
Computer Virus / Unauthorized Computer Access Incident Report [Summary]

April 28, 2005

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

New Virus – W32/Mytob Emerged!!

This is a summary of the Computer Virus/Unauthorized Computer Access Incident Reports for March 2005 compiled by IPA.

I. Computer Virus Incident Reports
(for further details, please refer to Attachment 1)

The reported number [1] for March was 4,846, an increase of 16.8% compared with the 4,150 reported in February. The virus detection number [2] was about 2,620,000, also an increase, of 6.5%, compared with the about 2,460,000 reported in February.

The reported number for W32/Netsky was 1,262; it has exceeded 1,000 in each of the past 13 consecutive months. (W32/Bagle with 484 and W32/Mydoom with 399 followed.)

1. New Virus – W32/Mytob Emerged!!

W32/Mytob, first reported in March, had produced more than 20 variants only about a month after it first appeared. Besides spreading as an e-mail attachment, this virus also infects by exploiting security holes in Windows, so a computer can be infected simply by being connected to the network. It has the following features:

  • Creates a backdoor on the infected computer that allows it to be operated from outside;
  • Blocks access to security vendors' Web sites;
  • Exploits security holes so that the computer is infected simply by connecting to the network.
[1] Reported number: viruses of the same type and variant reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found.
[2] Detection number: the cumulative count of viruses found by filers. For March, the detection count of about 2,620,000 aggregated to a reported number of 4,846.

(Figure) Example: a W32/Mytob virus mail as received

Precautionary Measures against Infection:

To prevent infection by the W32/Mytob virus, the following precautions are necessary: "do not open suspicious attachment files", "keep anti-virus software up to date and use it", and "fix security holes (run Windows Update)".

If an infection is discovered while using anti-virus software, be sure to remove the virus. Free removal tools are provided online at the following sites.
If you cannot access the above-mentioned sites because of the W32/Mytob virus, download a removal tool on an uninfected computer, copy it to a floppy disk or USB memory, and then run it on the infected computer.

Check-up Using Removal Tools, and Removal Methods (Free):
(Usable to check whether or not a computer is infected with W32/Mytob, and for removal in case of infection)
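Because W32/Mytob blocks access to security vendors' sites, an administrator will want a quick way to check whether a machine has been tampered with in that way. The report does not say how Mytob does the blocking; a common mechanism in worms of this family is to add entries to the Windows hosts file (%SystemRoot%\system32\drivers\etc\hosts) that point vendor and update hosts at the loopback address or at an attacker's host. The following added example (written for this summary, not IPA's code and not specific to any Mytob variant) assumes that mechanism. The hosts contents and the list of watched domains are constructed for illustration.

```python
import ipaddress

# Constructed sample of a Windows hosts file with entries of the kind a
# worm adds to cut the victim off from vendor and update sites. The
# contents are made up for this example, not copied from an infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
0.0.0.0         www.trendmicro.com
127.0.0.1       windowsupdate.microsoft.com   # comment after the entry
127.0.0.1       liveupdate.symantecliveupdate.com
10.0.0.5        www.mcafee.com
"""

# Domains that have no business appearing in a hosts file. A hypothetical
# list for the example; a real check would carry the organisation's own
# list of vendor, update and internal hosts.
WATCH_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "trendmicro.com",
    "mcafee.com", "sophos.com", "kaspersky.com", "f-secure.com",
    "windowsupdate.com", "windowsupdate.microsoft.com",
    "update.microsoft.com",
)

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file.
    Comments, blank lines and lines that do not start with an address
    are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield line_no, ip, host.lower()

def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCH_SUFFIXES)

def find_blocked_vendors(text):
    """Return a list of (line_no, ip, host, kind) for watched hosts.
    kind is 'sinkholed' when the address is loopback or 0.0.0.0 (the
    site simply becomes unreachable) and 'redirected' otherwise (the
    user is sent to a host the attacker controls)."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if host == "localhost" or not is_watched(host):
            continue
        kind = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
        findings.append((line_no, str(ip), host, kind))
    return findings

def check_live_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against a real hosts file; returns [] if unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return find_blocked_vendors(f.read())
    except OSError:
        return []

if __name__ == "__main__":
    for line_no, ip, host, kind in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
```

A clean hosts file normally contains only the localhost entries, so any vendor or update host in it is worth a look; and because the worm's backdoor allows remote operation, a positive finding should be treated as a sign of a compromised machine, not merely a blocked Web site.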

2. The Widespread Distribution of Spyware and Malicious Codes

Not only viruses but also a good deal of spyware (keyloggers, etc.) and malicious code (backdoors, etc.) are being distributed, so the following reminders are necessary to avoid taking them in by mistake from e-mail attachments and/or Web pages.

  • Use anti-spyware software (obtainable in computer shops, etc.);
  • Refrain from accessing suspicious Web sites;
  • Set the browser's security level higher.

Malicious codes may also get in by exploiting security holes; in that case, the security holes in the system must be fixed by running Windows Update, etc.

Examples of the main damage caused by spyware and/or malicious codes are shown below (please also refer to Attachment 1).

  • Trojan/StartPage, Trojan/Websearch: alters the browser's start page to an unauthorized Web site, or redirects the browser to a site other than the one the user intended to access.
  • Trojan/Downloader, Trojan/Dropper: downloads malicious codes from certain Web sites and installs them, so that the affected computer is hijacked.
  • Trojan/PWSteal, Trojan/IRC: steals system information, passwords, etc. from the penetrated computer and sends them outside.

3. W32/Netsky Constituted about 90% of the Total Detection Number

The detection number for W32/Netsky was about 2,300,000, an increase of 6.4% over the about 2,160,000 reported in February. The overall detection number (about 2,620,000) also increased, but once February's shorter length (28 days) is taken into account the level can be regarded as roughly unchanged (if February's 28 days are scaled to the usual 31 days, its detection number would be about 2,700,000).

(Figure) Virus detection number
(Figure) Virus reported number
(In both figures the numbers in parentheses are the previous month's figures; the percentages are each virus's share of all viruses reported this month.)

II. Status for Reported Unauthorized Computer Access
(for further details, please refer to Attachment 2 & 3)

The reported number for March was 59, a decrease of about 6% from the 63 reported in February. However, the number of reports involving actual damage was 14, up from 9 in February. The breakdown of damage reports was: intrusions 9, unauthorized mail relays 1, others 4 (including 1 case of spoofing in which an unauthorized user used a legitimate user's ID, 2 cases of forced download of malicious codes, and other).

Among the 9 intrusions, cases in which a Web server was hijacked and exploited for phishing occurred again in March, as in January and February.

Damage Instances:

  1. Attackers exploited a vulnerability in the Web server software, or penetrated the Web server because of insufficient password management, and set up fake Web contents to be exploited for phishing.
  2. Attackers penetrated by a dictionary attack against the SSH (Secure Shell) ID and password, or by attacking a vulnerability in the OS; they then changed the administrator password and/or altered files, and used the server as a stepping stone for attacks on outside hosts.
  3. Attackers penetrated by exploiting a vulnerability in "phpBB", a bulletin board system written in PHP; forum logs and site templates were then altered or deleted.
  4. Attackers fraudulently logged in to on-line game services on the Internet, and items used in the games were stolen or added.
  5. When an adult site was accessed, a falsified dialog labelled "age certification confirmation screen" asked permission to download code; when "yes" was clicked, malicious code was installed. After that, a billing screen for the site usage fee was forcibly displayed, flashing on and off for a certain period of time.
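Damage instance 2 above, a dictionary attack against SSH, is one of the easier intrusions to spot in logs, provided someone looks. The following added example (not from the report) shows detection logic run over a few constructed OpenSSH log lines: it flags any source address with several failed logins in a short window and reports whether an accepted login from the same address followed, which is the sign that the attack succeeded. The thresholds, log lines and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH log lines in syslog format: a dictionary
# attack from one address that ends in a successful root login, plus an
# ordinary user who mistyped a password once. Made up for this example.
SAMPLE_AUTH_LOG = """\
Mar 12 03:14:01 www sshd[2231]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar 12 03:14:03 www sshd[2233]: Failed password for root from 203.0.113.9 port 40130 ssh2
Mar 12 03:14:04 www sshd[2235]: Failed password for invalid user admin from 203.0.113.9 port 40141 ssh2
Mar 12 03:14:06 www sshd[2237]: Failed password for invalid user test from 203.0.113.9 port 40150 ssh2
Mar 12 03:14:08 www sshd[2239]: Failed password for invalid user oracle from 203.0.113.9 port 40162 ssh2
Mar 12 03:14:11 www sshd[2241]: Failed password for root from 203.0.113.9 port 40170 ssh2
Mar 12 03:14:15 www sshd[2243]: Accepted password for root from 203.0.113.9 port 40181 ssh2
Mar 12 08:02:44 www sshd[3102]: Failed password for alice from 198.51.100.4 port 51022 ssh2
Mar 12 08:02:59 www sshd[3104]: Accepted publickey for alice from 198.51.100.4 port 51030 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_sshd(text, year=2005):
    """Yield (timestamp, result, method, user, ip) for each login line.
    syslog timestamps carry no year, so the caller supplies it."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["ip"]

def find_dictionary_attacks(text, threshold=5, window_seconds=60):
    """Flag every source IP with at least `threshold` failed logins inside
    any `window_seconds` window. For each flagged IP, report the total
    failures and any accepted logins from that IP after the burst began,
    which is the sign that the attack succeeded."""
    failures = defaultdict(list)
    accepted = defaultdict(list)
    for ts, result, method, user, ip in parse_sshd(text):
        if result == "Failed":
            failures[ip].append(ts)
        else:
            accepted[ip].append((ts, user, method))
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        j = 0
        for i, start in enumerate(times):
            # advance j to the first failure outside the window opening at `start`
            while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                later = [a for a in accepted[ip] if a[0] >= start]
                alerts[ip] = {"failures": len(times),
                              "burst_start": start,
                              "compromised": bool(later),
                              "accepted": later}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        status = "SUCCEEDED" if info["compromised"] else "no success seen"
        print(f"{ip}: {info['failures']} failures from {info['burst_start']}, {status}")
        for ts, user, method in info["accepted"]:
            print(f"  accepted {method} login as {user} at {ts}")
```

The interesting output is not the burst of failures, which any exposed SSH server sees daily, but the accepted password login from the same address a few seconds after it: that is the moment the server in damage instance 2 became a stepping stone, and it is what a frequent log check (countermeasure 4 below) is meant to catch.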

As a Web Server Administrator, Be Cautious about Phishing that Exploits Your Site!!

Cases in which a Web server is penetrated and fake contents are set up for phishing continued. Most are discovered and reported by outside users; delayed detection is likely to enlarge the damage.

Countermeasures to be taken by system administrators are as follows:

  1. Set and manage adequate passwords;
  2. Fix vulnerabilities (not only in the OS but in Web applications as well);
  3. Restrict access from outside and configure security settings adequately (disable unnecessary services as well);
  4. Check logs frequently;
  5. Install an alteration-detection (file integrity monitoring) system.
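Countermeasure 5, alteration detection, is what turns the planted-phishing-page cases above from something an outside user reports later into something the administrator notices at once. The following added example (not from the report) shows the principle: take a SHA-256 baseline of every file under the Web root, keep it somewhere the attacker cannot modify, and compare later snapshots against it. It builds a throwaway Web root in a temporary directory and simulates a defaced index page, a planted phishing page and a deleted file; all paths and contents are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file under root (path relative to root, with '/'
    separators) to its SHA-256. Symbolic links are not followed, so an
    attacker cannot pull files from outside the web root into the
    baseline."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result

def compare(baseline, current):
    """Classify the differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Build a throwaway web root, baseline it, then simulate the kind of
    tampering seen in the damage instances above. Everything here is
    constructed data for the example."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(data)

        write("index.html", "<html><body>Welcome</body></html>\n")
        write("css/site.css", "body { color: black; }\n")
        write("images/logo.txt", "placeholder for a binary image\n")

        # The baseline would normally be written to read-only or offline
        # media; here it is just serialised to a JSON string.
        baseline_json = json.dumps(snapshot(root), sort_keys=True)

        # Attacker activity after the baseline was taken:
        write("index.html", "<html><body>Welcome"
              "<script src=\"http://203.0.113.9/k.js\"></script></body></html>\n")
        write("images/.cache/bank/login.php",
              "<?php /* phishing form posting card numbers elsewhere */ ?>\n")
        os.remove(os.path.join(root, "css", "site.css"))

        return compare(json.loads(baseline_json), snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Two points matter in practice. The baseline must live outside the server's writable storage (offline media or a separate host), since an intruder with the administrator password can otherwise simply re-baseline after planting the kit. And the comparison should run on a schedule and raise an alert, not wait for an administrator to remember it; the "added" category, which catches files dropped into hidden directories like the one in the example, is the one that exposes a phishing kit.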

III. Accessing Status Captured by the Internet Monitoring in March
(for further details, please refer to Attachment 3)

Unwanted (one-sided) access for March totaled 654,936 cases across 10 monitoring points.

TALOT2, the Internet monitoring system whose environment resembles that of a general Internet user, observed on average approximately 2,100 unwanted (one-sided) accesses per day at one monitoring point in March 2005, compared with about 3,000 in January and about 2,370 in February.

Compared with February, the number of unwanted (one-sided) accesses shows little or no tendency to change, which indicates that threats from the Internet are not subsiding.

IV. Reminder for This Month: “Prevent Private Information Leakage before Something Happens!!”
- Act Calmly before You Are Fooled -

Phishing is an attempt, by e-mail that masquerades as coming from a corporation such as a financial institution, to lure the recipient to a fake Web page and have them enter private financial information (credit card number and expiration date, ID, password, etc.), which is then fraudulently collected. Phishing, and the damage it causes, continue to be detected and reported.


With phishing by e-mail it is difficult to refuse the mail on the receiving side. However, damage can be prevented if the recipient has correct knowledge about phishing and acts accordingly.

Tip 1: It is uncommon to confirm private information by e-mail.

A financial institution normally never asks for individual information such as a credit card number, its expiration date, or an internet banking ID and password by e-mail. If something seems suspicious, check whether the mail is genuine by going to the top page of the sender's real site from a bookmark, not from the address written in the mail body. It is also advisable to confirm with the inquiry desk of the real site.

Tip 2: Do not immediately click the address written in the mail body.

Not only phishing sites but also other maliciously set-up Web sites exist, some of which try to plant malicious code on your computer if you simply browse them. Check whether the received mail itself is trustworthy before clicking the (linked) address in the mail body.

Tip 3: Do not easily trust the origin of a mail.

The sender address of a mail can easily be forged. When necessary, you can check the origin by referring to the mail's header information, etc.
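Tips 2 and 3 can be turned into a mechanical check. The following added example (not from the report) parses a constructed phishing mail and applies three such checks: it compares the From domain with the Return-Path domain, looks at the earliest Received hop to see where the mail actually entered the mail system, and compares the visible text of each link in the HTML body with the host the link really points to. The bank name, domains and addresses are placeholders, and the domain comparisons are heuristics rather than proof either way.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing mail. Bank name, domains and addresses
# are placeholders, not a real message.
SAMPLE_MAIL = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx1.example.jp (mx1.example.jp [192.0.2.10])
\tby mail.example.jp with ESMTP id abc123; Sat, 12 Mar 2005 10:02:11 +0900
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mx1.example.jp with SMTP id xyz789; Sat, 12 Mar 2005 10:02:05 +0900
From: "Example Bank" <security@example-bank.jp>
To: customer@example.jp
Subject: Please confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm your card number at
<a href="http://198.51.100.77/exbank/login.php">https://www.example-bank.jp/login</a>
within 24 hours.</p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def host_of(text):
    """Host a piece of link text appears to name, or '' if the text is
    not a URL or bare host name (e.g. 'click here')."""
    candidate = text if "://" in text else "http://" + text
    try:
        host = (urlparse(candidate).hostname or "").lower()
    except ValueError:
        return ""
    return host if re.fullmatch(r"[\w-]+(\.[\w-]+)+", host) else ""

def analyse(raw_bytes):
    """Apply header and link checks to a raw mail. Returns the extracted
    facts plus a list of human-readable findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    from_domain = domain_of(str(msg["From"] or ""))
    rp_domain = domain_of(str(msg["Return-Path"] or ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")

    # Each hop prepends its own Received header, so the last one is the
    # earliest hop: where the mail actually entered the mail system.
    origin = ""
    received = msg.get_all("Received") or []
    if received:
        m = re.match(r"from\s+(\S+)", str(received[-1]).strip())
        origin = m.group(1) if m else ""
        if origin and from_domain and from_domain not in origin:
            findings.append(f"earliest Received hop {origin} is not a {from_domain} host")

    deceptive = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, real = host_of(text), (urlparse(href).hostname or "").lower()
            if shown and shown != real:
                deceptive.append((href, text))
        if deceptive:
            findings.append(f"{len(deceptive)} link(s) whose visible address differs from the real target")

    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "origin": origin, "deceptive_links": deceptive, "findings": findings}

if __name__ == "__main__":
    for line in analyse(SAMPLE_MAIL)["findings"]:
        print("-", line)
```

The link check is the most reliable of the three: a link whose visible text names one host while its target is another is deceptive by construction, which is exactly why Tip 1 says to reach the real site from a bookmark. The header checks need judgement, since legitimate bulk mail is often sent through third-party relays with a different Return-Path; but a Received chain that starts at a bare IP address with no reverse DNS, as in the sample, is a strong hint that the From address is forged.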

In addition, malicious codes such as viruses and worms may send private information saved on an infected computer to the outside. Since the law protecting personal information [3] comes fully into force in April 2005, leakage of private information from computers owned by an organization is likely to damage its credibility. For individual users, leakage of private information can lead to fraud.

[3] Precisely named as “Act for Protection of Computer Processed Personal Data held by Administrative Organs”.

To prevent such damage before it happens, continually carry out preventive countermeasures such as using anti-virus software and fixing vulnerabilities in software (OS, Web browser, mail software, etc.).


Contact

IT Security Center, Information-technology Promotion Agency (IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518
E-mail: Please feel free to call at +81-3-5978-7517.