February 8, 2001
Information-technology Promotion Agency
Computer Virus Incident Reports
1. Computer Virus Incident Reports of January, 2001
This is a summary of Computer Virus Incident Reports of January 2001 compiled by IPA: Information-technology Promotion Agency (President: Shigeo Muraoka).
The total number of incident reports was 2,440, the second highest on record
[461 in January 2000; 11,109 in the year 2000 (monthly average of 926)]
[Cumulative number of reports from April 1990 to January 2001 is 25,391]
Circumstances:
Email viruses (viruses that spread via email attachment files) are still prevalent. Of the 2,440 reports this month, which is the second highest monthly total after the 2,778 reports in December 2000, actual infections accounted for 469 reports, or 19% of the total.
2. Release notes for January
(1) Virus is still prevalent: most popular one is email virus.
The monthly number of incidents has been over 2000 for three consecutive months, and 95% of total reports are email viruses. You should be very careful when opening attachments. The top 3 viruses are W32/MTX, W32/Hybris and W32/Navidad. Some viruses don't show any signs of infection, and you need to find them by using antivirus programs.
Reference: "Information on troublesome W32/MTX"
http://www.ipa.go.jp/security/topics/mtx.html (Japanese)
"Information on new virus W32/Hybris"
http://www.ipa.go.jp/security/topics/hybris.html (Japanese)
"Information on new virus W32/Navidad"
http://www.ipa.go.jp/security/topics/navidad.html (Japanese)
The percentage of virus reports without infection damage was 75% in November, 81% in December 2000 and 81% in January 2001. Installing antivirus programs is necessary to prevent virus infection.
(2) Update virus pattern file which is "wanted list" for the virus!!
Variants of W32/Hybris (displays a big spiral on the screen on its activation day) and a variant of W32/Navidad (displays a flower icon in the system tray) were found. An antivirus program consists of two parts: the software, which is like a police system, and the virus pattern files, which are like a wanted list. Therefore, you need to update the virus pattern file of your antivirus program frequently so that it can detect new viruses and variants of known viruses (we recommend every day for corporate users, and at least once a week for end users).
[Figures: Variant of W32/Hybris; Variant of W32/Navidad]
(3) Always scan for the virus before you post to mailing lists!!
Media reported some Hybris incidents in which members of mailing lists were infected by Hybris and the virus was then automatically sent to all members of those mailing lists. You need to take care to prevent the distribution of infected email. For example, you should always scan the email with an antivirus program before sending it, or you should not post a reply from registered users.
3. Warning for this month
"Website owners, be careful about careless double click!"
Due to a function of the very popular W32/Hybris (*1), email addresses on web pages are captured by the virus, and the virus sends itself to those addresses. The following users need to pay special attention when opening attachment files:
- Website owners
- People who write messages on BBS with their email address
- Editors and subscribers of email magazines
(*1) The function of W32/Hybris
W32/Hybris may get email addresses from websites as well as from emails in the inbox/outbox of the infected user's mailer in order to send itself. Because of this function, recipients of these Hybris or MTX viruses easily misunderstand that the viruses were sent on purpose. In most cases the infected users don't know that they are infected, and the virus continues to be sent out from the same infected users.
For questions, please contact:
Office of Computer Virus Countermeasures (OCVC)
Information-technology Promotion Agency
TEL: (03) 5978-7508
FAX: (03) 5978-7518
E-mail: isec-info@ipa.go.jp
Virus Emergency Call: (03) 5978-7509
URL: http://www.ipa.go.jp/security/

Prevalence Table - January 2001
There were 46 kinds of viruses reported during January. Most common viruses were W32/MTX (771 reports) and W32/Hybris (762 reports). 2 kinds of new viruses, W32/Prolin and W32/Msinit (marked with a "*" sign) were reported to IPA for the first time (Macro and Script viruses: 530 reports, Windows and DOS viruses: 1909 reports, Mac virus: 1 report).
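| Category | Virus | No. of reports |
|---|---|---|
| Macro Virus | X97M/Divi | 112 |
| Macro Virus | W97M/Myna | 73 |
| Macro Virus | XM/Laroux | 70 |
| Macro Virus | W97M/X97M/P97M/Tristate | 36 |
| Macro Virus | W97M/Marker | 28 |
| Macro Virus | W97M/Ethan | 11 |
| Macro Virus | W97M/Thus | 10 |
| Macro Virus | WM/Cap | 10 |
| Macro Virus | W97M/Class | 6 |
| Macro Virus | W97M/Melissa | 6 |
| Macro Virus | XM/VCX.A | 6 |
| Macro Virus | W97M/Claud | 5 |
| Macro Virus | W97M/Nsi | 5 |
| Macro Virus | W97M/Opey | 4 |
| Macro Virus | W97M/Titch | 4 |
| Macro Virus | X97M/Barisada | 4 |
| Macro Virus | W97M/Chack | 3 |
| Macro Virus | W97M/Pri | 3 |
| Macro Virus | XF/Sic | 3 |
| Macro Virus | W97M/Astia | 2 |
| Macro Virus | W97M/Proverb | 1 |
| Macro Virus | W97M/Story | 1 |
| Macro Virus | WM/Wazzu | 1 |
| Script Virus | VBS/LOVELETTER | 74 |
| Script Virus | Wscript/Kakworm | 41 |
| Script Virus | VBS/Stages | 7 |
| Script Virus | VBS/Netlog | 4 |
| Windows, DOS virus | W32/MTX | 771 |
| Windows, DOS virus | W32/Hybris | 762 |
| Windows, DOS virus | W32/Navidad | 217 |
| Windows, DOS virus | W32/Prolin (*) | 47 |
| Windows, DOS virus | W32/QAZ | 22 |
| Windows, DOS virus | W32/Ska | 22 |
| Windows, DOS virus | W32/Funlove | 19 |
| Windows, DOS virus | W32/PrettyPark | 12 |
| Windows, DOS virus | W32/CIH | 11 |
| Windows, DOS virus | W32/Msinit (*) | 10 |
| Windows, DOS virus | Form | 5 |
| Windows, DOS virus | W32/Kriz | 4 |
| Windows, DOS virus | Stoned | 2 |
| Windows, DOS virus | Stoned.Angelina.A | 1 |
| Windows, DOS virus | Cascade | 1 |
| Windows, DOS virus | AntiEXE.A | 1 |
| Windows, DOS virus | Peter | 1 |
| Windows, DOS virus | W32/Fix2001 | 1 |
| Macintosh Virus | AutoStart9805 | 1 |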
Note) The abbreviations used in the "Name of Virus" are as follows:
| Abbreviation | Meaning |
|---|---|
| WM | MSWord95 (WordMacro) |
| W97M | MSWord97 (Word97Macro) |
| XM, XF | MSExcel95, 97 (ExcelMacro, ExcelFormula) |
| X97M | MSExcel97 (Excel97Macro) |
| W97M/X97M/P97M | MSWord97, MSExcel97, MSPowerpoint97 |
| W32 | works under Windows32 |
| VBS | written in VisualBasicScript |
| Wscript | works under Windows Scripting Host (WSH) excluding VBS |
4. Outline of January report
(1) The following are brief descriptions of viruses that are reported to IPA for the first time in January:
W32/Prolin (Shockwave, Creative)
W32/Prolin propagates via an email attachment file. Once executed, the virus collects email addresses from all of MS Outlook's address books and sends copies of itself to them. The email looks like this:
Subject: A great Shockwave flash movie
Body: Check out this new flash movie that I downloaded just now... It's Great Bye
Attachment: creative.exe
W32/Prolin also scans drives for .jpg, .mp3, and .zip files, moves them to the C: drive and adds the sentence "change atleast now to LINUX" at the end of the extension.
For example: "XXX.zip" is changed to "XXX.zipchange atleast now to LINUX"
W32/Msinit.B (Bymer)
W32/Msinit spreads via open network shares together with the client program distributed by "Distributed.net". Once executed, the virus creates the files "dnetc.exe" and "dnet.ini" in the C:\Windows\System folder, and the infected machine is used as a client machine for distributed.net. The virus also generates random IP addresses and searches for C drives that are shared over a LAN or the internet. If one is found, it copies itself (wininit.exe), "dnetc.exe" and "dnet.ini" there and modifies "win.ini" so that the virus is executed upon reboot.
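As an added example (not part of the IPA report and not IPA code), the following Python code checks a mounted drive for the traces named in the W32/Prolin and W32/Msinit descriptions above: files renamed with the Prolin marker text, and the two Msinit files together with a win.ini autostart entry. The function names, the constructed sample tree and the choice of the `load=`/`run=` keys as the win.ini entries to inspect are assumptions made for this example.

```python
import os
import tempfile

PROLIN_SUFFIX = "change atleast now to LINUX"  # marker text quoted in the report
MSINIT_FILES = {"dnetc.exe", "dnet.ini"}       # files the report says are created


def find_prolin_renames(root):
    """Return (renamed_path, original_name) for files carrying the Prolin marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(PROLIN_SUFFIX):
                original = name[: -len(PROLIN_SUFFIX)]  # name before the marker
                hits.append((os.path.join(dirpath, name), original))
    return sorted(hits)


def find_msinit_traces(system_dir, win_ini_path):
    """Return findings matching the Msinit behaviour described in the report."""
    findings = []
    present = {n.lower() for n in os.listdir(system_dir)}
    if MSINIT_FILES <= present:
        findings.append("dnetc.exe and dnet.ini both present in system folder")
    with open(win_ini_path, encoding="latin-1") as fh:
        for line in fh:
            key, _, value = line.partition("=")
            # Assumption: load=/run= are the win.ini autostart keys checked here.
            if key.strip().lower() in ("load", "run") and "wininit.exe" in value.lower():
                findings.append("win.ini autostart: " + line.strip())
    return findings


def build_sample_tree(base):
    """Constructed sample data standing in for a mounted C: drive."""
    system = os.path.join(base, "Windows", "System")
    os.makedirs(system)
    for name in ("dnetc.exe", "dnet.ini", "photo.jpg" + PROLIN_SUFFIX, "notes.txt"):
        open(os.path.join(system if name.startswith("dnet") else base, name), "w").close()
    win_ini = os.path.join(base, "Windows", "win.ini")
    with open(win_ini, "w") as fh:
        fh.write("[windows]\nload=c:\\windows\\system\\wininit.exe\nrun=\n")
    return system, win_ini


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        system, win_ini = build_sample_tree(base)
        print(find_prolin_renames(base), find_msinit_traces(system, win_ini))
```

A file named wininit.exe or dnetc.exe is not proof of infection on its own, so the check reports only the combination the report describes and leaves confirmation to an up-to-date antivirus scan.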
(2) The following table shows the number of reports sorted by reporting body. Most reports came from "general corporate users" with about 74% of total reports.
| Reporting Body | Reports, 2001/1 | Reports, 2001 total | Reports, 2000 total |
|---|---|---|---|
| General corporate user | 1801 (73.8%) | 1801 (73.8%) | 9975 (89.8%) |
| Education/Research Institute | 95 (3.9%) | 95 (3.9%) | 214 (1.9%) |
| Individual user | 544 (22.3%) | 544 (22.3%) | 920 (8.3%) |
(3) The following table shows the number of reports sorted by region. The largest number of reports was from Kanto region, followed by Kinki and Chubu region.
| Region | Reports, 2001/1 | Reports, 2001 total | Reports, 2000 total |
|---|---|---|---|
| Hokkaido | 54 (2.2%) | 54 (2.2%) | 89 (0.8%) |
| Tohoku | 52 (2.1%) | 52 (2.1%) | 121 (1.1%) |
| Kanto | 1939 (79.5%) | 1939 (79.5%) | 9415 (84.8%) |
| Chubu | 116 (4.8%) | 116 (4.8%) | 612 (5.5%) |
| Kinki | 198 (8.1%) | 198 (8.1%) | 628 (5.7%) |
| Chugoku | 26 (1.1%) | 26 (1.1%) | 80 (0.7%) |
| Shikoku | 27 (1.1%) | 27 (1.1%) | 35 (0.3%) |
| Kyusyu | 28 (1.1%) | 28 (1.1%) | 129 (1.2%) |
(4) The following table shows the source of virus. Approximately 95% of total reports said email (including overseas emails) was the most common source.
| Source of Virus | Reports, 2001/1 | Reports, 2001 total | Reports, 2000 total |
|---|---|---|---|
| Via email | 1671 (68.5%) | 1671 (68.5%) | 6171 (55.5%) |
| Via email from overseas | 638 (26.1%) | 638 (26.1%) | 3843 (34.6%) |
| Download from network | 5 (0.2%) | 5 (0.2%) | 82 (0.7%) |
| External medium | 40 (1.6%) | 40 (1.6%) | 424 (3.8%) |
| External medium (overseas) | 1 (0%) | 1 (0%) | 4 (0%) |
| unknown | 85 (3.5%) | 85 (3.5%) | 585 (5.3%) |
(5) The following table shows the number of PCs infected by viruses. 0 machine indicates that the virus was found either on floppy disks or in a document and was detected before infection occurred.
| Number of PCs | Reports, 2001/1 | Reports, 2001 total | Reports, 2000 total |
|---|---|---|---|
| 0 | 1971 (80.8%) | 1971 (80.8%) | 8927 (80.4%) |
| 1 | 412 (16.9%) | 412 (16.9%) | 1610 (14.5%) |
| 2-4 | 35 (1.4%) | 35 (1.4%) | 393 (3.5%) |
| 5-9 | 10 (0.4%) | 10 (0.4%) | 109 (1.0%) |
| 10-19 | 7 (0.3%) | 7 (0.3%) | 32 (0.3%) |
| 20-49 | 2 (0.1%) | 2 (0.1%) | 20 (0.2%) |
| 50 or more | 3 (0.1%) | 3 (0.1%) | 18 (0.2%) |
5. Virus Payload Dates
To prevent the spread of viruses, please check the special notice on viruses that have payload dates between February 8 and March 31. For more information, please refer to the virus calendar at http://www.ipa.go.jp/security/virus/viruscalendar.html (Japanese)
You should detect and disinfect viruses with the latest antivirus software before their payload is triggered, since disinfection and recovery afterwards could be very difficult (such as losing data etc.).
W97M/Opey: February 14th
W97M/Opey propagates under Microsoft Word (MSWord). This virus works under the Japanese and English versions of MSWord97/98. However, infection of .doc files occurs only in the English version of Word, when a document is created or modified on the infected system. It activates on specific dates and writes messages about holidays in the Philippines to the "Autoexec.bat" file. The message displayed on February 14th is "HAPPY VALENTINES DAY!!!".
Computer Virus Incident Reporting Program
The Ministry of International Trade and Industry announced "Computer Virus Prevention Guidelines" to prevent the spread of computer viruses in Japan. IPA was designated to receive the "Computer Virus Damage Report" directly from infected users, to investigate virus problems and to provide monthly statistics. This reporting system started in April 1990. Anyone who has encountered a computer virus is supposed to send a virus report with the necessary information to IPA to prevent further spread and damage of viruses. IPA deals with each reporter (user) on an individual basis as a consultant, and also works as a public research institute for antivirus measures by analyzing the problems shown in the damage reports. Taking reporters' privacy into full consideration, IPA periodically publishes the results of its research and analysis on computer virus incidents.
Computer Virus Prevention Guidelines: