ICSA 1998 Computer Virus Prevalence Survey

Sponsors:

Microsoft Corporation

Anyware Software

Computer Associates International

Dr. Solomon’s Software

INTEL

Network Associates, Inc.

Panda Software

Price Waterhouse, LLP

Symantec Corporation

Trend Micro, Inc.

Contents

EXECUTIVE OVERVIEW
OBJECTIVES
RESEARCH METHODOLOGY
PREVIOUS WORK
BIASES
FINDINGS
HOW COMMON ARE VIRUS INFECTIONS?
CHANGES IN INFECTION RATES, TOP VIRUSES OF 1997
HOW IS "COMMONNESS" CHANGING?
    Recent Changes in Reported Prevalence
    Growth in Prevalence, by Type of Virus, 1997-1998
    Changing Dominance of Most Prevalent Viruses, 1995-1998
WHERE DO THEY COME FROM?
    Changes in Virus Distribution Mechanisms
    Type of Virus and Point of Entry
WHAT IMPACT DO VIRUSES HAVE?
    What Are The Organizational Effects of Viruses?
    How Many PCs Were Affected by Incident?
WHAT ARE THE FINANCIAL COSTS OF VIRUSES?
    Costs Per Incident
USAGE OF ANTI-VIRUS PRODUCTS
    Overall Level of Usage
    Anti-Virus Methods Employed
    Effectiveness of Desktop Protection Approaches
    Server Protection Methods
    E-Mail Gateways
    Proxy Servers and Firewalls
THE INTERNET
    How Important is the Internet to Employee Work?
    How High a Threat Posed by Java, ActiveX, etc.?
    Has Malicious Active Code Breached Security?
    Do You Have a Java/ActiveX Security Policy?
    What is Your Java/ActiveX Policy?
APPENDIX A: QUESTIONNAIRE
APPENDIX B: TABULATIONS BY QUESTION
THE TABULATIONS
APPENDIX C: PROFILE OF RESPONDENTS
JOB TITLE
RESPONDENT’S DEPARTMENT
NUMBER OF PCS IN THE GROUP
DESKTOP PC OPERATING SYSTEM
TYPE OF NETWORK EMPLOYED
PRIMARY LINE OF BUSINESS
APPENDIX D: COMMON VIRUSES
APPENDIX E: SURVEY STATISTICS
APPENDIX F: GLOSSARY
INDEX
END NOTES

Figures

FIGURE 1. INFECTIONS PER 1,000 COMPUTERS PER MONTH, 1996-1998, USING AVERAGE RATE OF TWO MONTHS PRIOR TO STUDY
FIGURE 2. INFECTIONS PER 1,000 COMPUTERS PER MONTH, 1994-1998
FIGURE 3. INFECTIONS PER MONTH PER 1,000 COMPUTERS, TOP VIRUSES, 1996-1998
FIGURE 4. CHANGES IN INFECTION RATE BY TYPE OF VIRUS, 1997-1998
FIGURE 5. RELATIVE DOMINANCE OF TOP TEN VIRUSES, 1997-1998
FIGURE 6. RELATIVE DOMINANCE OF TOP TEN VIRUSES, 1996-1997
FIGURE 7. RELATIVE DOMINANCE OF TOP TEN VIRUSES, 1995-1996
FIGURE 8. SOURCES OF INFECTION, 1998
FIGURE 9. CHANGES IN VIRUS DISTRIBUTION, 1996-1998
FIGURE 10. SOURCES OF INFECTION, BOOT AND MACRO VIRUSES, 1997
FIGURE 11. EFFECTS OF VIRUSES, 1996-1998
FIGURE 12. EFFECTS OF VIRUSES ON DATA CORRUPTION, USER PRODUCTIVITY, AND EMOTION, 1996-1998
FIGURE 13. PCS AND SERVERS SUSPECTED/ACTUALLY INFECTED DURING MOST RECENT INCIDENT, 1996-1998
FIGURE 14. COST COMPARISON OF DISASTERS, 1996-1998
FIGURE 15. DISTRIBUTION OF PERCENTAGE OF DESKTOP PCS WITH NO VIRUS PROTECTION RUNNING
FIGURE 16. DESKTOP VIRUS PROTECTION METHODS REPORTED USED, 1997-1998
FIGURE 17. PERCENT OF SERVERS RUNNING PERIODIC SCANS, FULL-TIME SCANS, OR BOTH, 1997-1998
FIGURE 18. E-MAIL, PROXY SERVERS, AND FIREWALLS WITH VIRUS PROTECTION, 1997-1998
FIGURE 19. INTERNET IMPORTANCE IN EMPLOYEE WORK, 1998
FIGURE 20. PERCEIVED THREAT FROM ACTIVEX, JAVA, ETC.
FIGURE 21. HAS ACTIVE MOBILE CODE BREACHED CORPORATE SECURITY?
FIGURE 22. DO YOU HAVE A JAVA/ACTIVEX SECURITY POLICY?
FIGURE 23. WHAT IS YOUR JAVA/ACTIVEX POLICY?
FIGURE 24. PERCENTAGE OF ORGANIZATIONS RUNNING VARIOUS OPERATING SYSTEMS, 1997-1998

Tables

TABLE 1. ENCOUNTERS PER 1,000 COMPUTERS PER MONTH, 1996, 1997, AND 1998 STUDIES
TABLE 2. INFECTIONS PER MONTH PER 1,000 COMPUTERS, TOP VIRUSES, 1996-1998
TABLE 3. INFECTIONS PER MONTH PER 1,000 COMPUTERS, TOP VIRUSES, 1997-1998
TABLE 4. SOURCES OF INFECTION, 1996-1998
TABLE 5. EFFECTS OF VIRUSES, 1996-1998
TABLE 6. EFFECTS OF VIRUSES ON DATA CORRUPTION, USER PRODUCTIVITY, AND EMOTION, 1996-1998
TABLE 7. PCS AND SERVERS SUSPECTED/ACTUALLY INFECTED DURING MOST RECENT INCIDENT, 1996-1998
TABLE 8. COST COMPARISON OF DISASTERS, 1996-1998
TABLE 9. DESKTOP VIRUS PROTECTION METHODS REPORTED USED, 1997-1998
TABLE 10. NUMBER OF DESKTOP PROTECTION METHODS USED, 1997-1998
TABLE 11. EFFECTIVENESS IN VIRUS PREVENTION, DESKTOP ENCOUNTERS 1997
TABLE 12. EFFECTIVENESS IN AVERTING DISASTERS, 1997
TABLE 13. SERVER VIRUS PROTECTION METHODS USED, 1997-1998
TABLE 14. PERCENT OF SERVERS RUNNING PERIODIC SCANS, FULL-TIME SCANS, OR BOTH, 1997-1998
TABLE 15. E-MAIL, PROXY SERVERS, AND FIREWALLS WITH VIRUS PROTECTION, 1997-1998
TABLE 16. INTERNET IMPORTANCE IN EMPLOYEE WORK, 1998
TABLE 17. PERCEIVED THREAT FROM ACTIVEX, JAVA, ETC.
TABLE 18. HAS ACTIVE MOBILE CODE BREACHED CORPORATE SECURITY?
TABLE 19. DO YOU HAVE A JAVA/ACTIVEX SECURITY POLICY?
TABLE 20. WHAT IS YOUR JAVA/ACTIVEX POLICY?
TABLE 21. TITLES OF RESPONDENTS
TABLE 22. RESPONDENT DEPARTMENT, 1996, 1997, 1998
TABLE 23. PERCENTAGE OF ORGANIZATIONS RUNNING VARIOUS OPERATING SYSTEMS, 1997-1998
TABLE 24. PERCENT OF ORGANIZATIONS RUNNING VARIOUS NETWORK OPERATING SYSTEMS
TABLE 25. PRIMARY LINE OF BUSINESS
TABLE 26. MOST COMMONLY REPORTED VIRUSES, JAN-FEB 1998


ICSA® 1998 Virus Prevalence Survey


Copyright © 1998 ICSA, Inc., 1200 Walnut Bottom Road, Carlisle, PA, 17013-7635. Phone: 717-258-1816, Fax: 717-243-8642, send blank e-mail to: [email protected], http://www.icsa.net


Executive Overview

ICSA’s Fourth Virus Prevalence Survey reveals that the computer virus problem in North America is not going away. In fact, computer viruses are alive and well. This year’s survey data represent 581,458 desktop workstations and 12,122 application and file servers. Based on this sample, we find that virtually all large and midsize North American corporations have experienced computer virus infections (>99%). The top five primary lines of business represented among the 300 respondents are: Government, Healthcare, Manufacturing, Finance/Insurance, and Transportation/Utilities. As in last year’s survey, we found that the installed base of anti-virus software is up: this year’s survey reports 91% of servers and 98% of desktop workstations with some type of protection. Even with this installed base of protection, virus encounters rose. This year’s group of respondents averaged slightly over 86.5 virus encounters per 1,000 machines per year over the survey period, compared with 62.5 encounters per 1,000 machines per year in last year’s survey.

Again, the macro family of computer viruses tops the list of those most prevalent. Of the ten most prevalent viruses in 1997, five were of the macro family: WM/Concept, WM/CAP, WM/Wazzu, WM/Npad, and XM/Laroux. This is not surprising given macro viruses’ subtlety, their long latency, and the wide span of replication vectors available to them (e-mail attachments, exchange of documents over a network, exchange of files by diskette, Internet download, and software distribution media).

