W32/Netsky Virus Variants Have Been Spreading Everywhere!
This is a summary of the Computer Virus / Unauthorized Computer Access Incident Reports for March 2004, compiled by IPA.
1. Computer Virus Incident Reports
In March, 4,012 reports were submitted to IPA, a rate 2 times higher* than the number submitted in February (1,733). Of these, 1,795 cases were for W32/Netsky (this is the first time more than 1,000 cases have been reported since the 1,062 cases for W32/Klez in August 2002), followed by 479 cases for W32/Mydoom and 346 cases for W32/Klez.
W32/Netsky Virus Variants Have Been Spreading Everywhere!
In March, many cases were reported, and most of them were related to W32/Netsky variants (Netsky.D, Netsky.P, Netsky.Q). In particular, damage from Netsky.Q, the newly emerged virus, grew significantly as soon as it appeared (see the following graph for the status of detections by IPA).
Be Careful Not to Become a Participant in the DoS (Denial of Service) Attack by Netsky.Q
If a machine infected with Netsky.Q is started during the period from April 8 to 11, 2004, it will perform a DoS attack against some Web sites. It is therefore strongly recommended that you confirm whether your machine is infected before you start it, so that it does not become a source of the DoS attack(s).

* IPA receives computer virus detection/damage reports based on the Computer Virus Prevention Guidelines. So that the data better reflects actual conditions, the reporting format was partially changed to make it easier to fill in, and IPA widely asked companies and home users to file reports, which resulted in the increase in the number of reports.
Please note that reported numbers are counted as 1 case per virus per day, regardless of how many viruses are detected in a day; the reported number of 4,012 for this month is the result of summarizing about 294,000 detected viruses.
Netsky.Q spreads its infection through e-mail attachments. When you open a file attached to a mail that masquerades as an error message (see the figure underneath), the virus mainly performs the following actions:
- Sends virus mails to the addresses that exist on your PC (address book, etc.)
- Performs a DoS (Denial of Service) attack against some Web sites during the period of April 8 – 11
- Generates a beeping sound on and off periodically, which is a very rare phenomenon
2. Unauthorized Computer Access Incident Report
57 reports were submitted to IPA, a rate 1.5 times higher than those reported in February (37). In addition, the number of reports involving damage was 8, which is 2 times higher than the number reported in February (4). Among them, 7 cases were intrusion and 1 case was unauthorized mail relay.
Among the cases involving damage, the following are particularly noteworthy.
- Because easily guessable account names and passwords were used, some program files on application servers were deleted and those programs were no longer available.
- Because the patch needed for Windows 2000 Server had not been applied and Windows Update had not been run, application servers were used for publication/distribution of unauthorized files.
- Because relaying to domains other than their own was allowed, mail servers were used as stepping-stones for sending advertising mails.
The Key Principles are “Multiple
Protections” and “Least Authorization”!
The key principles for protecting against unauthorized access are multiple protections and least authorization. If there is any security flaw in ID/password setting and administration, removal of security holes, or adequate access limitation, you may unexpectedly suffer unauthorized access or damage. In addition, it is important to grant only the least authorization, and only to a limited number of persons on a need-to-know basis.
It is suggested that system administrators re-confirm that such countermeasures are properly in place.
“Home Pages designed for System Administrators
with regard to Actual Countermeasures for IT Security” (in Japanese)
http://www.ipa.go.jp/security/awareness/administrator/administrator.html
3. Reminder for April: “Does your anti-virus software sufficiently counter unidentified viruses?”
-- It works, but do not rely on it too much! --
Using anti-virus software is an effective countermeasure against viruses. However, it is apparent that anti-virus software is limited in its ability to counter every virus instantly, as shown by one example of a consultation received by IPA: “Viruses have not been detected even though the anti-virus software is always updated to the latest version, but infection occurred upon opening files attached to an e-mail.” There may be a period during which anti-virus software cannot detect a newly emerged virus, even when the virus detection data has been updated to the latest version.
It is recommended to follow the tips below, which supplement anti-virus software and help avoid damage from virus infections.
- Do not open suspicious e-mails even if no virus is detected; anti-virus software might be unable to detect a newly emerged virus.
- If the body of an e-mail is uncertain, do not open its attached files; it is dangerous to open such files to confirm.
- Do not open e-mails that cannot be identified; delete them immediately. It is unnecessary to open them.
In addition to the above, countermeasures such as using your anti-virus software effectively (by updating virus detection data and enabling real-time protection) and eliminating security holes with Windows Update, etc. can ensure higher security. We recommend that you take integrated countermeasures against viruses.
Information with regard to anti-virus software (in Japanese)
http://www.ipa.go.jp/security/antivirus/vacc-info.html
Windows Update (Microsoft)
http://windowsupdate.microsoft.com/
The details are as follows:
- Computer Virus Incident Report [Details]
- Unauthorized Computer Access Incident Report [Details]