IPA/ISEC in JAPAN: virus and UCA incident report for April 2011

May 13, 2011

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of computer virus/unauthorized computer access incident report for April 2011, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Watch out for a trap that takes advantage of disaster information!"

We would like to give our condolences to all the victims of the Great East Japan Earthquake.

We've confirmed entrapping e-mails that take advantage of this disaster, either to cheat its victims, reconstruction supporters in the afflicted area and those who have become sensitive about disaster information, or to cause a virus infection. To avoid falling victim, PC users need to understand what sorts of entrapping e-mails exist; if they feel anything unusual about an e-mail, they should discard it promptly or otherwise respond with caution.


(1)Outline of Mechanisms of Entrapping e-mails

The mechanisms of entrapping e-mails that we've confirmed this time are classified into the following three types:

Table 1-1: Types and descriptions of the mechanisms of entrapping e-mails

False rumor (to give rise to confusion)

●Chain Mail
Its objective is to have an e-mail sent to "as many people as possible in a chain reaction". Regardless of the e-mail content, it is considered an e-mail-based nuisance. In some cases, chain mail may fan the fear of the recipients in the manner of a chain reaction, causing a harmful rumor. This time, we've confirmed e-mails that involve information on nuclear power plants and radiation, calls for brownout, and the collection of contributions, donations and relief goods.


●Relief Money Fraud E-mail
This is a so-called phishing scam: if the e-mail recipients click an entrapping link in its body text, they are led to a Website for tricking them out of relief money for disaster victims.

Virus infection

●E-mail designed to cause a virus infection
We've confirmed virus-containing e-mails (hereinafter referred to as virus-mail) disguised as disaster information. Their subjects, body text and attached files' names contained plausible Japanese words to make recipients believe that this was reliable information. The PC of a recipient who believes it to be a reliable e-mail and opens its attachment is infected with a virus.
Examples of virus-mail subjects that IPA has confirmed so far are as follows:
・To the disaster victims, in particular, those having children
・Safeguard against radiation exposure
・About the nation-wide rolling blackouts
・Update status of the Fukushima nuclear power plant
Examples of names of virus-mail attachments that IPA has confirmed so far are as follows:
・Basic knowledge of radiation exposure, 1st_report.doc, 2nd_report.doc
・Graphical explanation in mSv.doc
・Impact of the radiation on people in Kanto area.doc
・Fukushima nuclear power plant.doc
・About the amount of radiation on March 30th.doc, Evacuation site list.xls
・How much and how to take potassium Iodide Tablet


Among the above mechanisms, the one that requires particular attention is the virus-mail. The following section explains entrapping e-mails that IPA has confirmed.

(2)Details of Virus-mails

(i)Body Text

The e-mail's body text was doctored to make recipients believe that this is a reliable e-mail. Figure 1-1 and Figure 1-2 show examples of the body text of the virus-mails that have been confirmed this time.

Figure 1-1:Body Text (Case 1) Figure 1-2:Body Text (Case 2)

The body text in Figure 1-1 is quoted from a text published by the organization being impersonated. This is a trick to make recipients believe that this is an authentic e-mail from that organization and get them to click its attachment.

On the other hand, the body text in Figure 1-2 contains no words. It feeds off the psychology of a person who, having seen no message, might get the urge to open the attachment to see what's in there.

(ii)Attached Virus

When we checked those virus-mail attachments, we found a virus called Mdropper. This virus consists of malicious code that exploits a vulnerability in Microsoft Word/Excel (which are application software programs provided by Microsoft Japan Co., Ltd.) and is embedded in their documents. Because the icons and extensions of those virus files are exactly the same as those of authentic Word/Excel documents, users cannot identify whether they are viruses or not (see Figure 1-3). Mdropper might also call in another virus; however, the viruses it calls in vary depending on the time of the infection, and so do the symptoms.

Figure 1-3:A Virus-Mail's Attachment

There are two major vulnerabilities that can be exploited:


(i)Do not Easily Open/Click an E-mail

If you receive an e-mail from someone with whom you don't regularly exchange e-mails, do not readily open it or click a link in its body text. If possible, contact its sender to see if it was really sent by that person. Do not use the contact address written in the body text; instead, look up the contact number yourself and call there for confirmation.

If any file is attached to an e-mail, even if it is from a person with whom you regularly exchange e-mails, you should exercise caution; if you feel anything unusual, check with its sender or delete it promptly without opening it.
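The cues described in this report (a Word/Excel attachment, a sender outside one's regular contacts, and an empty body as in Figure 1-2) can also be checked mechanically before a person opens the message. The following is an added example, not IPA's tooling; the function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

OFFICE_EXT = (".doc", ".xls")  # attachment types named in this report


def triage(raw_message, known_senders):
    """Return the reasons (possibly none) to handle a message with caution."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    sender = ""
    if from_hdr is not None and from_hdr.addresses:
        sender = from_hdr.addresses[0].addr_spec.lower()
    # Attachment file names, skipping the part that serves as the body.
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    office = [n for n in names if n.lower().endswith(OFFICE_EXT)]
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part is not None else ""
    reasons = []
    if office and sender not in known_senders:
        reasons.append("Word/Excel attachment from a sender outside regular contacts")
    if office and not body:
        reasons.append("Word/Excel attachment with an empty body")
    return reasons


def build_sample(sender, subject, body, attachment_name=None):
    """Build a constructed sample message; the attachment is placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@office.example"
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    known = {"colleague@office.example"}  # constructed contact list
    samples = [
        build_sample("Relief Desk <info@relief.example>", "Update status",
                     "", "Fukushima nuclear power plant.doc"),
        build_sample("Colleague <colleague@office.example>", "Site list",
                     "List attached as discussed.", "Evacuation site list.xls"),
    ]
    for raw in samples:
        print(triage(raw, known) or "no cues matched")
```

A message that matches no cue is not thereby safe: the report's advice to confirm with the sender applies to attachments from regular contacts as well.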

(ii)Eliminate Vulnerabilities

For operating systems and applications installed on your PC, upgrade them to the latest version (if possible) and eliminate existing vulnerabilities.


IPA provides on its Website "MyJVN Version Checker", with which you can check for the presence of any applications frequently targeted by a virus and if installed, whether they are the latest version. For more details, please refer to the "MyJVN Version Checker" Website.


(iii)Protect Your PC with Antivirus Software

Although antivirus software is not good at everything, it is one of the important measures. By installing antivirus software and keeping its virus definition files updated, you can block virus entry or clean the virus detected. Recent viruses are crafted so that PC users cannot notice an infection just by looking at their PC's screen, so it is essential to install antivirus software so that those viruses can be detected and cleaned.

For general users, it is recommended to use "Integrated" antivirus software that not only detects and cleans viruses but also blocks access to a high-risk Website should the user click on a link in an entrapping e-mail.

(iv)Measures for Recovery

If you feel that there is something wrong with your PC's behavior, for example, after opening a suspicious e-mail attachment, (even if no virus infection is suspected) update your antivirus software's virus definition files and perform a virus scan.

If, after cleaning all the viruses detected, you feel that your PC is not working properly, perform "system recovery", which is provided with Windows XP, Vista and 7 and enables you to restore your PC to its state on a past day. Even if you perform "system recovery", documents created, e-mails sent or received, Web page access history and favorite Websites that were registered in the period between the selected date and the present are not deleted. Perform "system recovery" by referring to the following Microsoft Websites.


The following Web page presents concrete procedures for running Windows in "Safe Mode" and performing "system recovery".


If the system recovery does not complete normally, perform initialization to "restore the default settings at the time of purchase".

For actual operations, please refer to a section (e.g., "restore the default settings at the time of purchase") in the instruction manual that comes with your PC. When you perform these operations, be sure to make backup copies of important data. And before restoring the backup copies on your PC, scan them with your antivirus software to ensure that no virus is contained.


(4)To the People Providing Assistance for Rehabilitation and Reconstruction

We have a request for those providing assistance for rehabilitation and reconstruction after this disaster.

Secondhand PCs delivered to a disaster-stricken area as relief supplies might not have been in operation in recent years. Because such PCs have recently-discovered vulnerabilities that have not been remedied, they might easily be infected with a virus merely by accessing a Web page or opening an e-mail. So, before placing them in operation in a disaster-stricken area, update their operating systems and applications.

For Windows 98/ Windows Me/ Windows 2000, support from Microsoft Japan Co., Ltd. is no longer available, meaning that newly-discovered vulnerabilities cannot be remedied. This is quite dangerous, as they might be infected with a virus exploiting such vulnerabilities merely by being connected to the Internet. So, please refrain from sending to a disaster-stricken area any PCs running those operating systems.

II. Reporting Status of Computer Virus – for further details, please refer to the Attachment 1 –

(1)Reporting Status of Virus

While the virus detection count*1 in April was about 26,000, up 6.9 percent from about 24,000 in March, the virus report count*2 in April was 1,138, up 15.5 percent from the March level (985).

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of virus was reported by the same person with the same detection day, those reports are counted as one report regarding the virus of that sort.

* In April, the virus report count, which was obtained by consolidating about 26,000 virus detection reports, was 1,138.

W32/Netsky marked the highest detection count at about 16,000, followed by W32/Mydoom at about 5,700 and W32/Autorun at about 1,100.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

In April, we saw a decrease in FAKEAV, which refers to any kind of fake security software, and in BACKDOOR, which refers to a malicious program that installs backdoors on a PC (see Figure 2-3).

Figure 2-3: Malicious Program Detection Count

III. Reporting Status of Unauthorized Computer Access (includes Consultations) – for further details, please refer to the Attachment 2 –

Table 3-1: Reported Number for unauthorized computer access and the status of consultation

                              Nov.'10  Dec.  Jan.'11  Feb.  Mar.  Apr.
Total for Reported (a)             14    22       12    10     6     5
  Damaged (b)                       7     7        6     5     6     5
  Not Damaged (c)                   7    15        6     5     0     0
Total for Consultation (d)         45    27       41    23    45    38
  Damaged (e)                      12     7       11     6    10    10
  Not Damaged (f)                  33    20       30    17    35    28
Grand Total (a + d)                59    49       53    33    51    43
  Damaged (b + e)                  19    14       17    11    16    15
  Not Damaged (c + f)              40    35       36    22    35    28

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in April was 5, all of which reportedly had certain damages.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 38 (10 of which were also included in the report count). 10 of them reportedly had certain damages.

(3)Damages Caused

The breakdown of the damage reports was: intrusion (1); unauthorized mail relay (1); malicious code embedded (1); spoofing (2).

Damages caused by "intrusion" were: a server's improper setting being exploited to place a suspicious file on it (1). Damages caused by "malicious code embedded" were: a PC connected to the organization's LAN was infected with a virus, which in turn made an attempt to access an external network (1). Damages caused by "spoofing" were: free web-based e-mail being used by someone who successfully impersonated a legitimate user and logged on (1); improper e-mail account management resulting in unauthorized use of an old account (1).

(4) Damage Instance


(i)Due to improper settings, our server was broken into and a file was placed on it
  • I was notified by an external party that "upload communication against your Web server has been detected".
  • Through an investigation, I found that an unknown file had been placed in the WebDAV directory of the server.
  • XAMPP (a package of Web applications) was installed on that server and anybody could log on to it by using default authentication information provided for the WebDAV function of XAMPP.
  • As a post-incident measure, I removed the WebDAV function as I thought it was no longer needed.
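The instance above comes down to a WebDAV share that stayed enabled with the credentials the package was installed with. As an added example (not part of the IPA report or of XAMPP), the following audits Apache configuration text for `<Directory>`/`<Location>` sections that enable DAV and reports whether authentication is configured and which credential file needs checking. The configuration sample and its paths are constructed.

```python
import re

OPEN = re.compile(r'<(Directory|Location)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(Directory|Location)\s*>', re.I)

# Constructed configuration for illustration; the paths are hypothetical.
SAMPLE_CONF = """
<Directory "/srv/www/htdocs">
    Require all granted
</Directory>
<Directory "/srv/www/webdav">
    Dav On
    AuthType Digest
    AuthName "DAV-upload"
    AuthUserFile "/srv/conf/webdav.htdigest"
    <LimitExcept GET OPTIONS>
        Require valid-user
    </LimitExcept>
</Directory>
<Location /share>
    Dav On
</Location>
"""


def _assess(s):
    if not (s["auth_type"] and s["require"]):
        return (s["path"], "HIGH", "WebDAV enabled with no authentication")
    return (s["path"], "REVIEW",
            "WebDAV enabled; confirm the credentials in %s were changed from "
            "the package defaults, or disable DAV if unused" % s["user_file"])


def audit_dav(conf_text):
    """Return (path, severity, note) for each section that enables WebDAV."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            section = {"path": m.group(2), "dav": False, "auth_type": None,
                       "user_file": None, "require": False}
            continue
        if CLOSE.match(line):
            if section and section["dav"]:
                findings.append(_assess(section))
            section = None
            continue
        if section is None:
            continue
        parts = line.split(None, 1)  # nested <LimitExcept> tags fall through
        name = parts[0].lower()      # Apache directive names are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if name == "dav":
            section["dav"] = value.lower() != "off"
        elif name == "authtype":
            section["auth_type"] = value
        elif name == "authuserfile":
            section["user_file"] = value
        elif name == "require" and value.lower() != "all granted":
            section["require"] = True
    return findings


if __name__ == "__main__":
    for finding in audit_dav(SAMPLE_CONF):
        print(finding)
```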


(ii)An old e-mail account was illicitly used to send out mass mailings from our domain
  • I was notified by an external party that "A large volume of phishing e-mails have been sent from an e-mail address that is within your district boundary".
  • Through an investigation, I found that a request had been made by an external party to send such a large volume of e-mails from the account of a retired employee, resulting in the mass-mailing from our domain.
  • I promptly deleted the illicitly-used account. I also configured our systems to deny requests from the source IP address and domain in question.

IV. Unauthorized Computer Access Consulted

The total number of consultations in April was 1,608, of which 455 were related to "One-Click Billing" (compared to 466 in March); 6 to "Fake Security Software" (compared to 7 in March); 13 to "Winny" (compared to 22 in March); 1 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 2 in March).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                             Nov.'10   Dec.  Jan.'11   Feb.   Mar.   Apr.
Total                          1,692  1,536    1,463  1,521  1,723  1,608
  Automatic Response System    1,036    954      892    892  1,106    997
  Telephone                      580    531      499    570    551    555
  e-mail                          72     49       64     53     58     50
  Fax, Others                      4      2        8      6      8      6

* IPA set up the "Worry-Free Information Security Consultation Service", which provides consultation/advice on computer viruses, unauthorized computer access, problems related to Winny, as well as overall information security.

Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security Center personnel and available from Mon.-Fri., 10:00-12:00, 13:30-17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

*”Automatic Response System”: Numbers responded by automatic response
*”Telephone”: Numbers responded by the Security Center personnel
*Total Number includes the number in the Consultation (d) column in the Table 3-1, “III. Unauthorized Computer Access Reported (including Consultations)”.

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing

Major consultation instances are as follows:

(i)I'd like to know how to respond to unauthorized alteration of an enterprise's Website and what information to release in such event

I was notified by a client that "Your company's Website has been altered". In this case, what actions should I take? And what level of information disclosure is required?


In such cases, a PC that accessed that Website might be infected with a virus, so check as early as possible whether the site has really been altered.

If you find any trap in that Website that is designed to infect visitors' PCs, you need to respond quickly. Halt the Website operation and engage in the investigation into the cause as well as the fixing work. If you find it difficult to manage on your own, it is recommended to hire a security service company.

After removing the altered parts and fixing and re-opening the Web pages, post information for the Website users, including the fact of the alteration, a possibility that a PC accessing it might have been infected with a virus, and expression of apology.


(ii)I received a suspicious e-mail from the administrative office of my web-based e-mail

What was consulted:

Recently, I received an e-mail from the administrative office of my web-based e-mail, saying "Send us your name and account's password by the appointed time; otherwise, we'll delete your data." So, in a hurry, I sent them the requested information by e-mail, but the following day, I became unable to log on to the e-mail service.

Moreover, I was notified by an acquaintance whose address was registered in my address book, "I received an e-mail from you, saying 'While traveling abroad, I was robbed of my money, so I'm pinched for money.'"

I wonder what's going on.


This is a typical example of social engineering via e-mail. Social engineering is a technique to obtain confidential information from the victim by taking advantage of unguarded moments or behavioral mistakes.

In your case, your web-based e-mail account's password was stolen and used by a third party to send such e-mail to your acquaintance.

In general, even an administrative office never asks users for their password information. Even if you receive such a request by e-mail, do not accept it on faith; take appropriate measures such as directly contacting the service operator.


V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in April

According to the Internet Fixed-Point Monitoring System (TALOT2), 194,413 unwanted (one-sided) accesses were observed at ten monitoring points in April and the total number of sources* was 71,935. This means that on average, 648 accesses from 240 sources were observed at one monitoring point per day (see Figure 5-1).

*Total number of sources: indicates how many accesses in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day.

Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users’ system environment.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From November to April)

Figure 5-1 shows the daily average number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from November 2010 to April 2011). As shown in this figure, the number of unwanted (one-sided) accesses in April decreased compared to the March level.

Figure 5-2 shows the April-over-March comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, compared to the March level, there has been a particular increase in the number of accesses to 29979/tcp.

Figure 5-2: April-over-March Comparison for the Number of Access, Classified by Destination (Port Type)

As for 29979/tcp, access was made from a single IP address and observed at a single monitoring point for TALOT2 (see Figure 5-3). It has yet to be identified why this port was accessed, as it is not one used by a specific application.

Figure 5-3: Access to 445/udp (Total Number of Accesses Observed at One Monitoring Points)
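The counting rule for sources and the two observations above (a port whose accesses rose month over month, and a port reached from a single address at a single monitoring point) can be reproduced over raw access records. This is an added example, not TALOT2 code; the record layout `(day, monitoring_point, port, source_ip)` and the sample records are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records: (day, monitoring_point, port, source_ip).
SAMPLE = [
    ("2011-04-01", "P1", "445/tcp", "192.0.2.10"),
    ("2011-04-01", "P1", "445/tcp", "192.0.2.10"),   # repeat: same source/point/port/day
    ("2011-04-01", "P2", "445/tcp", "192.0.2.10"),
    ("2011-04-01", "P1", "29979/tcp", "198.51.100.7"),
    ("2011-04-02", "P1", "29979/tcp", "198.51.100.7"),
    ("2011-04-02", "P1", "29979/tcp", "198.51.100.7"),
    ("2011-04-02", "P2", "80/tcp", "203.0.113.5"),
    ("2011-04-02", "P2", "80/tcp", "203.0.113.9"),
]


def summarize(records):
    """Return (accesses, sources) using the report's definition of sources."""
    accesses = 0
    distinct = set()
    for rec in records:
        accesses += 1
        distinct.add(tuple(rec))  # same source, point, port and day counts once
    return accesses, len(distinct)


def daily_average(total, monitoring_points, days):
    """Average per monitoring point per day, rounded to a whole number."""
    return round(total / (monitoring_points * days))


def single_origin_ports(records):
    """Ports whose accesses all came from one source at one monitoring point."""
    sources, points = defaultdict(set), defaultdict(set)
    for _day, point, port, src in records:
        sources[port].add(src)
        points[port].add(point)
    return sorted(p for p in sources
                  if len(sources[p]) == 1 and len(points[p]) == 1)


def port_increase(previous, current):
    """Per-port change in access count, largest increase first."""
    prev = Counter(r[2] for r in previous)
    curr = Counter(r[2] for r in current)
    deltas = {p: curr[p] - prev[p] for p in set(prev) | set(curr)}
    return sorted(deltas.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(single_origin_ports(SAMPLE))
    # April 2011 totals from this report: ten monitoring points, 30 days.
    print(daily_average(194413, 10, 30), daily_average(71935, 10, 30))
```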

In the previous issue, we reported that since February 21, an increasing number of accesses from multiple IP addresses in Myanmar had been observed at multiple monitoring points for TALOT2; in April, such accesses to 80/tcp and 443/tcp were also observed (see Figure 5-4).

Figure 5-4: Access to 21/tcp, 22/tcp, 25/tcp, 80/tcp, 443/tcp and 1/tcp from multiple IP addresses in Myanmar