With the rising popularity of the Internet and the concomitant push for companies to become connected, we asked several interesting questions relating to the corporate use of the Internet and the associated risks. Some important findings were:

83% of respondents felt the Internet was either Mission Critical or Important to their employees’ work.

72% of respondents believed the threat level from auto-executable code (primarily Java applets or ActiveX Controls) was either High or Moderate.

Even with the former responses, only 27% of respondents have a policy on the use of Java or ActiveX controls.

Of those who have a policy in place:

Nearly as many respondents (33%) do not allow any Java applets as allow them (39%), while more respondents (39%) do not allow any ActiveX controls than allow them (23%).

There appears to be more concern for security in the case of ActiveX controls than of Java applets. About 39% of respondents allow some sort of Java applets, whereas only 21% allow some sort of ActiveX controls.


Objectives

The objective of this project is to identify the nature and extent of the computer virus problem in desktop computers and computer networks. The scope of the survey includes:

Intel-based PC computers (Apple Macintosh computers were not included in this survey.)

North American Sites only

Industrial and Government business sectors (home and educational sites were excluded.)

In addition to learning about the extent of the computer virus problem, this year's survey included, for the first time, some important exploratory questions about Java applets and ActiveX controls, both of which potentially impact organizational security.

ICSA, Inc. will use this research to increase the public awareness of the extent of the computer virus problem.

Research Methodology

Confidence -- To meet the objectives of the survey, telephone interviews were completed with 300 end-users. This sample size provides accuracy of plus or minus 5.6% with 95 percent confidence for questions that relate to the entire sample. Internal consistency checking (where similar data were arrived at by different means and different questions) suggests that respondent-estimation errors may be as large as 50% in some cases.

Selection -- Respondents for the survey were randomly selected from Computer Intelligence lists of sites with 500 or more PCs, two or more LANs, and two or more remote connections at that site. The sample included all service and industry SIC (Standard Industry Code) codes, as well as federal, state, and local government. Educational sites were excluded from the survey.

Interview target -- The interviews were conducted with the individual most responsible for managing virus problems on PCs or networks for the organization or site. The individual was typically found through referral, and an average of 10.5 calls was required to complete an interview. Only individuals with responsibility for 200 or more PCs in terms of virus knowledge, prevention, and software were qualified as respondents to the survey. Respondents were assured of confidentiality to maximize their responsiveness and to enhance the overall credibility of the survey.

Trained interviewers -- All interviewing was conducted by Gantz Wiley Research of Minneapolis, MN. Trained interviewers dialing from a centrally supervised and monitored facility conducted interviews March 30 through May 15, 1998 during the hours of 7am through 5pm Central Standard Time. The interviewers involved in the survey were dedicated to surveys of vendors, dealers, and end-users for computer and networking industries. All responses were captured using an on-line survey system for direct tabulation and analysis.


Rounding -- Occasionally percentages will total more than 100 percent due to questions allowing for multiple responses. In some cases, charts or graphs will be less than 100 percent due to “Don’t Know” answers, refusals or “Other” responses not being included. In addition, rows or columns may total either 99 percent or 101 percent due to rounding procedures.

A copy of the questionnaire is included in Appendix A (page 10). Simple tabulations by question are provided in Appendix B (page 49).

Previous Work

Some of the results of this survey can be directly compared with three previous surveys:

1. A previous survey conducted for ICSA by the Pariah Group during March 1997. The 1997 survey had a nearly identical design, and nearly identical demographics. Where appropriate, results from this survey will be compared with the 1997 survey. Respondents from the present 1998 survey are similar to those of this 1997 survey in Job Title (page 60), Department (page 60), and Primary Line of Business (page 63).

2. A previous survey conducted for ICSA¹ by Network Associates Public Relations during March 1996. The 1996 survey had a nearly identical design, and nearly identical demographics. Where appropriate, results from this survey will be compared with the 1996 survey.

3. A previous survey conducted for ICSA by Dataquest during October 1991. The 1991 NCSA/Dataquest survey had a similar design with similar demographics. There were, however, two primary differences: the 1991 survey 1) focused on organizations with a smaller number of PCs (300 vs. 500 for ’98) and 2) had a smaller average number of PCs per respondent (1,027 then vs. 2,162 now). The larger cut-off for inclusion used for this survey partially accounted for PC market growth over the intervening period. The potential survey sites (North American organizations with more than 300 or 500 PCs respectively) were about the same for both surveys (2,300 vs. 2,250 potential sites). Where appropriate, results from this survey will be compared with the 1991 survey.

Biases

There are several potential biases to this report:

Retrospective Bias -- The most important bias is that this study is retrospective. That is, those people interviewed were asked to answer questions about past events. Though most sites claimed to have formal tracking mechanisms in place, it is probably true that the further in the past, the less reliable the data. Moreover, it is probably true that data further in the past are under-represented (not remembered) compared to current information. Finally, it may be true that unpleasant events are remembered less well than pleasant events, so that the past seems more positive than it actually was. This bias might enhance the perception that things are getting worse.

1 In early 1998, the National Computer Security Association (NCSA) changed its name to ICSA, Inc. (International Computer Security Association). In this report, we refer to "ICSA" throughout, regardless of whether the organization, at the time, called itself NCSA or ICSA.


Site Selection Bias -- The survey is biased in favor of companies that have “computer virus experts” due to the initial site screening. Consequently, it might be true that sites that do not have such a person were under-represented in the survey. It may also be true that these sites did not have such a person because the virus problem was minimal there. This bias could suggest that the data here shows the problem as worse than it really is.

Encounter Definition Bias -- Though the survey defined “virus encounter” (…a “virus encounter” will be defined as an event or incident where viruses were discovered on any PCs, diskettes, or files.), and despite the interviewer training to reiterate and explain the usage, the definition is necessarily imprecise. It is likely that some of those surveyed tended to use the number of files, PCs or diskettes infected rather than an event in which several or many files, PCs or diskettes were infected as an “encounter.” This bias could make the incidence and prevalence of computer viruses appear higher than it might be.

Familiarity Bias -- Though the survey tried to estimate the chance that the respondent would actually know about every virus encounter by the site (respondents were asked the question “what percent of virus incidents in your group are you informed of or likely to know about?”), it is probably true that a remote employee who encountered a virus for which the appropriate actions were already well known (because of past experience) would be less likely to report the incident to the respondent. Therefore, common viruses are likely to be under-reported compared with newer or unfamiliar viruses.

Findings

How Common Are Virus Infections?

The group of 300 organizations had 161,003 encounters during the 3.2 years in question on the 581,458 machines represented. This translates to 86.53 encounters per 1,000 machines per year over the survey period. This is a higher infection rate than reported in the 1997 study (145,753 encounters in the time frame in question on the 728,798 machines represented, or 62.5 encounters per 1,000 machines per year over the survey period).

Table 1 compares the 1996, 1997, and 1998 studies. In general, encounters have been steadily increasing, with reasonable correspondence in the two studies. There is probably some retrospective bias at work here, but if similar intervals are compared (e.g., Feb '98 in the 1998 study, Feb ’97 in the 1997 study, and Feb ’96 in the 1996 study), we see that reported infection rates have risen steadily whether we look at reports of the previous month, of two months prior, of the last six months of the prior year, etc.

Table 1. Encounters Per 1,000 Computers Per Month, 1996, 1997, and 1998 Studies.

Period                      1996 Study   1997 Study   1998 Study
Prior Month²                      14.4         28.0         31.4
Two Months Prior³                  6.1         14.9         32.3
Last 6 months, prior yr⁴           3.0         10.0         34.3
First 6 months, prior yr⁵          1.5          9.1         27.6
Two years prior⁶                   0.2          3.5         8.85

In Figure 1 we averaged the infection rates reported for the prior two months, and then compared these averages across the three studies. (We have selected these two months to graph simply because the recency of the events likely produces the greatest accuracy in respondent estimates of infection rates.) These figures show an increased infection rate of about 10 infections per 1,000 machines per month each year.

Figure 1. Infections Per 1,000 Computers Per Month, 1996-1998, using Average Rate of Two Months Prior to Study

Figure 2 refines the data by representing the semi-annual and annual data as a monthly proportion during the mid-month of the surveyed period. The results are charted as a rate of virus infections per 1,000 PCs per month. It shows the likelihood of a medium or large North American organization having a virus encounter grew from about one encounter per 1,000 PCs per month in mid-1994 to about 31 chances per 1,000 PCs per month in February, 1998.

2 For the 1998 study, this is February, 1998.
3 For the 1998 study, this is January, 1998.
4 For the 1998 study, this is July-December, 1997.
5 For the 1998 study, this is January-June, 1997.
6 For the 1998 study, this is 1996.


Figure 2. Infections Per 1,000 Computers Per Month, 1994-1998

Changes in Infection Rates, Top Viruses of 1997

Certain viruses are more likely to occur than others. In addition, certain viruses are “growing” in prevalence (e.g. more copies of them exist, which are infecting more PCs, files and/or diskettes) while others are probably declining in numbers. We asked respondents which viruses affected their group for three periods in the 1997 survey: Jan.-Feb. 1997; Jul.-Dec. 1996; and Jan.-Jun. 1996. We also asked respondents about three corresponding periods for this survey: Jan.-Feb. 1998; Jul.-Dec. 1997; and Jan.-Jun. 1997, as well as how many times their group encountered each virus. Prevalence data for the most common viruses encountered in the 1997 survey are shown as encounters per month per 1,000 PCs for each of the survey periods in the table and figure below.

Table 2. Infections per Month per 1,000 Computers, Top Viruses, 1996-1998

Virus            1st half ’96   2nd half ’96   Jan/Feb ’97   1st half ’97   2nd half ’97   Jan/Feb ’98
WM Concept               2.63           3.12          7.37           4.51           4.48          2.51
Form                     0.27           0.34          2.09           0.12           0.22          0.30
Anti-EXE                 0.28           0.39          0.62           0.02           0.06          0.20
WM Wazzu                 0.03           0.15          1.81           0.62           3.39          3.48
Monkey B                 0.11           0.12          0.70           0.05           0.06          0.15
NYB                      0.19           0.15          0.27           0.48           0.63          0.66
WM Npad                  0.05           0.12          0.41           0.15           0.15          0.14
Stealth B or C           0.09           0.11          0.28           0.49           0.35          1.16
Junkie                   0.24           0.02          0.05           0.00           0.00          0.01

Figure 3 shows the changes in infection rate, as reported in the 1997 and 1998 studies, for the top viruses of 1997. The reporting rate for several viruses, including WM/Concept, Form, Anti-EXE, and WM/Npad appears to have peaked and now be in decline. Note that reporting rate is not necessarily the same as infection rate.


Figure 3. Infections per Month per 1,000 Computers, Top Viruses, 1996-1998


Which Viruses are Most Common in 1998?

Of the 300 respondents, 199 reported one or more machines infected with one or more of the viruses listed in Table 26. Most Commonly Reported Viruses, Jan-Feb 1998 (page 66), in the column labeled Reports. The Wild List Organization maintains a list of computer viruses reported to be In The Wild (actively infecting computers). Similarly, Virus Bulletin maintains a list of viruses reported to them. We have included their reports for the month of January 1998, in the column Virus Bulletin.

Each list is created and maintained in different ways [7]. These methodologies, in combination with the present survey techniques, help us examine differences in reported prevalence that might be associated with different research methods.

However, a quick glance at the table below shows that these three tracking methods do not produce much overlap in their reports.

How is "Commonness" Changing?

Recent Changes in Reported Prevalence

Using only the numbers provided in the 1998 survey, we have examined absolute infection rate (infections per month per 1,000 computers per virus), and changes in this rate over three time intervals.

Table 3 shows the infections per month per 1,000 computers for each of the viruses provided to survey researchers for coding. This table uses the mid-point date to represent each time period: March 15 for January-June, 1997; September 15 for July-December, 1997; and January 31 for January-February, 1998. This table presents the viruses sorted by average infection rate, from highest to lowest. In this table, the most common virus in the period was WM/Concept, followed by WM/Wazzu and WM/CAP.

Table 3. Infections per Month per 1,000 Computers, Top Viruses, 1997-1998

Virus            03/15/97   09/15/97   01/31/98   Average
WM/Concept       4.51       4.48       2.51       3.83
WM/Wazzu         0.62       3.39       3.48       2.49
Other            0.92       1.00       4.03       1.99
WM/CAP           0.49       1.53       2.72       1.58
XM/Laroux        0.26       0.49       1.68       0.81
Stealth B or C   0.49       0.35       1.16       0.67
NYB              0.48       0.63       0.66       0.59
Form             0.12       0.22       0.30       0.21
AntiCMOS         0.12       0.07       0.26       0.15
WM/Npad          0.15       0.15       0.14       0.15
AntiEXE          0.02       0.06       0.20       0.09
Monkey           0.05       0.06       0.15       0.09
WM/Appdr         0.01       0.01       0.14       0.05
WM/Showoff       0.00       0.00       0.09       0.03
WM/NiceDay       0.01       0.01       0.07       0.03
Ripper           0.03       0.03       0.00       0.02
EXEbug           0.00       0.01       0.02       0.01
WM/Johnny        0.01       0.01       0.01       0.01
WM/Lunch         0.01       0.01       0.01       0.01
Maverick         0.01       0.01       0.00       0.01
WelcomB          0.00       0.00       0.01       0.00
NATAS            0.01       0.01       0.00       0.00
Junkie           0.00       0.00       0.01       0.00
WM/Goldfish      0.00       0.00       0.01       0.00
WM/Temple        0.00       0.00       0.01       0.00
Average          0.27       0.40       0.57       0.41

[7] PC Viruses in the Wild - March 1998. This report is described as "a cooperative listing of viruses reported as being in the wild by 46 virus information professionals. The bases for this report are virus incidents where a sample was received and positively identified by the participant. Rumors and unverified reports have been excluded. This report is cumulative. That is, this is not just a report of viruses that were seen last month. Monthly data is received from most participants, but the new data is added to the old. Participants are expected to let us know when to remove their name from a virus that they haven't seen in a year and a half or so." Consequently, the names used in the Wild List are more precise than those generally used by respondents in a survey like the present one. For the table in which we summarize the March report, we have tallied the number of Wild List reporters reporting the virus.

