February 8, 2001
Information-technology Promotion Agency

 Computer Virus Incident Reports

1. Computer Virus Incident Reports of January, 2001

This is a summary of the Computer Virus Incident Reports for January 2001, compiled by IPA: Information-technology Promotion Agency (President: Shigeo Muraoka).

2. Release notes for January

(1) Viruses are still prevalent: the most common type is the email virus.

The monthly number of incidents has been over 2000 for three consecutive months, and 95% of total reports are email viruses. Be very careful when opening attachments. The top 3 viruses are W32/MTX, W32/Hybris and W32/Navidad. Some viruses show no signs of infection, so you need to find them by using antivirus programs.

Reference: "Information on troublesome W32/MTX"
http://www.ipa.go.jp/security/topics/mtx.html (Japanese)

"Information on new virus W32/Hybris"
http://www.ipa.go.jp/security/topics/hybris.html (Japanese)

"Information on new virus W32/Navidad"
http://www.ipa.go.jp/security/topics/navidad.html (Japanese)

The percentage of virus reports without infection damage was 75% in November, 81% in December 2000 and 81% in January 2001. Installing antivirus programs is necessary to prevent virus infection.

  

(2) Update the virus pattern file, which is the "wanted list" for viruses!!

Variants of W32/Hybris (displays a big spiral on the screen on activation day) and a variant of W32/Navidad (displays a flower icon in the system tray) were found. An antivirus program consists of two parts: the software, which can be likened to the police, and the virus pattern files, which can be likened to a wanted list. Therefore, you need to update the virus pattern file of your antivirus program often so that it can detect new viruses and variants of known viruses (we recommend every day for corporate users, and at least once a week for end users).

Variant of W32/Hybris

Variant of W32/Navidad

 

(3) Always scan for the virus before you post to mailing lists!!

The media reported some Hybris incidents in which members of mailing lists were infected by Hybris and the virus was then automatically sent to all members of those mailing lists. Take care to prevent the distribution of infected email. For example, you should always scan the email with an antivirus program before sending it, or you should not post a reply from registered users.


3. Warning for this month

"Website owners, be careful about careless double click!"
Because of a function of the very widespread W32/Hybris (*1), email addresses on web pages are captured by the virus, and the virus sends itself to those addresses. The following users need to pay special attention when opening attachment files:
- Website owners
- People who write messages on BBS with their email address
- Editors and subscribers of email magazines

(*1) The function of W32/Hybris
W32/Hybris may get email addresses from websites as well as from emails in the inbox/outbox of the infected user's mailer in order to send itself. Because of this function, recipients of these Hybris or MTX viruses can easily mistake them for viruses that were sent on purpose. In most cases the infected users don't know that they are infected, and the virus continues to be sent out from the same infected users.

For questions, please contact:
Office of Computer Virus Countermeasures (OCVC)
Information-technology Promotion Agency
TEL: (03) 5978-7508
FAX: (03) 5978-7518
E-mail: isec-info@ipa.go.jp
Virus Emergency Call: (03) 5978-7509
URL: http://www.ipa.go.jp/security/

Prevalence Table - January 2001

There were 46 kinds of viruses reported during January. Most common viruses were W32/MTX (771 reports) and W32/Hybris (762 reports). 2 kinds of new viruses, W32/Prolin and W32/Msinit (marked with a "*" sign) were reported to IPA for the first time (Macro and Script viruses: 530 reports, Windows and DOS viruses: 1909 reports, Mac virus: 1 report).

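| Macro Virus | No. of reports |
|---|---|
| X97M/Divi | 112 |
| W97M/Myna | 73 |
| XM/Laroux | 70 |
| W97M/X97M/P97M/Tristate | 36 |
| W97M/Marker | 28 |
| W97M/Ethan | 11 |
| W97M/Thus | 10 |
| WM/Cap | 10 |
| W97M/Class | 6 |
| W97M/Melissa | 6 |
| XM/VCX.A | 6 |
| W97M/Claud | 5 |
| W97M/Nsi | 5 |
| W97M/Opey | 4 |
| W97M/Titch | 4 |
| X97M/Barisada | 4 |
| W97M/Chack | 3 |
| W97M/Pri | 3 |
| XF/Sic | 3 |
| W97M/Astia | 2 |
| W97M/Proverb | 1 |
| W97M/Story | 1 |
| WM/Wazzu | 1 |

| Script Virus | No. of reports |
|---|---|
| VBS/LOVELETTER | 74 |
| Wscript/Kakworm | 41 |
| VBS/Stages | 7 |
| VBS/Netlog | 4 |

| Windows, DOS virus | No. of reports |
|---|---|
| W32/MTX | 771 |
| W32/Hybris | 762 |
| W32/Navidad | 217 |
| W32/Prolin (*) | 47 |
| W32/QAZ | 22 |
| W32/Ska | 22 |
| W32/Funlove | 19 |
| W32/PrettyPark | 12 |
| W32/CIH | 11 |
| W32/Msinit (*) | 10 |
| Form | 5 |
| W32/Kriz | 4 |
| Stoned | 2 |
| Stoned.Angelina.A | 1 |
| Cascade | 1 |
| AntiEXE.A | 1 |
| Peter | 1 |
| W32/Fix2001 | 1 |

| Macintosh Virus | No. of reports |
|---|---|
| AutoStart9805 | 1 |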

Note) The abbreviations used in the "Name of Virus" are as follows:

| Abbreviation | Meaning |
|---|---|
| WM | MSWord95 (WordMacro) |
| W97M | MSWord97 (Word97Macro) |
| XM, XF | MSExcel95, 97 (ExcelMacro, ExcelFormula) |
| X97M | MSExcel97 (Excel97Macro) |
| W97M/X97M/P97M | MSWord97, MSExcel97, MSPowerpoint97 (Word97Macro/Excel97Macro/PowerPoint97Macro) |
| W32 | works under Windows32 |
| VBS | written in VisualBasicScript |
| Wscript | works under Windows Scripting Host (WSH) excluding VBS |

4. Outline of January report

(1) The following are brief descriptions of the viruses that were reported to IPA for the first time in January:

W32/Prolin (Shockwave, Creative)

W32/Prolin propagates via an email attachment file. Once executed, the virus gets email addresses from all of MS Outlook's address books and sends copies of itself to them. The email looks like this:
Subject: A great Shockwave flash movie
Body: Check out this new flash movie that I downloaded just now... It's Great Bye
Attachment: creative.exe

W32/Prolin also scans drives for .jpg, .mp3, and .zip files, moves them to the C: drive and adds the sentence "change atleast now to LINUX" at the end of the extension.
For example: "XXX.zip" is changed to "XXX.zipchange atleast now to LINUX"

W32/Msinit.B (Bymer)

W32/Msinit spreads via client program distributed by open network shares called "Distributed.net". Once executed, the virus creates the files "dnetc.exe" and "dnet.ini" in the C:\Windows\System folder. The infected machine is then used as a client machine for open network shares called distributed.net. The virus also generates random IP addresses and searches for C drives that are shared over a LAN or the internet. If one is found, it copies itself (wininit.exe), "dnetc.exe" and "dnet.ini" there and modifies "win.ini" so that the virus is executed upon reboot.
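
A triage check for the file-system traces described in the W32/Prolin and W32/Msinit entries above, as an added example that is not part of the IPA report: it finds files carrying the Prolin suffix and recovers their original names, looks for the two Msinit files in C:\Windows\System, and lists win.ini startup entries. The report does not say which win.ini entry is changed, so inspecting `load=` and `run=` under `[windows]` is an assumption, and the sample paths and win.ini text are constructed.

```python
import configparser
import ntpath

PROLIN_SUFFIX = "change atleast now to LINUX"  # suffix quoted in the report
PROLIN_EXTS = (".jpg", ".mp3", ".zip")         # file types the report lists
MSINIT_DIR = r"c:\windows\system"              # folder named in the report
MSINIT_FILES = {"dnetc.exe", "dnet.ini"}       # files the report says are created

def prolin_renamed(paths):
    """Map each path carrying the Prolin suffix to its original file name."""
    hits = {}
    for p in paths:
        name = ntpath.basename(p)
        original = name[:-len(PROLIN_SUFFIX)]
        if name.endswith(PROLIN_SUFFIX) and original.lower().endswith(PROLIN_EXTS):
            hits[p] = original
    return hits

def msinit_files(paths):
    """Return the report-listed Msinit files present in the System folder."""
    found = set()
    for p in paths:
        folder, name = ntpath.split(p.lower())
        if folder == MSINIT_DIR and name in MSINIT_FILES:
            found.add(name)
    return found

def winini_autoruns(text):
    """Return non-empty load=/run= values from the [windows] section of win.ini."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True)
    cp.read_string(text)
    autoruns = {}
    for section in cp.sections():
        if section.lower() != "windows":
            continue
        for key in ("load", "run"):  # assumed keys: Windows 9x runs these at startup
            value = (cp.get(section, key, fallback=None) or "").strip()
            if value:
                autoruns[key] = value
    return autoruns

# Constructed sample data (not taken from a real infected machine).
SAMPLE_PATHS = [
    r"C:\holiday.jpgchange atleast now to LINUX",
    r"C:\backup.zipchange atleast now to LINUX",
    r"C:\WINDOWS\SYSTEM\DNETC.EXE",
    r"C:\WINDOWS\SYSTEM\dnet.ini",
    r"C:\My Documents\notes.txt",
]
SAMPLE_WININI = "[windows]\nload=C:\\SAMPLE\\wininit.exe\nrun=\n\n[Desktop]\nWallpaper=(None)\n"
```

A `dnetc.exe` hit only matters if nobody installed the distributed.net client on that machine deliberately.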

(2) The following table shows the number of reports sorted by reporting body. Most reports came from "general corporate users" with about 74% of total reports.

Number of reports

| Reporting Body | 2001/1 | 2001 total | 2000 total |
|---|---|---|---|
| General corporate user | 1801 (73.8%) | 1801 (73.8%) | 9975 (89.8%) |
| Education/Research Institute | 95 (3.9%) | 95 (3.9%) | 214 (1.9%) |
| Individual user | 544 (22.3%) | 544 (22.3%) | 920 (8.3%) |

(3) The following table shows the number of reports sorted by region. The largest number of reports was from the Kanto region, followed by the Kinki and Chubu regions.

Number of reports

| Region | 2001/1 | 2001 total | 2000 total |
|---|---|---|---|
| Hokkaido | 54 (2.2%) | 54 (2.2%) | 89 (0.8%) |
| Tohoku | 52 (2.1%) | 52 (2.1%) | 121 (1.1%) |
| Kanto | 1939 (79.5%) | 1939 (79.5%) | 9415 (84.8%) |
| Chubu | 116 (4.8%) | 116 (4.8%) | 612 (5.5%) |
| Kinki | 198 (8.1%) | 198 (8.1%) | 628 (5.7%) |
| Chugoku | 26 (1.1%) | 26 (1.1%) | 80 (0.7%) |
| Shikoku | 27 (1.1%) | 27 (1.1%) | 35 (0.3%) |
| Kyusyu | 28 (1.1%) | 28 (1.1%) | 129 (1.2%) |

(4) The following table shows the source of the virus. Email (including email from overseas) was the most common source, at approximately 95% of total reports.

Number of reports

| Source of Virus | 2001/1 | 2001 total | 2000 total |
|---|---|---|---|
| Via email | 1671 (68.5%) | 1671 (68.5%) | 6171 (55.5%) |
| Via email from overseas | 638 (26.1%) | 638 (26.1%) | 3843 (34.6%) |
| Download from network | 5 (0.2%) | 5 (0.2%) | 82 (0.7%) |
| External medium | 40 (1.6%) | 40 (1.6%) | 424 (3.8%) |
| External medium (overseas) | 1 (0%) | 1 (0%) | 4 (0%) |
| unknown | 85 (3.5%) | 85 (3.5%) | 585 (5.3%) |

(5) The following table shows the number of PCs infected by viruses. A count of 0 machines indicates that the virus was found either on floppy disks or in a document and was detected before infection occurred.

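Number of reports

| Number of PCs | 2001/1 | 2001 total | 2000 total |
|---|---|---|---|
| 0 | 1971 (80.8%) | 1971 (80.8%) | 8927 (80.4%) |
| 1 | 412 (16.9%) | 412 (16.9%) | 1610 (14.5%) |
| 2-4 | 35 (1.4%) | 35 (1.4%) | 393 (3.5%) |
| 5-9 | 10 (0.4%) | 10 (0.4%) | 109 (1.0%) |
| 10-19 | 7 (0.3%) | 7 (0.3%) | 32 (0.3%) |
| 20-49 | 2 (0.1%) | 2 (0.1%) | 20 (0.2%) |
| 50 or more | 3 (0.1%) | 3 (0.1%) | 18 (0.2%) |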

5. Virus Payload Dates

To prevent the spread of viruses, please check the special notice on viruses that have payload dates between February 8 and March 31. For more information, please refer to the virus calendar at http://www.ipa.go.jp/security/virus/viruscalendar.html (Japanese)

You should detect and disinfect a virus with the latest antivirus software before its payload is triggered, since disinfection and recovery afterwards could be very difficult (such as losing data etc.).

W97M/Opey: February 14th

W97M/Opey propagates under Microsoft Word (MSWord). This virus works under the Japanese and English versions of MSWord97/98. However, infection of .doc files occurs only in the English version of Word, when a document is created or modified on the infected system. It activates on specific dates and writes messages about holidays in the Philippines to the "Autoexec.bat" file. The message displayed on February 14th is "HAPPY VALENTINES DAY!!!".

Computer Virus Incident Reporting Program

The Ministry of International Trade and Industry announced the "Computer Virus Prevention Guidelines" to prevent the spread of computer viruses in Japan. IPA was designated to receive the "Computer Virus Damage Report" directly from infected users, to investigate virus problems and to provide monthly statistics. This reporting system started in April 1990. Anyone who has encountered a computer virus is supposed to send a virus report with the necessary information to IPA to prevent further spread and damage of viruses.

IPA deals with each reporter (user) on an individual basis as a consultant, and also works as a public research institute for antivirus measures by analyzing the problems shown in the damage reports. Taking reporters' privacy into full consideration, IPA periodically publishes the results of its research and analysis on computer virus incidents.

Computer Virus Prevention Guidelines:
- Enactment on April 10, 1990 (release No.139)
- Amendment on July 7, 1995 (release No. 429)
- Amendment on September 24, 1997 (release No. 535)
- Amendment on December 28, 2000 (release No. 952)