HOME >> IT Security >> information
Computer Virus / Unauthorized Computer Access Incident Report [Summary]
May 25, 2004
Information-technology Promotion Agency, Japan (IPA)
IT Security Center
W32/Netsky Virus Remains to Spread!!
This is a summary of Computer Virus / Unauthorized Computer Access Incident Reports for April 2004 compiled by IPA
1. Computer Virus Incident Reports
In April, 4,028 reports were submitted to IPA which still remains high level of movement as 4,012 reports recorded in March.
Of 1,767 reports is for W32/Netsky which surpassed 1,000 reports; such event is continued since when 1,795 reports recorded in March. Then 314 reports for W32/Klez and 265 reports for W32/Bagle follow.
W32/Netsky Virus Remains to Spread!!
In April, many W32/Netsky variants (Netsky.D, Netsky.P and Netsky.Q) are reported similar to the one reported in March. Other than those, new variants have emerged; as of May 10, up to Netsky.AC was realized; the variants' numbers are currently counted over 26.
Following table shows the characteristics of the 3 variants most frequently reported (Y represents possession and N represents none).
| Penetration Path | Activities after being Infected | ||||
|---|---|---|---|---|---|
| Attachment files to e-mail *1 | Security hole exploit *2 | Infection by P2P *3 | Send virus mail *4 | DoS Attack *5 | |
| Netsky.D | Y | N | N | Y | N |
| Netsky.P | Y | Y | Y | Y | N |
| Netsky.Q | Y | Y | N | Y | Y |
- *1 Virus is being sent as an attachment file to e-mail; infected upon opening the attachment file.
- *2 If security hole has not been fixed, an attachment file will be executed automatically and then infected.
- *3 Utilize P2P [1] applications; i.e. KaZaA, etc. and then infected.
- *4 Virus mails will automatically be sent to the addresses existed in your computer.
- *5 Perform DoS [2] Attack to specific Web sites.
[1] P2P ((Peer to Peer): One of
communication style which connects computer to computer directly
to export/import its own information back and forth.
[2] DoS Attack (Denial of Service):
once the attack is performed, your computer or network is unable
to use.
Some of W32/Netsky variants exploit security holes of Internet Explorer or perform DoS attack; they added worse functions.
In April, another security hole is found within Outlook Express, there might be possible to emerge new virus which exploits that security hole.
Unless you don't counter measures, you will suffer damage without realizing it. Therefore it is strongly recommended to counter measures described below by utilizing Windows Update to fix security holes, etc.
- i) Install anti-virus
software which is the first step to counter virus;
- “Information for anti-virus software”
(in Japanese)
http://www.ipa.go.jp/security/antivirus/vacc-info.html
- “Information for anti-virus software”
(in Japanese)
- ii) Fix security holes by utilizing Windows Update;
- “Windows Update (Microsoft)” (in Japanese)
http://windowsupdate.microsoft.com/
- “Windows Update (Microsoft)” (in Japanese)
- iii) Do not open suspicious mails;
Be cautious those mails whose subject written in English or those mails from unknown sender.
- “5 tips how to handle attachment files to e-mails” (in Japanese) http://www.ipa.go.jp/security/antivirus/attach5.html
2. New Worm “W32/Sasser” Has Emerged!!
Fix Security Holes Immediately!!
In April, existence of very critical security holes on Microsoft's OS and application software was announced by Microsoft themselves. There are some security holes in those programs contained in multiple OSs including Windows XP and Windows 2000 ; once such security holes are exploited, there might be possible to encounter such damage; i.e. arbitrary codes will be executed by the attacker, etc.
On May 1, new “W32/Sasser” worm emerged. Sasser exploits one of the above security holes and infects your computer if it is connected to the Internet even you are neither receiving e-mails nor looking at Home Pages. In addition, some programs which exploit against another security holes have emerged. Therefore, Windows' users should fix security holes now by applying Windows Update or modification programs.
