.html (Japanese)
You should detect and disinfect viruses with the latest antivirus software before their payloads are triggered, since disinfection and recovery afterwards could be very difficult (for example, because of lost data).
Wscript/KakWorm: February 1st
W97M/Marker
W97M/Marker propagates under Microsoft Word (MSWord). When an infected document is opened, a file called "xix.drv" is created in C:, the virus code is copied and MSWord becomes infected. Every document that is created or modified in the infected MSWord thereafter becomes infected when the document is closed. Once infected, the "Macro virus Protection" option in "Tools/Options/General" is turned off.
When documents are closed in the infected MSWord on the 1st day of every month, it creates a list of the infected users with their infection dates and tries to upload the list to a specific web site.
This virus works under the Japanese version of MSWord97/98 and the English version of MSWord97.
WScript/KakWorm
KakWorm is embedded in the signature file of MS Outlook Express email messages in HTML format. This worm activates when an infected email message is opened or viewed in the preview pane of MS Outlook Express on a machine where Internet Explorer 5 or WSH(*1) is installed.
If the "Kak.hta" file is run after 6 p.m. on the 1st day of the month, the following message is displayed:
"Kagou-Anti-Kro$oft says not today!"
If you press OK, Windows will be shut down.
This worm exploits security holes of Internet Explorer 5. You can prevent infection by installing the security patch from Microsoft and by setting a proper security level. This virus works under the English and French versions of Windows95/98.
Computer Virus Incident Reporting Program
The Ministry of Economy, Trade and Industry announced the "Computer Virus Prevention Guidelines" to prevent the spread of computer viruses in Japan. IPA was designated to receive the "Computer Virus Damage Report" directly from infected users, to investigate virus problems and to provide monthly statistics. This reporting system started in April 1990. Anyone who has encountered a computer virus is supposed to send a virus report with the necessary information to IPA to prevent further spread and damage of viruses. IPA deals with each reporter (user) on an individual basis as a consultant, and also works as a public research institute for antivirus measures by analyzing the problems shown in the damage reports. Taking reporters' privacy into full consideration, IPA periodically publishes the results of its research and analysis on computer virus incidents.
Computer Virus Prevention Guidelines: