May 11, 2001

ISEC
Information-technology Promotion Agency

@

Computer Virus Incident Reports

1. Computer Virus Incident Reports of April, 2001

This is a summary of the Computer Virus Incident Reports for April 2001 compiled by IPA, the Information-technology Promotion Agency (President: Shigeo Muraoka). 1236 reports were submitted to IPA in April. The number seems to be decreasing, but it is still 2.6 times more than the number for April 2000. Users need to stay continuously alert.

2. Release notes for April

(1) Antivirus programs need to be updated! You should update the virus pattern file once a week.

An antivirus program consists of a virus scanning program (similar to a police force) and a virus pattern file (similar to a wanted list). The scanner can only recognize viruses that are listed in the pattern file, so you should update the virus pattern file frequently.

As Figure 1 shows, users who last updated their pattern file a year ago will not be able to detect 3/4 of the viruses reported in April. Even if you updated it half a year ago, you might miss half of them. It is important to update the virus pattern file at least once a week.

Figure 1: First appearance of the viruses reported in April 2001

Reference: List of pattern file updates for major antivirus vendors

http://www.ipa.go.jp/security/antivirus/viruspara.html (Japanese)

How to check the version number of pattern files

http://www.ipa.go.jp/security/antivirus/vack.html (Japanese)

(2) Be careful about the new virus "W32/Magistr". You should detect and clean the virus before it activates.

There were 59 reports of the new virus "W32/Magistr" in April. This is quite a large number for a new virus, indicating that it is prevalent. W32/Magistr spreads via email attachments: it obtains email addresses from the Outlook Express address book and sends infected attachments to them.

Once a machine is infected, the virus carries a destructive payload, such as erasing data on hard disks and deleting the BIOS (repair at a store is necessary), which triggers in a month. You should detect and clean the virus with an antivirus program before it activates.

Reference: http://www.ipa.go.jp/security/topics/newvirus/magistr.html (Japanese)

BIOS

BIOS stands for Basic Input/Output System. The BIOS controls data exchange between the OS, applications and peripheral devices (keyboard, floppy disk drive, hard disks, etc.). It is usually stored in ROM (Read Only Memory). If the BIOS is destroyed, the PC becomes unbootable.

Warning for this month

Be careful about attachments that pretend to be harmless data files.

There are many viruses whose attachments pretend to be harmless data files such as text or images. If you execute these files without checking their icon or name, you will suffer damage. The best approach is to scan them with an antivirus program and make sure they are not infected.

For your reference, the following are virus attachments that pretend to be harmless data files.

| Harmless data file | Virus attachment | Name of virus |
|---|---|---|
| Text file: LOVE LETTER FOR YOU.TXT | LOVE LETTER FOR YOU.TXT.VBS | VBS/LOVELETTER |
| Sound file: METALICA_SONG.MP3 | METALICA SONG.MP3.pif | W32/MTX |
| Image file: AnnaKournikova.jpg | AnnaKournikova.jpg.vbs | VBS/SST |
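
The warning above can be turned into a check at the mail gateway. The following Python example is added here and is not part of the original IPA report; the extension lists and the function names classify_attachment, scan_message and build_sample are assumptions chosen for illustration, and the sample message is constructed with placeholder payloads.

```python
import ntpath
from email.message import EmailMessage

# Assumed extension lists for illustration; adapt them to local policy.
DATA_EXTS = {"txt", "jpg", "jpeg", "gif", "bmp", "mp3", "wav"}
EXEC_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "pif", "exe", "com",
             "scr", "bat", "cmd", "lnk", "shs"}


def classify_attachment(filename):
    """Return 'disguised', 'executable' or 'ok' for an attachment name."""
    # Drop any path prefix (handles both "/" and "\\" separators).
    name = ntpath.basename(filename or "")
    # Windows ignores trailing dots and spaces, so parse the name without them.
    name = name.rstrip(". \t")
    # Strip each component so padding such as "a.jpg      .vbs" is still parsed.
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return "ok"
    # The last extension decides how Windows runs the file; an earlier
    # data-file extension only serves to mislead the reader.
    if any(p in DATA_EXTS for p in parts[1:-1]):
        return "disguised"
    return "executable"


def scan_message(msg):
    """Map each attachment filename in an EmailMessage to its verdict."""
    return {part.get_filename(): classify_attachment(part.get_filename())
            for part in msg.iter_attachments()}


def build_sample():
    """Constructed message: names from the table above, placeholder payloads."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    for name in ("LOVE LETTER FOR YOU.TXT.VBS", "METALICA SONG.MP3.pif",
                 "AnnaKournikova.jpg.vbs", "AnnaKournikova.jpg"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for fname, verdict in scan_message(build_sample()).items():
        print(f"{verdict:10} {fname}")
```

A "disguised" verdict is a reason to quarantine the attachment; an "ok" verdict is not proof of safety, so the file should still be scanned with an up-to-date antivirus program.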

Inquiries:
Security Center
Information-technology Promotion Agency
TEL: (03) 5978-7508
FAX: (03) 5978-7518
E-mail: isec-info@ipa.go.jp
Virus Emergency Call: (03) 5978-7509
http://www.ipa.go.jp/security/

3. Prevalence Table - April 2001

(1) There were 55 kinds of viruses reported during April. The most common viruses were W32/Hybris (444 reports) and W32/MTX (257 reports). Two new viruses, W32/Magistr and Linux/Lion (marked with a "*" sign), were reported to IPA for the first time. (Macro and script viruses: 322 reports; Windows and DOS viruses: 912 reports; Mac virus: 2 reports.)

Windows, DOS virus@ No. of report Script Virus@ No. of report
W32/Hybris 444 VBS/LOVELETTER 24
W32/MTX 257 Wscript/Kakworm 20
W32/Magistr(¦) 59 VBS/SST 16
W32/QAZ 33 VBS/Netlog 1
W32/Navidad 31 VBS/Stages 1
W32/Funlove 22 Macro Virus @
W32/Ska 16 XM/Laroux 92
W32/PrettyPark 9 X97M/Divi 72
W32/Msinit 6 XM/VCX.A 26
Form 5 X97M/Barisada 12
W32/CIH 5 W97M/Marker 9
W32/Plage 4 W97M/X97M/P97M/Tristate @8
Anti-CMOS 3 WM/Cap 7
W32/BleBla 3 W97M/Myna 5
W32/Kriz 3 W97M/Ethan 4
AntiEXE.A 2 W97M/Melissa 3
W32/Fix2001 2 XF/Sic 3
W32/Prolin 2 W97M/Assilem 2
Stoned 1 W97M/Bablas 2
Jerusalem.Sunday.A 1 W97M/Chack 2
W32/Marburg 1 W97M/Class 2
YankeeDoodle 1 W97M/Thus 2
Quox.A 1 W97M/Footer 1
@ @ W97M/Groov 1
@ @ W97M/Nsi 1
@ @ W97M/Story 1
UNIX Virus No. of report W97M/Tolose 1
Linux/Lion(¦) 1 W97M/Vmpck1 1
Macintosh virus No. of report WM/Colors@ 1
AutoStart9805 2 WM/Kompu 1
@ @ XM/Compat @1

The abbreviations used in the "Name of Virus" column are as follows:

| Abbreviation | Meaning |
|---|---|
| WM | MSWord95 (WordMacro) |
| W97M | MSWord97 (Word97Macro) |
| XM, XF | MSExcel95, 97 (ExcelMacro, ExcelFormula) |
| X97M | MSExcel97 (Excel97Macro) |
| W97M/X97M/P97M | MSWord97, MSExcel97, MSPowerpoint97 (Word97Macro/Excel97Macro/PowerPoint97Macro) |
| W32 | Works under Windows32 |
| VBS | Written in VisualBasicScript |
| Wscript | Works under Windows Scripting Host (WSH), excluding VBS |
| Linux | Works under Linux |

(2) The following are brief descriptions of the viruses that were reported to IPA for the first time in April.

W32/Magistr

This virus propagates on Win32 systems. It usually spreads via an attached file. When an infected file is executed, the virus looks for PE files on the system and infects them. Then the virus sends the following email to addresses in the Outlook Express address book:

Subject and text body: randomly selected letters
Attachment: randomly selected infected files

One month after infection, the contents of CMOS and BIOS and the data on hard disks can be destroyed.

Linux/Lion

Linux/Lion exploits a vulnerability in BIND DNS servers and runs on Linux.
Upon infection, the virus sends passwords to specific addresses. Then the virus modifies the settings of the infected machine so that remote login becomes possible using a specific password. Linux/Lion searches for vulnerable servers on the Internet. When it finds such servers, it installs itself on them and infects them.

(3) The following table shows the number of reports by reporting body. Most reports came from "general corporate users", with about 74% of the total.

| Reporting body | Reports, 2001/4 | Reports, 2001 total | Reports, 2000 total |
|---|---|---|---|
| General corporate user | 915 (74.0%) | 4832 (71.9%) | 9975 (89.8%) |
| Education/Research Institute | 61 (4.9%) | 326 (4.9%) | 214 (1.9%) |
| Individual user | 260 (21.0%) | 1561 (23.2%) | 920 (8.3%) |

(4) The following table shows the number of reports by region. The largest number of reports came from the Kanto region, followed by the Chubu and Kinki regions.

| Region | Reports, 2001/4 | Reports, 2001 total | Reports, 2000 total |
|---|---|---|---|
| Hokkaido | 14 (1.1%) | 128 (1.9%) | 89 (0.8%) |
| Tohoku | 53 (4.3%) | 226 (3.4%) | 121 (1.1%) |
| Kanto | 852 (68.9%) | 4909 (73.1%) | 9415 (84.8%) |
| Chubu | 154 (12.9%) | 533 (7.9%) | 612 (5.5%) |
| Kinki | 114 (9.2%) | 643 (9.6%) | 628 (5.7%) |
| Chugoku | 9 (0.7%) | 77 (1.1%) | 80 (0.7%) |
| Shikoku | 22 (1.8%) | 94 (1.4%) | 35 (0.3%) |
| Kyusyu | 18 (1.5%) | 109 (1.6%) | 129 (1.2%) |

(5) The following table shows the source of the viruses. In approximately 90% of all reports the source was email (including email from overseas), making it the most common source.

| Source of virus | Reports, 2001/4 | Reports, 2001 total | Reports, 2000 total |
|---|---|---|---|
| Via email | 894 (72.3%) | 4926 (73.3%) | 6171 (55.5%) |
| Via email from overseas | 201 (16.3%) | 1268 (18.9%) | 3843 (34.6%) |
| Download from network | 10 (0.8%) | 26 (0.4%) | 82 (0.7%) |
| External medium | 56 (4.5%) | 182 (2.7%) | 424 (3.8%) |
| External medium (overseas) | 1 (0.1%) | 2 (0%) | 4 (0%) |
| Unknown | 74 (6.0%) | 315 (4.7%) | 585 (5.3%) |

(6) The following table shows the number of PCs infected by viruses. A count of 0 machines indicates that the virus was found either on floppy disks or in a document and was detected before infection occurred.

| Number of PCs | Reports, 2001/4 | Reports, 2001 total | Reports, 2000 total |
|---|---|---|---|
| 0 | 1013 (82.0%) | 5374 (80.0%) | 8927 (80.4%) |
| 1 | 171 (13.8%) | 1128 (16.8%) | 1610 (14.5%) |
| 2-4 | 38 (3.1%) | 149 (2.2%) | 393 (3.5%) |
| 5-9 | 10 (0.8%) | 37 (0.6%) | 109 (1.0%) |
| 10-19 | 3 (0.2%) | 17 (0.3%) | 32 (0.3%) |
| 20-49 | 1 (0.1%) | 10 (0.1%) | 20 (0.2%) |
| 50 or more | 0 (0%) | 4 (0.1%) | 18 (0.2%) |

4. Virus Payload Dates

To prevent the spread of viruses, please check the special notice on viruses that have payload dates between May 11 and June 30. For more information, please refer to the virus calendar at

http://www.ipa.go.jp/SECURITY/virus/viruscalendar.html (Japanese)

You should detect and disinfect viruses with the latest antivirus software before their payload is triggered, since disinfection and recovery afterwards can be very difficult (for example, data may be lost).

W97M/Class

W97M/Class propagates via Microsoft Word. Once you open an infected file, W97M/Class infects MS Word. Whenever you open an infected document on the 31st of any month, the PC shows the following message:

This is Class
VicodinES /CB /TNN

A variant of W97M/Class (Class.D) shows the following message when you close an infected document on the 14th of each month between June and December.

I think (Name of the current user) is a big stupid jerk!
VicodinES Loves You/Class Poppy

Computer Virus Incident Reporting Program

The Ministry of International Trade and Industry announced the "Computer Virus Prevention Guidelines" to prevent the spread of computer viruses in Japan. IPA was designated to receive the "Computer Virus Damage Report" directly from infected users in order to investigate virus problems and to provide monthly statistics. This reporting system started in April 1990. Anyone who has encountered a computer virus is supposed to send a virus report with the necessary information to IPA to prevent further spread of and damage from viruses.

IPA deals with each reporter (user) on an individual basis as a consultant, and also works as a public research institute for antivirus measures by analyzing the problems shown in the damage reports. Taking reporters' privacy into full consideration, IPA periodically publishes the results of its research and analysis on computer virus incidents.

Computer Virus Prevention Guidelines:
- Enactment on April 10, 1990 (release No.139)
- Amendment on July 7, 1995 (release No. 429)
- Amendment on September 24, 1997 (release No. 535)
- Amendment on December 28, 2000 (release No. 952)
@