Growth in Prevalence, by Type of Virus, 1997-1998

We examined the information shown in Table 3 above from the standpoint of virus type. In this table, there was only one file virus listed, but several boot, multi-partite, and macro viruses. Figure 4. Changes in Infection Rate by Type of Virus, 1997-1998 shows that the most common type of virus is the macro virus, and infection rates for this type of virus are growing most rapidly. The second most common type of virus is the boot virus, and its numbers are increasing rapidly, with a doubling in infection rate in the period March 1997-February 1998. In contrast, multipartite and file viruses are showing no growth at all, and are relatively rare.


Figure 4. Changes in Infection Rate by Type of Virus, 1997-1998


We believe there are several reasons for the rapid growth of macro viruses:

- Macro viruses can replicate using vectors other than diskette (like e-mail attachments, see below). Users may have learned to scan diskettes, but they are generally not yet checking e-mail attachments;
- Macro viruses are subtle and have a long latency; most users who are infected by macro viruses do not experience any change in behavior or degradation of performance of their computer (i.e. they do not notice the virus). Viruses that go unnoticed are more likely to spread, because the computer remains infected and virulent for a longer period, and therefore has more opportunity to infect more hosts.
- Some organizations and some users have been slow to update their anti-virus products and to revise their policies to deal with the new macro virus threat.

There are several reasons for the continued growth of boot viruses:

- Like macro viruses, boot viruses transcend operating systems. A boot virus like Form can infect DOS, Windows 3.x, Windows 95, and Windows NT machines with approximately equal success.
- As with macro viruses, most boot viruses are relatively subtle, causing little discernible difference in machine performance.

There are also reasons why file and multi-partite viruses seem to be declining in prevalence.

- File viruses and multi-partite viruses are specific to a particular operating system. For instance, they might expect to find themselves in a DOS machine. When they find themselves outside their intended platform, they sometimes reveal themselves either through unintended damage to files or other means that result in detection. The emergence of "new" operating systems, such as Windows 95 and the decline of older operating systems, such as DOS (see Table 23. Percentage of Organizations Running Various Operating Systems, 1997-1998) has hastened the decline of file and multi-partite viruses expecting to find themselves in the world of DOS.

There is a potential problem in these data: a virus that appears to be in decline might actually be increasing in prevalence. If a user is infected with an older virus that is easily dispatched with the product on hand, that user is likely to kill the virus without reporting it to management. If the virus was contained because of the effectiveness of anti-virus products, the likelihood of it being reported to our survey researchers would be minimal. Viruses that cause unpleasant experiences, data loss, massive infection, and/or prove difficult to remove, are most likely to be recorded.

Changing Dominance of Most Prevalent Viruses, 1995-1998

In the first two months of 1997, one virus – WM/Concept – accounted for about two thirds of all infections caused by the top ten viruses. In contrast, in the first two months of 1998, WM/Concept accounted for only about 30% of all infections caused by the top ten viruses. Other emerging macro viruses are now challenging WM/Concept’s dominance of last year, predominantly WM/CAP, WM/Wazzu, and XM/Laroux.


Figure 5. Relative Dominance of Top Ten Viruses, 1997-1998

Figure 6. Relative Dominance of Top Ten Viruses, 1996-1997


Figure 7. Relative Dominance of Top Ten Viruses, 1995-1996

Where Do They Come From?

Respondents were asked to identify the means of infection for their most recent virus incident, or encounter if they did not have an incident. In this survey, respondents could indicate more than one avenue of infection, and totals exceed 100%. A comparison with the 1997 and 1996 surveys is provided in Table 4. Sources of Infection, 1996-1998.

