Information-technology
Promotion Agency,
Japan
IPA

TOP|Application|Contact us|Sitemap


Information-technology Promotion Agency, Japan
-japanese charactor-






IT Security Center

The Information-technology SEcurity Center (ISEC) is the center for promoting information security in Japan.









Activities




Information Service Activities






Security Software Development Activities






CRYPTREC






IT SecurityAssurance







Organization







PGP key







RFCs







Mission Statement







Links







About IPA/ISEC





Japanese






IPA TOP>IT Security Center Japanese TOP>IT Security Center English TOP>information




Computer Virus Incident Reports



January 10, 2003
 Information-technology Promotion Agency
Security Center (IPA/ISEC)




The worst virus ever !
There were approximately 10,000 reports for W32/Klez in one year !!

1. Computer Virus Incident Reports

This is a  Computer Virus Incident Reports for December 2002 and for the year 2002 compiled by IPA: Information-technology Promotion Agency.

1-1. Annual virus incident report for 2002 -- W32/Klez had the worst number of reports ever --

In 2002, 20,352 reports were submitted to IPA, and the number decreased slightly compared from 2001 having 24,261 reports.
W32/Klez had the worst number reported for 9 consecutive months, having 9,648 reports (approximately 50% of total), which made a single virus to have the worst number of reports ever for a year. This was followed by W32/Badtrans having 3,336 reports and W32/Hybris having 870 reports. 

Shift in number of reports by virus(Dec.2001-Dec.2002)

For more information, please refer to "Computer Virus Detection Incident Reports in 2002"

1-2. December computer virus incident reports

In December, 1,135 reports were submitted to IPA (November: 1,408 reports). The top number of viruses reported were W32/Klez having 465 reports with new variants having subjects such as "Happy Christmas" and "Happy New year", W32/Bugbear having 133 reports, and W32/Opaserv and VBS/Redlof, having 67 reports.

In addition, an alert was announced for a massive spread of virus mail during the year change period since there was a concern, but there was no serious viral damage.

Caution necessary for infection through web page !!

There are viruses, such as VBS/Redlof, where infection is obtained just by browsing a web page. When infected with this virus, infection is spread through ways provided below. 

 *Infected computer will record the virus program in the body of the sending e-mail, hence spreads the infection. 

 *Infects HTML and other files on the computer, and when the infected file is uploaded on the web page without noticing this, infection will spread to people who browse the web page

Especially, there are more cases where one gets infected through browsing a web page, so caution is necessary.




2. Warning for this month : 
  Start virus countermeasure from anti-virus software !!

   ===== In order to use the internet comfortably ! =====

There are various ways for virus infection to happen. The most common type is obtained through attached file on the e-mail, such as W32/Klez and W32/Bugbear. But there are infections obtained from browsing a web page, such as W32/Nimda and VBS/Redlof, and infections obtained from shared network, such as W32/Opaserv.

In order to prevent infection damages through various paths from happening, it is essential to use the anti-virus software with the latest version of virus detecting data file on a constant monitoring setting.

3 steps for anti virus software

1. Must be installed

=== Necessity for countermeasure

2. Appropriate setting 

=== Constant monitoring setting is effective

3. Updating virus detecting data file

=== New virus emerges everyday Update at least once a week !




3. Prevalence Table .

Shift in Number of Report 2000 to 2002.


1) There were 47 kinds of viruses reported in December. (998 reports for Windows/DOS, 136 reports for Macro and Script virus, 3 for Macintosh and UNIX virus.)

(*) indicates new virus in this month.


Windows/DOS Virus

No. of report

Macro virus

No. of report

W32/Klez

465

XM/Laroux

25

W32/Bugbear 

133

XM/VCX.A

13

W32/Opaserv 

67

X97M/Divi

6

W32/Brid 

50

W97M/Ethan

2

W32/Badtrans

48

X97M/Barisada

2

W32/Yaha

40

WM/Cap

1

W32/Nimda

36

WM/Wazuu

1

W32/Magistr

33

W97M/Marker

1

W32/Sircam

31

W97M/Melissa

1

W32/Hybris

27

W97M/Nsi

1

W32/Funlove

15

W97M/Pri

 1

W32/CIH

13

W97M/X97M/P97M/Tristate

1

W32/Frethem

7

 

 

W32/Winevar 

5

Script virus

No. of report

W32/Fbound

4

VBS/Redlof

67

W32/Higuy

4

VBS/Haptime

6

W32/Aliz

3

VBS/LOVELETTER

6

W32/MTX

3

VBS/Netlog

2

Form

2

 

 

W32/Mylife

2

 

 

W32/Myparty

2

Macintosh virus

No. of report

Anti-CMOS

1

AutoStart9805

2

WYX

1

 

 

W32/CodeRed

1

 

 

W32/Gibe

1

UNIX virus

 No. of report

W32/QAZ

 1

Linux/Slapper

1

W32/Ska

1

 

 

W32/Tecata

1

 

 

W32/Zoher

1

 

 


Note: the numbers of reports include reported modified variants

Note: The abbreviation used in the "Name of Virus" are as follows:

WM

MSword95 (WordMacro)

W97M

MSword97 (Word97Macro)

XM/XF

MSexcel95/97 (ExcelMacro/ExcelFormula)

X97M

MSexcel97 (Excel97Macro)

W97M/X97M/P97M

MSword97/MSexcel97/MSpowerpoint97
( Word97Macro/Excel97Macro/PowerPoint97Macro )

W32

Works under Windows32

VBS

Written in VisualBasicScript

Wscript

Works under WindowsScriptingHost (excluding VBS)

Solaris

Works under Solaris

FreeBSD

Works under FreeBSD 

Linux

Works under Linux


2) The following table shows the number of reports sorted by reporting body. Most reports came from "general corporate user" with about 87% of total reports.

Reporting Body

Number of report

2002 December

 

2002 Total

 

2001 Total

 

General corporate user

984

86.7%

15,313

75.2%

17,332

71.4%

Education/Research Institute

20

11.5%

1,914

9.4%

1,286

5.3%

Individual user

131

1.7%

3,125

15.3%

5,643

23.3%


3) The following table shows the number of reports sorted by region. The largest number of reports was from Kanto region, followed by Kinki and Chubu region.

Region

Number of report

2002 December

 

2002 Total

 

2001Total

 

Hokkaido

8

0.7%

311

1.5%

506

2.1%

Tohoku

25

2.2%

534

2.6%

882

3.6%

Kanto

831

73.2%

12,986

63.8%

16,291

67.1%

Chubu

105

9.3%

1,894

9.3%

2,360

9.7%

Kinki

115

10.1%

3,254

16.0%

2,589

10.7%

Chugoku

40

3.5%

365

1.8%

387

1.6%

Shikoku

7

0.6%

151

0.7%

399

1.6%

Kyusyu

4

0.4%

857

4.2%

847

3.5%


4) The following table shows the source of virus by damage reports. The most common case is that being infected by mails including from overseas. The share is 92% among numbers of reporting

Source of Virus

Number of report

2002 December

 

2002 Total

 

2001 Total

 

Via email

775

68.3%

17,107

84.1%

17,790

73.3%

Via email from overseas

275

24.2%

2,660

13.0%

3,791

15.6%

Download from network (*)

12

1.1%

121

0.6%

593

2.4%

External medium

16

1.4%

119

0.6%

655

2.7%

External medium (overseas)

0

0%

4

0%

22

0.1%

Unknown

57

5.0%

341

1.7%

1,410

5.8%


(*) including Web page infection

5) The following table shows the number of PCs infected by viruses.

Number of PCs

Number of report

2002 December

 

2002 Total

 

2001 Total

 

0

1,037

91.3%

18,633

91.5%

19,585

80.7%

1

84

7.4%

1,364

6.7%

3,733

15.4%

2-4

8

0.7%

206

1.0%

528

2.2%

5-9

1

0%

59

0.3%

190

0.8%

10-19

3

0.3%

60

0.3%

93

0.4%

20-49

2

0.2%

23

0.1%

74

0.3%

50 and more

0

0%

7

0%

58

0.2%




4. Virus Payload Dates

To prevent the spread of virus, please check the special notice on viruses that have payload dates between January 10 and February 28.

For more information, please refer to the virus calendar at: 
http://www.ipa.go.jp/security/virus/viruscalendar.html (Japanese)

=W32/Klez (It occurs data 6th every month)
On 6th February, the files in C drive will be destroyed.

= VBS/Haptime (It occurs when the total of month and date is 13)
On January 12 and February 11, the files of which extension is .dll, .exe will be deleted.

Computer Virus Incident Reporting Program
The Ministry of Economy, Trade and Industry announced "Computer Virus Prevention Guidelines" to prevent the spread of computer viruses in Japan. IPA was designated to receive the "Computer Virus Damage Report" directly from the infected users to investigate virus problem and to provide monthly statistics. This reporting system started in April 1990. Anyone who has encountered computer virus is supposed to send a virus report with necessary information to IPA to prevent further spread and damage of viruses.IPA deals with each reporter (user) on an individual basis as a consultant, and also works as a public research institute for antivirus measures by analyzing problems showed on the damage report. Taking reporters' privacy into full consideration, IPA periodically publishes the result of their research and analysis on computer virus incident.
Computer Virus Prevention Guidelines:
- Enactment on April 10, 1990 (release No.139)
- Amendment on July 7, 1995 (release No. 429)
- Amendment on September 24, 1997 (release No. 535)
- Amendment on December 28, 2000 (release No. 952)


 Inquiry: IPA Security Center ( IPA/ISEC )
 ( ISEC: Information technology SEcurity Center )
 TEL:+81-3-5978-7508 FAX:+81-3-5978-7518
 E-mail:
 Emergency call: +81-3-5978-7509  URL: http://www.ipa.go.jp/security/index-e.html


Page Top






Term of Use


Copyright(c) Information-technology Promotion Agency, Japan. All rights reserved 2004