January 12, 2001
Information-technology Promotion Agency

 

Computer Virus Incident Reports


1. Computer Virus Incident Reports of December, 2000

This is a summary of the Computer Virus Incident Reports for December 2000 and for the year 2000, compiled by the Information-technology Promotion Agency (IPA; President: Shigeo Muraoka).

2. Release notes for December

(1) This month's report count (2,778) was the worst on record: email viruses are prevalent!!
The monthly number of incidents has broken the previous record for three consecutive months, and 82% of all reports involve email viruses. Infection via attachment files continues to increase.

- Be careful about attachment files!
You should always scan attachment files with the latest anti-virus program. It is also necessary to delete the attachments of strange-looking emails (*), such as emails without a sender's name or text body, before you accidentally open them.

* W32/MTX and W32/Hybris propagate by sending out an infected attachment file in an email with no text body.
Reference:
"Information on troublesome W32/MTX" http://www.ipa.go.jp/security/topics/mtx.html (Japanese)
"Information on new virus W32/Hybris" http://www.ipa.go.jp/security/topics/hybris.html (Japanese)

(2) The total number of reports for the year 2000 is over 10,000!!
Email viruses were widespread in the year 2000, and the total number of reports (11,109) is more than three times that of 1999 (3,645 reports). However, the damage caused by actual infection has decreased tremendously. It can be said that anti-virus programs are becoming more popular among users and that viruses are being detected before they are executed. We hope more and more users will use anti-virus programs regularly.

Reference: "the summary of computer virus incident reports for the year 2000"
http://www.ipa.go.jp/security/english/virus/press/200101/Reference.html

3. Warning for this month

"Once you become a virus distributor, it's too late."
Most PC beginners neglect anti-virus policy because they think they will never get a virus. However, anyone may well receive a virus from friends or acquaintances someday. Users should not consider themselves an exception. It is important to follow anti-virus policy and to use an anti-virus program daily as a bare necessity.

7 basic anti-virus measures for PC users
http://www.ipa.go.jp/security/english/virus/antivirus/E_7kajo.html

For questions, please contact:
Office of Computer Virus Countermeasures (OCVC)
Information-technology Promotion Agency
TEL: (03) 5978-7508
FAX: (03) 5978-7518
E-mail: isec-info@ipa.go.jp
Virus Emergency Call: (03) 5978-7509
URL: http://www.ipa.go.jp/security/

Prevalence Table - December 2000

There were 46 kinds of viruses reported during December (macro and script viruses: 638 reports; Windows and DOS viruses: 2141 reports). The most common viruses were W32/MTX (1008 reports) and W32/Navidad (765 reports). Two new viruses, W32/Hybris and W32/Plage (marked with a "*" sign), were reported to IPA for the first time. Some reports contain multiple infections, so the sum does not match 2778 (the total number of reports for December).

| Macro Virus | No. of report |
|---|---|
| X97M/Divi | 139 |
| XM/Laroux | 88 |
| W97M/Marker | 24 |
| W97M/X97M/P97M/Tristate | 21 |
| W97M/Myna | 18 |
| W97M/Thus | 15 |
| W97M/Ethan | 11 |
| WM/Cap | 11 |
| WM97M/Story | 8 |
| W97M/Class | 7 |
| W97M/Melissa | 7 |
| W97M/Bablas.A | 5 |
| X97M/Barisada | 5 |
| W97M/Titch | 5 |
| W97M/Chack | 4 |
| W97M/Eight | 4 |
| W97M/Proverb | 4 |
| W97M/Opey | 3 |
| W97M/Nsi | 2 |
| W97M/Pri | 2 |
| W97M/Vmpck1 | 2 |
| W97M/Assilem | 1 |
| W97M/Astia | 1 |
| W97M/Walker | 1 |

| Script Virus | No. of report |
|---|---|
| Wscript/Kakworm | 170 |
| VBS/LOVELETTER | 63 |
| VBS/Stages | 16 |
| VBS/Freelink | 1 |

| Windows, DOS virus | No. of report |
|---|---|
| W32/MTX | 1008 |
| W32/Navidad | 765 |
| W32/Hybris (*) | 181 |
| W32/QAZ | 52 |
| W32/Ska | 44 |
| W32/Funlove | 36 |
| W32/Plage (*) | 13 |
| W32/PrettyPark | 12 |
| W32/CIH | 11 |
| W32/Kriz | 7 |
| Form | 4 |
| W32/Fix2001 | 2 |
| Anti-CMOS | 1 |
| AntiEXE.A | 1 |
| SAMPO | 1 |
| W32/Marburg | 1 |
| WYX | 1 |
| YankeeDoodle | 1 |

Macintosh Virus: none

Note) The abbreviations used in the "Name of Virus" are as follows:

| Abbreviation | Meaning |
|---|---|
| WM | MSWord95 (WordMacro) |
| W97M | MSWord97 (Word97Macro) |
| XM, XF | MSExcel95, 97 (ExcelMacro, ExcelFormula) |
| X97M | MSExcel97 (Excel97Macro) |
| W97M/X97M/P97M | MSWord97, MSExcel97, MSPowerpoint97 (Word97Macro/Excel97Macro/PowerPoint97Macro) |
| W32 | works under Windows32 |
| VBS | written in VisualBasicScript |
| Wscript | works under Windows Scripting Host (WSH) excluding VBS |

The following table shows the names and developers/distributors of the antivirus products that were used for detection and disinfection in December (in order of reported date).

Antivirus Products used for detection and disinfection

| Product | Developer/Distributor |
|---|---|
| Norton AntiVirus | Symantec Japan, Inc. |
| InterScan | Trend Micro, Inc. |
| Virus Buster (PC-cillin) | Trend Micro, Inc. |
| VirusScan | Network Associates Japan Inc. |
| Net(Group) Shield | Network Associates Japan Inc. |
| Inoculan (Cheyenne) | Computer Associates |
| F-SECURE (F-PROT) | Yamada Corporation |
| Sophos AntiVirus | C.S.E |
| Server Protect | Trend Micro, Inc. |
| Antidote | Vertex Link |

4. Outline of December report

(1) The following are brief descriptions of the viruses that were reported to IPA for the first time in December:

W32/Hybris

W32/Hybris propagates as an email attachment file. Once executed, the virus modifies the file "Wsock32.dll" in the C:\windows\System folder. The virus collects email addresses either from the infected user's inbox or from websites the user has visited, and then sends itself to those addresses.

The subject, text body and attachment file name vary depending on the OS and language environment of the infected machine. If the virus is sent from a Japanese environment, the subject and text body are empty, and the attachment file name is "xxxxxxxx" + ".exe", where "xxxxxxxx" is 8 letters of the alphabet chosen at random by the virus.

W32/Plage

W32/Plage propagates as an email attachment file. Once executed, the virus copies itself as "INETD.EXE" into the Windows directory and modifies "win.ini" so that the virus is executed at the next reboot. W32/Plage sends the following reply to unread messages in the infected user's inbox. The icon of the attachment file is the one used for compressed ZIP files.

Subject: Re: (subject of the original email)
Text body: P2000 Mail auto-reply
' I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion!'

> Get your FREE P2000 Mail now! <

Attachment file: Pics.exe, images.exe etc.

If the infected machine is booted between 00:00 and 02:00 GMT on Wednesdays (9:00 a.m. and 11:00 a.m. in Japan), the virus displays a message and images.
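The email traits described above for W32/Hybris and W32/Plage can be written as a mail-filter heuristic. The following is an added example, not part of the IPA report or of any IPA tool; the function names, labels and sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Traits taken from the report: Hybris (Japanese environment) sends an empty
# subject and body with an 8-letter random name + ".exe"; Plage replies with
# "Re: ..." and a fixed auto-reply text plus an .exe attachment.
HYBRIS_NAME = re.compile(r"[A-Za-z]{8}\.exe", re.IGNORECASE)
PLAGE_MARKER = "P2000 Mail auto-reply"


def classify(raw: str) -> str:
    """Label one raw RFC 822 message using only the traits listed above."""
    msg = message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip() if part is not None else ""
    names = [a.get_filename() or "" for a in msg.iter_attachments()]
    exes = [n for n in names if n.lower().endswith(".exe")]
    if not subject and not body and any(HYBRIS_NAME.fullmatch(n) for n in exes):
        return "suspect-hybris"
    if subject.lower().startswith("re:") and PLAGE_MARKER in body and exes:
        return "suspect-plage"
    return "executable-attachment" if exes else "no-match"


def build_sample(subject: str, body: str, filename: str = "") -> str:
    """Build a constructed test message; addresses and bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    if subject:
        m["Subject"] = subject
    m.set_content(body or "\n")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    samples = [  # constructed messages, not captured traffic
        build_sample("", "", "qwertyui.exe"),
        build_sample("Re: meeting notes", PLAGE_MARKER + "\nreply soon", "Pics.exe"),
        build_sample("Quarterly figures", "See attached.", "report.exe"),
        build_sample("Hello", "Plain text only."),
    ]
    for raw in samples:
        print(classify(raw))
```

The Hybris rule covers only the Japanese-environment form the report describes; messages sent from other environments carry varying subjects and fall through to the generic "executable-attachment" label.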

(2) The following table shows the number of reports sorted by reporting body. Most reports came from "general corporate users", with about 84% of total reports.

| Reporting Body | No. of reports, 2000/12 | % | No. of reports, 2000 | % | No. of reports, '99 total | % |
|---|---|---|---|---|---|---|
| General corporate user | 2325 | 83.7% | 9876 | 88.9% | 2859 | 78.4% |
| Information Technology Industry | 5 | 0.2% | 99 | 0.9% | 203 | 5.6% |
| Education/Research Institute | 97 | 3.5% | 214 | 1.9% | 227 | 6.2% |
| Individual user | 351 | 12.6% | 920 | 8.3% | 356 | 9.8% |

(3) The following table shows the number of reports sorted by region. The largest number of reports came from the Kanto region, followed by the Kinki and Chubu regions.

| Region | No. of reports, 2000/12 | % | No. of reports, 2000 | % | No. of reports, '99 total | % |
|---|---|---|---|---|---|---|
| Hokkaido | 31 | 1.1% | 89 | 0.8% | 34 | 0.9% |
| Tohoku | 41 | 1.5% | 121 | 1.1% | 89 | 2.4% |
| Kanto | 2374 | 85.5% | 9415 | 84.8% | 2476 | 67.9% |
| Chubu | 117 | 4.2% | 612 | 5.5% | 293 | 8.0% |
| Kinki | 139 | 5.0% | 928 | 5.7% | 547 | 15.0% |
| Chugoku | 25 | 0.9% | 80 | 0.7% | 107 | 2.9% |
| Shikoku | 11 | 0.4% | 35 | 0.3% | 25 | 0.7% |
| Kyusyu | 40 | 1.4% | 129 | 1.2% | 74 | 2.0% |

(4) The following table shows the source of the virus. Email (including email from overseas) was the most common source, named in approximately 94% of total reports.

| Source of Virus | No. of reports, 2000/12 | % | No. of reports, 2000 | % | No. of reports, '99 total | % |
|---|---|---|---|---|---|---|
| Via email | 1663 | 59.9% | 6171 | 55.5% | 2175 | 59.7% |
| Via email from overseas | 931 | 33.5% | 3843 | 34.6% | 268 | 7.4% |
| Download from network | 9 | 0.3% | 82 | 0.7% | 195 | 5.3% |
| External medium | 82 | 3.0% | 424 | 3.8% | 589 | 16.2% |
| External medium (overseas) | 1 | 0% | 4 | 0% | 22 | 0.6% |
| unknown | 92 | 3.3% | 585 | 5.3% | 396 | 10.9% |

(5) The following table shows the number of PCs infected by viruses. A count of 0 machines indicates that the virus was found either on floppy disks or in a document and was detected before infection occurred.

| Number of PCs | No. of reports, 2000/12 | % | No. of reports, 2000 | % | No. of reports, '99 total | % |
|---|---|---|---|---|---|---|
| 0 | 2250 | 81.0% | 8927 | 80.4% | 1692 | 46.4% |
| 1 | 407 | 14.7% | 1610 | 14.5% | 1316 | 36.1% |
| 2-4 | 78 | 2.8% | 393 | 3.5% | 401 | 11.0% |
| 5-9 | 27 | 1.0% | 109 | 1.0% | 122 | 3.3% |
| 10-19 | 6 | 0.2% | 32 | 0.3% | 64 | 1.8% |
| 20-49 | 7 | 0.3% | 20 | 0.2% | 33 | 0.9% |
| 50 or more | 3 | 0.1% | 18 | 0.2% | 17 | 0.5% |

5. Virus Payload Dates

To prevent the spread of viruses, please check the special notice on viruses that have payload dates between January 12 and February 28. For more information, please refer to the virus calendar at

http://www.ipa.go.jp/SECURITY/virus/viruscalendar.html (Japanese)

You should detect and disinfect viruses with the latest antivirus software before the payload is triggered, since disinfection and recovery afterwards can be very difficult (for example, data may be lost).

W97M/Marker

W97M/Marker propagates under Microsoft Word (MSWord). When an infected document is opened, a file called "xix.drv" is created in C:, the virus code is copied and MSWord becomes infected. Every document that is created or modified in the infected MSWord thereafter becomes infected when the document is closed. Once MSWord is infected, the "Macro virus Protection" option in "Tools/Options/General" is turned off.
When a document is closed in the infected MSWord on the 1st day of any month, the virus creates a list of the infected users with their infection dates and tries to upload the list to a specific web site.
This virus works under the Japanese version of MSWord97/98 and the English version of MSWord97.

WScript/KakWorm

KakWorm is embedded in the signature file of MS Outlook Express email messages in HTML format. The worm activates when an infected email message is opened, or viewed in the preview pane, in MS Outlook Express on a machine where Internet Explorer 5 or WSH (*1) is installed.
If the "Kak.hta" file is run after 6 p.m. on the 1st day of the month, the following message is displayed:
"Kagou-Anti-Kro$oft says not today!"
If you press OK, Windows shuts down.
This worm exploits security holes in Internet Explorer 5. You can prevent infection by installing the security patch from Microsoft and by setting a proper security level. This virus works under the English and French versions of Windows95/98.

Computer Virus Incident Reporting Program

The Ministry of Economy, Trade and Industry announced the "Computer Virus Prevention Guidelines" to prevent the spread of computer viruses in Japan. IPA was designated to receive the "Computer Virus Damage Report" directly from infected users, to investigate virus problems and to provide monthly statistics. This reporting system started in April 1990. Anyone who has encountered a computer virus is supposed to send a virus report with the necessary information to IPA to prevent the further spread of viruses and further damage.

IPA deals with each reporter (user) on an individual basis as a consultant, and also works as a public research institute for antivirus measures by analyzing the problems shown in the damage reports. Taking reporters' privacy into full consideration, IPA periodically publishes the results of its research and analysis on computer virus incidents.

Computer Virus Prevention Guidelines:
- Enactment on April 10, 1990 (release No.139)
- Amendment on July 7, 1995 (release No. 429)
- Amendment on September 24, 1997 (release No. 535)
- Amendment on December 28, 2000 (release No. 952)