Table 4. Sources of Infection, 1996-1998

Source                                                1996   1997    1998
A diskette, sales demo or similar                     11%    8.1%    4.4%
A diskette, repair/service person                     3%     3.4%    3.0%
A diskette, LAN manager/supervisor                    1%     2.7%    0.7%
A diskette, shrink-wrapped software                   2%     4.4%    1.7%
A diskette, malicious person intentionally planted    0%     1.0%    1.0%
A diskette, brought from someone’s home               36%    42.3%   36.0%
A diskette, other                                     21%    26.5%   20.5%
On a distribution CD                                  0%     0.7%    1.7%
A download from BBS, AOL, CompuServe, Internet        10%    16.1%   9.4%
Other download (terminal emulation, client server)    2%     2.4%    3.0%
Via e-mail as an attachment                           9%     26.2%   32.3%
Via an automated software distribution                0%     1.7%    1.3%
While browsing on the World Wide Web                  --     5.4%    2.0%
Other                                                 0%     5.0%    0.7%
Don’t know                                            15%    7%      5.4%


Figure 8. Sources of Infection, 1998

It is not surprising that diskettes are such a common vector for infection. Many of the most prevalent viruses are boot track viruses and could not travel by any other means.

Changes in Virus Distribution Mechanisms

There are changes in virus distribution mechanisms. Figure 9 shows some important trends, with numbers drawn from Table 4. Although diskettes remain the most common source of infection, e-mail is rapidly growing as a significant source of infection. Respondents are becoming more knowledgeable about the infection source, as reflected in the declining proportion of those that did not know where the virus had come from.

Figure 9. Changes in Virus Distribution, 1996-1998


Type of Virus and Point of Entry

Theoretically, all viruses can be transferred by diskette, by e-mail, or by download. [8] Nevertheless, some vectors are more common for some kinds of viruses than for others. Figure 10 shows that macro viruses are most likely to enter an organization via e-mail attachments, whereas boot viruses most often come via diskette.

Figure 10. Sources of Infection, Boot and Macro Viruses, 1997

What Impact Do Viruses Have?

What Are The Organizational Effects of Viruses?

For the most recent encounter or incident (if they had one), respondents were asked to identify the effect the virus had on their group (see Table 5. Effects of Viruses, 1996-1998 and Figure 11. Effects of Viruses, 1996-1998.) As was the case in the 1991, 1996, and 1997 surveys, the greatest problem caused by computer viruses relates to loss of productivity. These losses included but were not limited to PCs unavailable to users, loss of access to data, unreliable applications, and system crashes. Respondents also implied corruption of data, interference or lockup, corrupted files, lost data, and system crashes. In comparison with the 1996 survey, the impact of viruses on productivity seems to be diminishing, whereas the impact on confidence has increased.

Table 5. Effects of Viruses, 1996-1998

Effect                                                                              1996   1997   1998
Loss of user confidence in the system                                               7%     26%    19%
Threat of someone losing their job                                                  3%     1%     4%
Loss of productivity (machine, applications or data not available for some time)    81%    70%    72%
Screen message, interference, or lockup                                             62%    54%    58%
Lost data                                                                           39%    37%    31%
Corrupted files                                                                     59%    57%    57%
Loss of access to data (i.e. on server, host, mainframe, etc.)                      49%    30%    37%
Unreliable applications                                                             35%    30%    24%
PC was unavailable to the user                                                      71%    59%    57%
System crash                                                                        30%    26%    20%
Trouble saving files [9]                                                                   54%    46%
Trouble reading files [10]                                                                 57%    51%
Trouble printing [11]                                                                      23%    24%
Other (specify)                                                                     0%     3%     1%
None                                                                                4%     12%    6%
Don’t know                                                                          0%     1%     1%

Figure 11. Effects of Viruses, 1996-1998

We were interested in determining whether there were any general trends in the last three years concerning the organizational effects of infections. We grouped effects into:

1. Corruption (Screen message, interference, lockup, lost data, corrupted files, loss of access to data)
2. Emotion (Loss of user confidence, threat of job loss)
3. Productivity (loss of productivity, unreliable applications, PC unavailable, system crash, trouble saving, reading, or printing)

Averages are reported in Table 6. Effects of Viruses on Data Corruption, User Productivity, and Emotion and Figure 12. Effects of Viruses on Data Corruption, User Productivity, and Emotion. It appears that there may be a slight decrease in the effects of viruses on productivity and on data corruption, perhaps natural results of our increased experience with them. But the emotional effects of viruses have not been reduced over the past three years.

Table 6. Effects of Viruses on Data Corruption, User Productivity, and Emotion, 1996-1998

Effect         1996   1997   1998
Corruption     52%    45%    46%
Emotion        5%     14%    12%
Productivity   54%    46%    42%

Figure 12. Effects of Viruses on Data Corruption, User Productivity, and Emotion, 1996-1998


How Many PCs Were Affected by Incident?

One of the most costly effects of a virus incident is the disruption caused by the investigation process required to determine the severity of the virus encounter or incident and isolate which PCs were affected. It is not unusual for an entire network to be shut down only to find the virus was isolated to one or two PCs in the group. After the researcher had learned about the name of the virus in the most recent disaster, respondents were asked:

"How many PCs were initially suspected of having the virus?"

