April 6, 2001
Information-technology Promotion Agency

 Computer Virus Incident Reports

1. Computer Virus Incident Reports of March, 2001

This is a summary of Computer Virus Incident Reports of March 2001 compiled by IPA: Information-technology Promotion Agency (President: Shigeo Muraoka).

2. Release notes for March

(1) Antivirus measures suitable for PC beginners

We received inquiries from an increasing number of PC beginners who were infected by a virus as soon as they started exchanging email.
Among the 1476 reports, 20.6% involved actual infection. However, the figure rises to 30.6% when limited to individual users, who tend to be more likely to suffer actual infection.

The effective antivirus method for PC beginners is "Do not touch the attached files".

[Figure: Sources of Infection, March 2001]

91.5% of total reports in March indicate that email was the source of infection. Of these, about 98% involved email attachments.

Be careful and check attachment files with an antivirus program before opening them, even when they are sent by someone you know.

(2) You might become a virus source

In many cases you will not notice that you have been infected by a virus, because there is little noticeable indication of infection. However, if you remain infected, you will become a source of virus distribution by sending infected emails to your friends and to third parties you do not know. They might mistakenly think you are sending out viruses intentionally. You should therefore take personal responsibility for antivirus practice.


Warning for this month

"It would be best to keep a respectful distance from attachment files."

Once you are infected, you may need to go through many steps, such as reinstallation, to clean and restore your system. It is much easier to act before you touch the attachment file: you just have to delete it. To avoid infection caused by a careless mistake when handling the attachment, delete the whole email message and do not "touch" the attachment file directly.

This does not apply to image or graphics data that you know for certain is safe and clean to open. However, some viruses actually pretend to be image data. It is always safer to check files with an antivirus program before opening them.
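The point about viruses posing as image data, as an added example that is not part of the original IPA report: a Python check that lists the attachments of a message and flags any whose name ends in an executable or script extension while its declared type or an earlier extension claims to be an image. The extension lists, the double-extension heuristic and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Extensions Windows runs or hands to a script host (assumed list, not from the report).
RISKY_EXT = {"exe", "scr", "com", "pif", "bat", "vbs", "js", "shs"}
IMAGE_EXT = {"jpg", "jpeg", "gif", "bmp", "png"}

# Constructed sample message, not a real capture.
SAMPLE = """\
From: friend@example.com
To: you@example.com
Subject: holiday photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here are the pictures.
--b1
Content-Type: image/jpeg; name="beach.jpg.vbs"
Content-Disposition: attachment; filename="beach.jpg.vbs"

(constructed placeholder body)
--b1
Content-Type: image/gif; name="logo.gif"
Content-Disposition: attachment; filename="logo.gif"

(constructed placeholder body)
--b1--
"""

def triage_attachments(raw):
    """Return (filename, verdict) for each attachment in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]      # every extension, in order
        last = exts[-1] if exts else ""         # the one Windows acts on
        declared_image = part.get_content_maintype() == "image"
        if last in RISKY_EXT and (declared_image or IMAGE_EXT & set(exts[:-1])):
            verdict = "disguised-as-image"      # delete the whole message
        elif last in RISKY_EXT:
            verdict = "executable"
        else:
            verdict = "scan-before-opening"     # still check with antivirus
        results.append((name, verdict))
    return results
```

Calling `triage_attachments(SAMPLE)` flags `beach.jpg.vbs` as disguised and leaves `logo.gif` for an antivirus scan; the check only inspects names and declared types, so it does not replace scanning the file itself.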

The following describes basic antivirus information and methods:

< Easy-to-understand antivirus information for PC beginners >

- 7 basic anti-virus measures for PC users (Updated)
http://www.ipa.go.jp/security/english/virus/antivirus/E_7kajonew.html

- The list of 5 instructions when opening attachment files
http://www.ipa.go.jp/security/english/virus/press/200007/E_attach52.html

- Destruction caused by careless download
http://www.ipa.go.jp/security/english/virus/press/200007/E_malicious2.html

<Antivirus Check List>

- Antivirus Check Sheet
http://www.ipa.go.jp/security/virus/beginner/check/check.html (Japanese)

<Basic knowledge about antivirus>

- Antivirus FAQ
http://www.ipa.go.jp/security/virus/qa.html (Japanese)

- Antivirus School
http://www.ipa.go.jp/security/y2k/virus/cdrom/index.html (Japanese)

For questions, please contact:
Office of Computer Virus Countermeasures (OCVC)
Information-technology Promotion Agency
TEL: (03) 5978-7508
FAX: (03) 5978-7518
E-mail: virus@ipa.go.jp
Virus Emergency Call: (03) 5978-7509
URL: http://www.ipa.go.jp/security/

3. Prevalence Table - March 2001

(1) There were 50 kinds of viruses reported during March. The most common viruses were W32/Hybris (557 reports) and W32/MTX (359 reports). Two new viruses, W32/Cabanas and X97M/Remeel (marked with a "*" sign), were reported to IPA for the first time (Macro and Script viruses: 399 reports; Windows and DOS viruses: 1077 reports; Mac viruses: 0 reports).

| Windows, DOS virus | No. of reports |
|---|---|
| W32/Hybris | 557 |
| W32/MTX | 359 |
| W32/Navidad | 35 |
| W32/Funlove | 27 |
| W32/QAZ | 22 |
| W32/BleBla | 16 |
| W32/Ska | 16 |
| W32/CIH | 11 |
| W32/Msinit | 7 |
| W32/PrettyPark | 5 |
| Form | 5 |
| WYX | 3 |
| W32/Kriz | 3 |
| W32/Plage | 2 |
| AntiCMOS | 2 |
| NYB | 1 |
| AntiEXE.A | 1 |
| J&M.A | 1 |
| Peter | 1 |
| W32/Cabanas (*) | 1 |
| W32/Fix2001 | 1 |
| W32/Prolin | 1 |

| Script virus | No. of reports |
|---|---|
| VBS/SST (*) | 93 |
| Wscript/Kakworm | 23 |
| VBS/LOVELETTER | 16 |
| VBS/Stages | 7 |

| Macro virus | No. of reports |
|---|---|
| XM/Laroux | 93 |
| X97M/Divi | 66 |
| W97M/Marker | 21 |
| W97M/X97M/P97M/Tristate | 16 |
| W97M/Class | 10 |
| XM/VCX.A | 6 |
| X97M/Barisada | 6 |
| W97M/Myna | 6 |
| WM/Cap | 5 |
| W97M/Thus | 5 |
| W97M/Bablas | 4 |
| W97M/Opey | 4 |
| W97M/Story | 4 |
| XF/Sic | 2 |
| W97M/Ethan | 2 |
| W97M/Panther | 2 |
| X97M/Remeel (*) | 1 |
| W97M/Chack | 1 |
| W97M/Groov | 1 |
| W97M/Melissa | 1 |
| WM/Npad | 1 |
| W97M/Pri | 1 |
| W97M/Proverb | 1 |
| W97M/Vmpck1 | 1 |

Macintosh virus: none

Note) The abbreviations used in the "Name of Virus" are as follows:

| Abbreviation | Meaning |
|---|---|
| WM | MSWord95 (WordMacro) |
| W97M | MSWord97 (Word97Macro) |
| XM, XF | MSExcel95, 97 (ExcelMacro, ExcelFormula) |
| X97M | MSExcel97 (Excel97Macro) |
| W97M/X97M/P97M | MSWord97, MSExcel97, MSPowerpoint97 (Word97Macro/Excel97Macro/PowerPoint97Macro) |
| W32 | works under Windows32 |
| VBS | written in VisualBasicScript |
| Wscript | works under Windows Scripting Host (WSH) excluding VBS |

(2) The following are brief descriptions of the viruses that were reported to IPA for the first time in March.

X97M/Remeel

X97M/Remeel propagates under Microsoft Excel (MSExcel). When an infected document is opened, the virus creates an infected file called "personal.xls" in the XLStart directory. Once the system is infected, every document that is created or modified in the infected MSExcel thereafter becomes infected when the document is closed. There is no payload. This virus works under MSExcel97/2000.

W32/Cabanas

This virus propagates under Win32 systems. When an infected file is executed, the virus infects executable files with the .exe extension or in SCR PE format in Windows directories, system directories and current directories. The size of an infected file will be a multiple of 101. There is no payload. This virus works under Windows 95/98/ME/NT/2000.

(3) The following table shows the number of reports sorted by reporting body. Most reports came from "general corporate users", with about 71% of total reports.

| Reporting body | Reports 2001/3 | % | Reports 2001 total | % | Reports 2000 total | % |
|---|---|---|---|---|---|---|
| General corporate user | 1041 | 70.5% | 3917 | 71.4% | 9975 | 89.8% |
| Education/Research Institute | 75 | 5.1% | 265 | 4.8% | 214 | 1.9% |
| Individual user | 360 | 24.4% | 1301 | 23.7% | 920 | 8.3% |

(4) The following table shows the number of reports sorted by region. The largest number of reports came from the Kanto region, followed by the Kinki and Chubu regions.

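| Region | Reports 2001/3 | % | Reports 2001 total | % | Reports 2000 total | % |
|---|---|---|---|---|---|---|
| Hokkaido | 22 | 1.5% | 114 | 2.1% | 89 | 0.8% |
| Tohoku | 65 | 4.4% | 173 | 3.2% | 121 | 1.1% |
| Kanto | 1079 | 73.1% | 4057 | 74.0% | 9415 | 84.8% |
| Chubu | 102 | 6.9% | 379 | 6.9% | 612 | 5.5% |
| Kinki | 144 | 9.8% | 529 | 9.6% | 628 | 5.7% |
| Chugoku | 15 | 1.0% | 68 | 1.2% | 80 | 0.7% |
| Shikoku | 17 | 1.2% | 72 | 1.3% | 35 | 0.3% |
| Kyusyu | 32 | 2.2% | 91 | 1.7% | 129 | 1.2% |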

(5) The following table shows the source of virus. Approximately 92% of total reports show that email (including email from overseas) was the most common source.

| Source of virus | Reports 2001/3 | % | Reports 2001 total | % | Reports 2000 total | % |
|---|---|---|---|---|---|---|
| Via email | 1223 | 82.9% | 4032 | 73.5% | 6171 | 55.5% |
| Via email from overseas | 128 | 8.7% | 1067 | 19.5% | 3843 | 34.6% |
| Download from network | 7 | 0.5% | 16 | 0.3% | 82 | 0.7% |
| External medium | 40 | 2.7% | 126 | 2.3% | 424 | 3.8% |
| External medium (overseas) | 0 | 0% | 1 | 0% | 4 | 0% |
| unknown | 78 | 5.3% | 241 | 4.4% | 585 | 5.3% |

(6) The following table shows the number of PCs infected by viruses. A count of 0 machines indicates that the virus was found either on floppy disks or in a document and was detected before infection occurred.

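| Number of PCs | Reports 2001/3 | % | Reports 2001 total | % | Reports 2000 total | % |
|---|---|---|---|---|---|---|
| 0 | 1172 | 79.4% | 4361 | 79.5% | 8927 | 80.4% |
| 1 | 253 | 17.1% | 957 | 17.5% | 1610 | 14.5% |
| 2-4 | 40 | 2.7% | 111 | 2.0% | 393 | 3.5% |
| 5-9 | 5 | 0.3% | 27 | 0.5% | 109 | 1.0% |
| 10-19 | 2 | 0.1% | 14 | 0.3% | 32 | 0.3% |
| 20-49 | 4 | 0.3% | 9 | 0.2% | 20 | 0.2% |
| 50 or more | 0 | 0% | 4 | 0.1% | 18 | 0.2% |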

4. Virus Payload Dates

To prevent the spread of viruses, please check the special notice on viruses that have payload dates between April 6 and May 30. For more information, please refer to the virus calendar at

http://www.ipa.go.jp/security/virus/viruscalendar.html (Japanese)

You should detect and disinfect viruses with the latest antivirus software before the payload is triggered, since disinfection and recovery afterwards could be very difficult (for example, data may be lost).

W32/CIH: April 26th

W32/CIH is a Win32 virus that infects PE exe files (*) of Windows95/98. When an infected file is run, the virus stays resident in memory and infects every program file that is run. After the system is infected, W32/CIH overwrites the start-up section of the hard disk with garbage data and makes the computer unable to access the hard disk.
If the machine uses the Intel 430TX chipset or a compatible chipset, the virus overwrites the boot section of the BIOS ROM with garbage data and destroys its content, making the computer unusable.
The variants of W32/CIH activate on April 26th, June 26th or the 26th of every month.
(*) PE exe files: PE stands for Portable Executable. It is a new form of exe programs that offers less processing time and more extensibility.

Computer Virus Incident Reporting Program

The Ministry of International Trade and Industry announced the "Computer Virus Prevention Guidelines" to prevent the spread of computer viruses in Japan. IPA was designated to receive the "Computer Virus Damage Report" directly from infected users, to investigate virus problems and to provide monthly statistics. This reporting system started in April 1990. Anyone who has encountered a computer virus is supposed to send a virus report with the necessary information to IPA to prevent further spread and damage.

IPA deals with each reporter (user) on an individual basis as a consultant, and also works as a public research institute for antivirus measures by analyzing the problems shown in the damage reports. Taking reporters' privacy into full consideration, IPA periodically publishes the results of its research and analysis on computer virus incidents.

Computer Virus Prevention Guidelines:

- Enactment on April 10, 1990 (release No.139)
- Amendment on July 7, 1995 (release No.429)
- Amendment on September 24, 1997 (release No.535)
- Amendment on December 28, 2000 (release No.952)

For questions, please contact:
Office of Computer Virus Countermeasures (OCVC)
Information-technology Promotion Agency
TEL: (03) 5978-7508
FAX: (03) 5978-7518
E-mail: isec-info@ipa.go.jp

Virus Emergency Call: (03) 5978-7509
URL: http://www.ipa.go.jp/security/