March 8, 2001
Information-technology Promotion Agency

 Computer Virus Incident Reports

1. Computer Virus Incident Reports of February, 2001

This is a summary of the Computer Virus Incident Reports for February 2001 compiled by IPA, the Information-technology Promotion Agency (President: Shigeo Muraoka).

2. Release notes for February

(1) Careless clicks on email attachments are the most significant source of virus damage.

It is unsafe to open an email attachment without checking it for viruses first. In 92% of this month's reports, email was the source of the virus. Users should pay close attention to email attachments. The attachment file names used by the three most reported worms are:

Virus          Attachment file name
W32/Hybris     8 randomly chosen letters + .EXE
W32/MTX        one of 31 different file names, chosen by the worm according to the current date
W32/Navidad    Navidad.exe

Reference: The list of 5 instructions when opening attachment files
http://www.ipa.go.jp/security/english/virus/press/200007/E_attach52.html
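The file-name patterns in the table above, together with the double-extension trick used by this month's new viruses (AnnaKournikova.jpg.vbs and abcd.doc.exe, described in section 3), can be checked mechanically at a mail gateway before anyone clicks. The following is an added example, not code from IPA or from this report: it uses Python's standard email library to parse a message and flag attachment names by those rules. The extension lists, the sample message built inside it, and the function names are the editor's assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions that execute when double-clicked on a Windows desktop of the
# period. Assumed policy list, not taken from the report.
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsh", "wsf", "chm", "hta"}
# Extensions a user reads as harmless data (assumed).
DATA_EXTS = {"doc", "xls", "ppt", "jpg", "jpeg", "gif", "txt", "zip", "pdf"}
# Attachment names this report mentions, compared case-insensitively.
KNOWN_WORM_NAMES = {"navidad.exe", "annakournikova.jpg.vbs",
                    "xjuliet.chm", "xromeo.exe"}
# W32/Hybris: eight letters chosen at random, then .EXE.
HYBRIS_NAME = re.compile(r"^[a-z]{8}\.exe$", re.IGNORECASE)


def classify_filename(name: str) -> list[str]:
    """Return the reasons an attachment name is suspicious (empty list = none)."""
    reasons = []
    lower = name.lower()
    exts = lower.split(".")[1:]
    if not exts:
        return reasons
    last = exts[-1]
    if lower in KNOWN_WORM_NAMES:
        reasons.append("attachment name listed in this report")
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
    # Double extension: a data extension immediately before an executable one,
    # so a mail client that hides known extensions shows e.g. "abcd.doc".
    if len(exts) >= 2 and exts[-2] in DATA_EXTS and last in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{last} hides an executable")
    if HYBRIS_NAME.match(name):
        reasons.append("eight letters + .EXE (W32/Hybris naming)")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 822 message and classify every attachment by filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): classify_filename(part.get_filename())
            for part in msg.iter_attachments() if part.get_filename()}


def build_sample() -> bytes:
    """Constructed message modelled on the VBS/SST mail the report describes.
    The attachment bytes are a placeholder, not the worm."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Here you have, ;o)"
    msg.set_content("Hi Check This!")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment("monthly figures", subtype="plain", filename="report.txt")
    return bytes(msg)


if __name__ == "__main__":
    for filename, reasons in scan_message(build_sample()).items():
        print(filename, "->", reasons or ["ok"])
```

The check looks at the name only: it catches the social-engineering patterns the report describes but says nothing about the attachment's content, so it complements, rather than replaces, scanning with an up-to-date antivirus program.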

(2) Careless clicks on websites may cause various troubles.
- You may be charged for international phone calls that you do not remember making --

We receive many inquiries from troubled users who executed programs they downloaded from dubious websites. Unexpected charges for international phone calls, as in the heading above, are one example of the problems that can follow from clicking on messages on suspicious websites and running what is offered. Users must be very careful when doing so.

You should avoid visiting websites that show only an ID number, and URLs received in direct mail or spam.

Reference: Destruction Caused by Careless Download
http://www.ipa.go.jp/security/english/virus/press/200007/E_malicious2.html
Measures against threat on web surfing and email for end users
http://www.ipa.go.jp/security/ciadr/cm01.html#user (Japanese)

 

Warning for this month
"A virus victim could be a virus sender!!"

Once you are infected by a virus, you may become a virus distributor the next minute. Some viruses automatically attach themselves to outgoing email. If you do not keep your antivirus program up to date, you could become a virus sender yourself.

You need proper security measures so that you become neither a victim nor an attacker.

Reference: 2000 Survey on corporate anti-virus status (IPA)
http://www.ipa.go.jp/security/virus/top-j.html (Japanese)


3. Prevalence Table - February 2001

 

(1) 46 kinds of viruses were reported during February. The most common were W32/Hybris (575 reports) and W32/MTX (405 reports). Two new viruses, VBS/SST and W32/BleBla (marked with a "*" sign), were reported to IPA for the first time. Macro and script viruses: 377 reports; Windows and DOS viruses: 1190 reports; Macintosh viruses: 0 reports.

Windows, DOS virus         No. of reports
W32/Hybris                 575
W32/MTX                    405
W32/Navidad                 88
W32/QAZ                     28
W32/Ska                     20
W32/Funlove                 16
W32/Msinit                  12
W32/CIH                     11
W32/PrettyPark              10
AntiCMOS                     4
Form                         4
W32/BleBla (*)               3
AntiEXE                      2
W32/Kriz                     2
Burglar                      1
Dir_II                       1
Jerusalem                    1
One_Half                     1
Stoned                       1
Vacsina                      1
W32/Fix2001                  1
W32/Plage                    1
W32/Prolin                   1
WYX                          1

Script virus               No. of reports
VBS/SST (*)                 89
VBS/LOVELETTER              28
Wscript/Kakworm             24
VBS/Stages                   4
VBS/Netlog                   2

Macro virus                No. of reports
XM/Laroux                   72
X97M/Divi                   48
W97M/Marker                 26
W97M/Myna                   18
W97M/X97M/P97M/Tristate     16
W97M/Ethan                   8
W97M/Thus                    8
W97M/Class                   6
W97M/Vmpck1                  6
W97M/Opey                    5
W97M/Story                   5
W97M/Melissa                 4
XM/VCX.A                     3
WM/Cap                       2
W97M/Groov                   1
W97M/Locale                  1
W97M/Nsi                     1

Macintosh virus            No. of reports
none                         -

Note)

The abbreviations used in the "Name of Virus" column are as follows:

WM              MS Word 95 (Word macro)
W97M            MS Word 97 (Word 97 macro)
XM, XF          MS Excel 95/97 (Excel macro, Excel formula)
X97M            MS Excel 97 (Excel 97 macro)
W97M/X97M/P97M  MS Word 97 / MS Excel 97 / MS PowerPoint 97 (Word 97 / Excel 97 / PowerPoint 97 macro)
W32             runs under 32-bit Windows (Win32)
VBS             written in Visual Basic Script
Wscript         runs under Windows Scripting Host (WSH), other than VBS

(2) The following are brief descriptions of the viruses reported to IPA for the first time in February:

VBS/SST

VBS/SST propagates as an email attachment. Once executed, the virus copies itself into the Windows directory (usually C:\windows\) as a file named "AnnaKournikova.jpg.vbs", then sends itself as an attachment to every address in the address book. The email looks like this:

Subject: Here you have, ;o)
Body: Hi Check This!
Attachment: AnnaKournikova.jpg.vbs

W32/BleBla

W32/BleBla exploits an Internet Explorer vulnerability. The virus propagates via HTML email carrying two attachments named "xjuliet.chm" and "xromeo.exe". When an infected message is previewed in Outlook Express or opened in Outlook, the virus copies "xjuliet.chm" and "xromeo.exe" into the Windows\Temp folder (usually C:\Windows\Temp) and runs "xjuliet.chm" through the HTML Help function, without the user opening any attachment. The .chm file then executes the main virus body, "xromeo.exe".

The virus then copies itself to the C:\windows folder as "sysrnj.exe". W32/BleBla also modifies the registry so that the virus is executed whenever a file with the .doc, .xls, .jpg or .zip extension is opened. When such a file is opened, the virus deletes the original file and writes a copy of itself under the original name with ".exe" appended.

For example:
abcd.doc -> deleted -> abcd.doc.exe

The resulting .exe file is a copy of the virus and is not usable as the original document. The virus sends the following email to all addresses in the address book:

Subject: Romeo&Juliet (or one of 18 different subject lines, chosen at random)
Body: none (empty)
Attachment: xjuliet.chm, xromeo.exe
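The registry change described above (rerouting the "open" action of document types to the virus) is something an administrator can audit from a registry export without running any of the files. The following is an added example, not code from IPA or from this report: it parses the text of a .reg export (the format written by "regedit /e") for HKEY_CLASSES_ROOT, follows extension -> ProgID -> shell\open\command, and reports any handler whose executable is not on an expected list. The sample export, the expected-handler list and the placement of sysrnj.exe in the sample are constructed for illustration; the report does not say which keys W32/BleBla rewrites.

```python
import re

# Programs expected to open each extension. Assumed allowlist for illustration;
# take the real values from a known-clean machine of the same build.
EXPECTED_HANDLERS = {
    "doc": {"winword.exe"},
    "xls": {"excel.exe"},
    "jpg": {"iexplore.exe"},
    "zip": {"winzip32.exe"},
}

KEY_LINE = re.compile(r"^\[(.+)\]\s*$")
DEFAULT_VALUE_LINE = re.compile(r'^@="(.*)"\s*$')

# Constructed .reg export: .doc has been pointed at sysrnj.exe (the file name
# the report gives for the virus copy), .xls still points at Excel.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.doc]
@="Word.Document.8"

[HKEY_CLASSES_ROOT\Word.Document.8\shell\open\command]
@="C:\\WINDOWS\\sysrnj.exe \"%1\""

[HKEY_CLASSES_ROOT\.xls]
@="Excel.Sheet.8"

[HKEY_CLASSES_ROOT\Excel.Sheet.8\shell\open\command]
@="\"C:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE\" /e"
'''


def parse_reg(text: str) -> dict[str, str]:
    """Map each key in a .reg export (lower-cased) to its default (@) string value.
    Other value lines are ignored; only defaults matter for file associations."""
    values = {}
    key = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = DEFAULT_VALUE_LINE.match(line)
        if m and key is not None:
            # Undo the .reg escapes: backslash-backslash and backslash-quote.
            values[key] = re.sub(r"\\(.)", r"\1", m.group(1))
    return values


def open_command(values: dict[str, str], ext: str):
    """Follow HKCR .<ext> -> ProgID -> shell open command; None if any step is missing."""
    progid = values.get(f"hkey_classes_root\\.{ext}")
    if not progid:
        return None
    return values.get(f"hkey_classes_root\\{progid.lower()}\\shell\\open\\command")


def executable_of(command: str) -> str:
    """Lower-cased basename of the program a shell command line launches."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:command.index('"', 1)]
    else:
        exe = command.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(reg_text: str, expected=EXPECTED_HANDLERS) -> dict[str, str]:
    """Return {extension: finding} for handlers that are missing or unexpected."""
    values = parse_reg(reg_text)
    findings = {}
    for ext, allowed in expected.items():
        cmd = open_command(values, ext)
        if cmd is None:
            findings[ext] = "no shell\\open\\command found"
        elif executable_of(cmd) not in allowed:
            findings[ext] = f"unexpected handler {executable_of(cmd)}: {cmd}"
    return findings


if __name__ == "__main__":
    for ext, finding in audit(SAMPLE_REG).items():
        print(f".{ext}: {finding}")
```

A handler that points into the Windows directory at an executable the machine's build did not install, as in the .doc entry of the sample, is the kind of change worth investigating before the .doc.exe copies start appearing; the "no command found" findings for .jpg and .zip only mean the sample export is incomplete.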

(3) The following table shows the number of reports by reporting body. Most reports came from general corporate users, about 69% of the total.

Reporting body                  2001/2           2001 total       2000 total
                                (reports, share) (reports, share) (reports, share)
General corporate user          1075   68.6%     2876   71.8%     9975   89.8%
Education/Research institute      95    6.1%      190    4.7%      214    1.9%
Individual user                  397   25.3%      941   23.5%      920    8.3%

(4) The following table shows the number of reports by region. The largest number of reports came from the Kanto region, followed by the Kinki and Chubu regions.

Region      2001/2           2001 total       2000 total
            (reports, share) (reports, share) (reports, share)
Hokkaido      38    2.4%       92    2.3%       89    0.8%
Tohoku        56    3.6%      108    2.7%      121    1.1%
Kanto       1039   66.3%     2978   74.3%     9415   84.8%
Chubu        161   10.3%      277    6.9%      612    5.5%
Kinki        187   11.9%      385    9.6%      628    5.7%
Chugoku       27    1.7%       53    1.3%       80    0.7%
Shikoku       28    1.8%       55    1.4%       35    0.3%
Kyusyu        31    2.0%       59    1.5%      129    1.2%

(5) The following table shows the source of the virus. Email, including email from overseas, was the source in approximately 92% of this month's reports (72.6% + 19.2%).

Source of virus               2001/2           2001 total       2000 total
                              (reports, share) (reports, share) (reports, share)
Via email                     1138   72.6%     2809   70.1%     6171   55.5%
Via email from overseas        301   19.2%      939   23.4%     3843   34.6%
Download from network            4    0.3%        9    0.2%       82    0.7%
External medium                 46    2.9%       86    2.1%      424    3.8%
External medium (overseas)       0    0.0%        1    0.0%        4    0.0%
Unknown                         78    5.0%      163    4.1%      585    5.3%

(6) The following table shows the number of PCs infected per report. "0" means the virus was found on a floppy disk or in a document and was detected before any infection occurred.

Number of PCs   2001/2           2001 total       2000 total
                (reports, share) (reports, share) (reports, share)
0               1218   77.7%     3189   79.6%     8927   80.4%
1                292   18.6%      704   17.6%     1610   14.5%
2-4               36    2.3%       71    1.8%      393    3.5%
5-9               12    0.8%       22    0.5%      109    1.0%
10-19              5    0.3%       12    0.3%       32    0.3%
20-49              3    0.2%        5    0.1%       20    0.2%
50 or more         1    0.1%        4    0.1%       18    0.2%

4. Virus Payload Dates

To prevent the spread of viruses, please check the special notice on viruses with payload dates between March 8 and April 30. For more information, refer to the virus calendar at

http://www.ipa.go.jp/SECURITY/virus/viruscalendar.html (Japanese)

You should detect and remove a virus with up-to-date antivirus software before its payload is triggered; disinfection and recovery afterwards can be very difficult (data may be lost, etc.).

W32/CIH: April 26th

W32/CIH is a Win32 virus that infects PE exe files(*) under Windows 95/98. When an infected file is run, the virus stays resident in memory and infects every program file that is subsequently run. When its payload triggers, W32/CIH overwrites the boot area of the hard disk with garbage data, leaving the computer unable to access the disk.

If the machine uses the Intel 430TX chipset or a compatible chipset, the virus also overwrites the boot block of the BIOS ROM with garbage data, destroying its contents and leaving the computer unusable.

Variants of W32/CIH activate on April 26th, June 26th, or the 26th of every month.

((*) PE exe files: PE stands for Portable Executable, the executable file format of 32-bit Windows programs; it loads faster and is more extensible than the older formats.)

Computer Virus Incident Reporting Program

The Ministry of International Trade and Industry issued the "Computer Virus Prevention Guidelines" to prevent the spread of computer viruses in Japan. IPA was designated to receive "Computer Virus Damage Reports" directly from affected users, to investigate virus problems and to provide monthly statistics. This reporting system started in April 1990. Anyone who encounters a computer virus is asked to send a virus report with the necessary information to IPA, to prevent further spread and damage.

IPA deals with each reporter (user) individually as a consultant, and also works as a public research institute for antivirus measures by analysing the problems described in the damage reports. Taking reporters' privacy fully into consideration, IPA periodically publishes the results of its research and analysis of computer virus incidents.

Computer Virus Prevention Guidelines:
- Enactment on April 10, 1990 (release No.139)
- Amendment on July 7, 1995 (release No. 429)
- Amendment on September 24, 1997 (release No. 535)
- Amendment on December 28, 2000 (release No. 952)

For questions, please contact:
Office of Computer Virus Countermeasures (OCVC)
Information-technology Promotion Agency
TEL: (03) 5978-7508
FAX: (03) 5978-7518
E-mail: isec-info@ipa.go.jp
Virus Emergency Call: (03) 5978-7509
URL: http://www.ipa.go.jp/security/