Be Careful of Dangers Hiding on Home Pages!!
This is a summary of the Computer Virus / Unauthorized Computer Access Incident Reports for June 2004, compiled by IPA.
I. Computer Virus Incident Reports
1. Computer Virus Incident Report for the First Half of 2004
The number of reports for the first half of 2004 was 21,957, about 3 times the 7,366 reported in the corresponding period of 2003; it also far exceeds the 17,425 reports received in the whole of 2003.
The main causes of the increase are the emergence of W32/Bagle and W32/Mydoom in January and W32/Netsky in February, and the spread of multiple variants of each virus. Reports for these viruses totaled 11,324, more than half of all reports.
Top 3 Reported Viruses in the First Half
| Virus | Reported # | First Reported | Virus' Characteristic |
|---|---|---|---|
| W32/Netsky | 7,571 | February, 2004 | More than 29 kinds of variants emerged in a short period of time. |
| W32/Mydoom | 2,106 | January, 2004 | Camouflages the attachment file with the icon of a text file. |
| W32/Bagle | 1,647 | January, 2004 | Camouflages the attachment file with the icon of an electronic calculator. |
2. Status of Computer Virus Incident Reports in June
The number of reports in June was 5,422, remaining at a high level close to the 5,439 recorded in May. These 5,422 reports are aggregated from a total of 3,334,000 detected viruses. (At IPA, when virus reports are aggregated, the same virus and its variants reported by the same filer on the same day are counted as 1 case, no matter how many were found.)
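The counting rule above is why a large detection total collapses into a much smaller report count. The sketch below is an added example, not IPA's own tooling; the record layout, the filer ids and the `.X` variant suffix are assumptions, and the sample data is constructed.

```python
from collections import Counter

# Constructed sample: one line per filer, per day, per detection name.
# Fields: date, filer id, detection name, number of copies detected.
SAMPLE = """\
2004-06-01 filer-a W32/Netsky.P 1200
2004-06-01 filer-a W32/Netsky.Q 800
2004-06-01 filer-a W32/Bagle.Z 15
2004-06-01 filer-b W32/Netsky.P 3
2004-06-02 filer-a W32/Netsky.P 950
2004-06-02 filer-b W32/Klez.H 1
malformed line without enough fields
"""

def family(name):
    """Strip a variant suffix: 'W32/Netsky.P' -> 'W32/Netsky' (assumed naming)."""
    return name.split(".", 1)[0]

def aggregate(text):
    """Return (detected_total, reported_total, reported_by_family)."""
    detected = 0
    cases = set()  # one entry per (date, filer, family): the "1 case" rule
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not match the record format
        date, filer, name, copies = parts
        detected += int(copies)          # every detected copy counts here
        cases.add((date, filer, family(name)))  # variants fold into one case
    by_family = Counter(fam for _, _, fam in cases)
    return detected, len(cases), by_family

if __name__ == "__main__":
    detected, reported, by_family = aggregate(SAMPLE)
    print(f"detected: {detected}  reported: {reported}")
    for fam, n in by_family.most_common():
        print(f"  {fam}: {n}")
```
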
Reports for the W32/Netsky virus numbered 1,875; following the 1,984 reported in May, it continues to be reported more than 1,000 times a month. The virus clearly remains widespread, as in previous months. W32/Bagle with 502 reports and W32/Klez with 362 follow.
(1) Virus Mail Remains Widespread!!
According to the detection counts reported to IPA, the W32/Netsky virus accounts for about 90% of all detected viruses; it continues to spread.

Even if only a small number of computers are infected, a massive amount of virus mail is likely to be sent out. In many cases a computer becomes a source of virus mail without its user realizing it; if you notice something unusual, e.g. your computer runs slower than before, please check whether it is infected by using anti-virus software.
Trend Micro On-Line Scan (in Japanese)
http://www.trendmicro.co.jp/hcall/scan.htm
Symantec Security Check (in Japanese)
http://www.symantec.com/region/jp/securitycheck/index.html
McAfee Free Scan (in Japanese)
http://nai.com/japan/mcafee/home/freescan.asp
(2) A New Virus, W32/Zafi, Emerged!!
A new virus, W32/Zafi, which infects through e-mail attachments, emerged in June. This virus exploits existing mail functions and infects your computer when you open the attachment to the e-mail.
When a computer is infected, the virus collects the e-mail addresses in the address book and then sends virus-attached e-mails to all collected addresses. In addition, the virus overwrites anti-virus programs so that they can no longer be executed. As a result, the virus cannot be detected by anti-virus software after your computer is infected.
If you use anti-virus software that is kept updated to the latest state, you can detect viruses before infection and so prevent damage at the attempt stage. If you receive a suspicious e-mail whose title is written in English, it is important to take preventive measures, e.g. do not open the attachment, and check it with anti-virus software.
If infected, it is necessary to remove the virus using the virus removal tool provided at the following site.
Information on the “W32/Zafi” virus variants (including an introduction to the removal tool) (in Japanese)
http://www.ipa.go.jp/security/topics/newvirus/zafi.html
II. Reporting Status for Unauthorized Computer Access
1. Reporting Status for the First Half of 2004
The number of reports for the first half of 2004 was 325, an increase of about 56.3% from the 208 recorded in the corresponding period of the previous year.
However, the number of reports of actual damage was 36, a decrease of about 44.6% from the 65 recorded in the corresponding period of the previous year. The breakdown of the damage is: 18 for intrusion, 3 for unauthorized mail relay, 4 for source address spoofing, 4 for DoS (denial of service) attacks and 7 for others.
The most frequently reported cause of such damage is “Inadequate ID or Password management”. ID and password management is the most essential countermeasure, but also the most often overlooked. Individual users and system administrators should therefore re-confirm that adequate measures are in place.
2. Status of Reported Unauthorized Computer Access in June
The number of reports in June was 52, a decrease of 45.8% compared with the 96 reported in May. Reports of access attempts decreased to 47 from the 88 reported in May, and reports of damage also decreased to 4 from the 6 reported in May. The breakdown of the damage is: 1 for intrusion, 1 for source mail address spoofing and 2 for DoS (denial of service) attacks.
Since June 24, it has been reported that malicious programs are being downloaded without users realizing it from Web servers hosting malformed JavaScript code. System administrators should take appropriate measures, such as applying modification programs (patches), so that the servers they manage are not exploited as stepping stones for such viruses. In addition, users of Internet Explorer should take countermeasures by changing their Internet Explorer settings.
“With regard to vulnerabilities for SSL Library in Microsoft IIS” (in Japanese)
http://www.ipa.go.jp/security/ciadr/vul/20040426-ssl.html
III. Reminder for this Month: “Be Careful of Dangers Hiding on Home Pages!!”
Take Appropriate Countermeasures before Suffering Damage!!
We receive many consultations about damage that was likely caused by browsing home pages, such as the following:
- The Internet Explorer start page has been changed to a suspicious search site or to pages written in English.
- The only option left was to initialize the computer after a variety of restoration measures failed, because 10 or more kinds of Trojan horses or malicious programs had been downloaded without the user realizing it.
As these cases show, it is very difficult to restore your computer once damage has occurred. In addition, as described above, it has been reported that some viruses exploit Internet Explorer vulnerabilities for which no Windows Update has been provided. It is necessary to take the following preventive measures in parallel:
- Apply security patches (modification programs) to the basic OS, browser, etc.
- Install anti-virus software
- Change browser settings
The basic security measures are:
- Do not carelessly download or execute programs from untrusted sites, even if they are published as handy tools or software
- Do not browse suspicious sites
- Do not click on any home page address (link) given on a home page or in an e-mail
These are the principles to follow to protect your computer from viruses. The damage reported here is caused by malicious programs and the like that exploit functions of Web browsers such as Internet Explorer. Therefore, setting these functions to “Disable”, as in the example shown below, is likely to prevent damage.
Example of Internet Explorer Settings
Reference
“Enhancing security for browsing function and
e-mails” (Microsoft) (in Japanese)
http://www.microsoft.com/japan/security/incident/settings.mspx
The details are as follows:
- Computer Virus Incident Report [Details]
- Unauthorized Computer Access Incident Report [Details]