Security Alerts Released by IPA from April
- “Information with regard to newly emerged worm
W32/Sasser” (in Japanese)
http://www.ipa.go.jp/security/topics/newvirus/sasser.html - “Multiple Vulnerabilities in Windows product
line” (in Japanese)
http://www.ipa.go.jp/security/ciadr/vul/20040414-ms04-011.html - “With Regard to Vulnerability in Microsoft SSL
Library” (in Japanese)
http://www.ipa.go.jp/security/ciadr/vul/20040426-ssl.html - “Multiple Vulnerabilities in Windows RPC/DCOM”
(in Japanese)
http://www.ipa.go.jp/security/ciadr/vul/20040414-win_rpcdcom.html - “Vulnerabilities with Regard to Outlook Express
and Internet Explorer MHTML URL Process” (in Japanese)
http://www.ipa.go.jp/security/ciadr/vul/20040414-oe_mhtmlurl.html
In addition, Cisco has also announced that there are some critical security holes in Cisco product Line, so protection measures should be taken immediately by applying modification program or mitigation.
Security Alerts Released by IPA on April 21
- “Vulnerability with Regard to Procedures for
SNMP Message in Cisco IOS” (in Japanese)
http://www.ipa.go.jp/security/ciadr/vul/20040421-cisco_snmp.html
3. Status for Reported Unauthorized Access
Reported numbers in April is 55 cases that is also a high rate movement which reported 57 cases in March. However, the number of damage reports is 6 for April which slightly lessened from 8 cases reported in March. The break-down are; 3 for penetration, 1 for DoS (Denial of Service), 1 for spoofing e-mail address and 1 for others (damage by malicious program).
Be Cautious Against Malicious programs that are Hidden in Home Pages!!
Nowadays, following consultations to IPA that “The starting page for Internet Explorer is recently changed to an adult site”, “there exist unfamiliar icons onto desktop screen” and “when reboot computers, same symptoms exist even after resetting to default or deleting suspicious icons” are increased.
The cause for such symptoms is that there might be downloaded malicious programs which tamper currently using browser settings forcibly. When you conduct the following actions, you might suffer damage:
- (1)Have clicked to Home Page address described into e-mail body or e-bulletin and browsed suspicious Home Pages:
- (2)Have clicked to “Yes” or “OK” buttons within adult site, etc.
In case you encounter such damage, the only solution left is to initialize your computer; as many cases, it is probably impossible to find malicious programs with your eyes. This is because only those who trapped such malicious programs know what program is trapped, where program is trapped or how the settings are tampered.
You can lessen to encounter possible damage by implementing following protection measures in parallel.
- Apply security patches (modification program) of basic OS, browser;
- Security settings onto browser;
- Install anti-virus software.
As for general security measures otherwise;
- DO NOT download/execute any programs without cautiousness even they are published as useful tool or software onto trustless site;
- DO NOT browse suspicious site;
- DO NOT click on any links in Home Page easily.
It is important to observe above mentioned principles to protect your computer from any of viruses or unauthorized access.
Reference
- “Security measures against any risks with regard
to Web surfing and utilizing e-mails by individual users” (in Japanese)
http://www.ipa.go.jp/security/ciadr/cm01.html#user
4. Reminder for This Month : “You are not Overlooking Virus Infection, are You?”
There Exist Many Viruses that Possess Unseeable Symptoms!!
Most of viruses currently spreading possess such characteristics that its symptoms are not seeable from computer screen. Therefore, you may become the source for virus mail and spread virus mails to your friends without knowing that your computer is infected with viruses.
Even if you do not have any thing to be aware of, your computer may be infected with viruses. It is recommended to reconfirm if your computer is being infected or not.
How to Check
Check your computer utilizing anti-virus software for which virus detection data file is updated to the latest version.
- Information for anti-virus software (in Japanese)
http://www.ipa.go.jp/security/antivirus/vacc-info.html
Utilize virus checking service (free of charge) on-line - Virus buster online scan (in Japanese)
http://www.trendmicro.co.jp/hcall/scan.htm - Security Check (in Japanese)
http://www.symantec.com/region/jp/securitycheck/index.html -
The details are as follows;
Contact
Information-technology Promotion Agency, IT Security Center (IPA/ISEC)
Tel:+81- 3-5978-7508
Fax:+81- 3-5978-7518
E-mail: 