"How many PCs were actually found to be infected?"

The same questions were posed for servers suspected of being infected and those actually infected by the most recent virus incident.

Results are shown in Table 7 and Figure 13. The average incident infected 121 PCs and 5.5 servers, about the same as the 1996 levels.

Table 7. PCs and Servers Suspected/Actually Infected During Most Recent Incident, 1996-1998

         ’96 Suspected   ’96 Actual   ’97 Suspected   ’97 Actual   ’98 Suspected   ’98 Actual
PC       131             135          94.6            107          81.1            121.2
Server   1.6             5.4          7.64            1.81         5.2             5.5

Figure 13. PCs and Servers Suspected/Actually Infected During Most Recent Incident, 1996-1998


What Are the Financial Costs of Viruses?

This survey, like previous ones, looked at some of the costs of a virus "disaster". [12]

Costs Per Incident

For the 36% of sites that experienced virus disasters, servers were down an average of 43 minutes. Most servers were not down at all, and the longest downtime was 48 hours. This reduction in downtime of servers may be the effect of organizations learning that shutting down a server is often neither necessary nor helpful in removing most viruses. Complete recovery took an average of 45.6 hours, 9.4 person-days of work, and an average of $2,454 in self-proclaimed costs.

These distributions are all "skewed", meaning that the mean does not fully describe the central tendency. For instance, with estimated cost of recovery, 48% of 1998 respondents indicated zero dollars as the cost, but one estimated a cost as high as $150,000 for a single computer virus incident.

The results for 1997 and 1996 differ a bit [13], as may be seen in Table 8. Cost Comparison of Disasters, 1996-1998 and Figure 14. Cost Comparison of Disasters, 1996-1998. In the period 1996-1998, server downtime in a disaster has dropped, as has the estimated financial cost per incident, but time to recover and person days lost have remained constant per incident.

Table 8. Cost Comparison of Disasters, 1996-1998

Cost                          1996     1997     1998
Server Down-time (minutes)    348      40       43
Time to Recovery (hours)      44       44       45.6
Person Days Lost              10       22       9.4
Financial Cost                $8,100   $8,366   $2,454

Figure 14. Cost Comparison of Disasters, 1996-1998


We suspect that these figures underestimate the true costs of the incident. Most respondents were at either the analyst or manager level in their organization and would not customarily consider all of the related costs of productivity, loss of business, and other costs of down-time.

Usage of Anti-Virus Products

Overall Level of Usage

Virtually all respondents had one or more different anti-virus products available to them. It should be noted that a probable bias exists toward increased use of anti-virus products among survey respondents compared with non-respondents (see site selection bias, page 10). But there may be another bias – to look good to the interviewer, and inflate the number of protected machines. Both biases would suggest that the actual installed base may be lower than the reported figures.

To examine this, we asked “What percentage of desktop PCs have anti-virus software installed, but not running?” Of the 269 respondents who answered this question, an average of 3.5% of desktop PCs were believed to have anti-virus software installed but not running. As Figure 15. Distribution of Percentage of Desktop PCs with No Virus Protection Running shows, nearly all organizations answering this question reported that 100% of their desktop PCs had virus protection running.

Figure 15. Distribution of Percentage of Desktop PCs with No Virus Protection Running

Anti-Virus Methods Employed

Respondents were asked to estimate the percentage of PCs that were protected by each of several methods; respondents could choose more than one answer. Table 9 and Figure 16 show results for 1997 and 1998. Overall, about three protection methods were used per machine in 1997, about 2.4 methods in 1998. Full-time background scans have increased in popularity, but other methods appear to have declined in popularity. We note that the increased use of Windows 95 (see Table 22, page 62) makes such a form of protection more feasible than it was in the memory-hungry days of DOS and Windows 3.x.

Table 9. Desktop Virus Protection Methods Reported Used, 1997-1998

Protection                                               1997   1998
Users check diskettes and downloads for viruses.         64%    46%
Anti-virus software scans every boot-up                  68%    63%
Anti-virus software scans every login                    39%    32%
Anti-virus software scans full time in the background    60%    70%
Other periodic anti-virus detection on the desktop       41%    19%
Other full-time anti-virus detection on the desktop      20%    10%
Other (specify)                                          5%     1%
None                                                     1%     <1%
Don’t know                                               <1%    <1%

Figure 16. Desktop Virus Protection Methods Reported Used, 1997-1998

A closer look at desktop protection methods finds that in 1997, only 16% of respondents used only one of the above methods of protection, but that by 1998, this had increased to 30%. In general, the past year has witnessed a consolidation of anti-virus techniques used. The distribution of respondents on this question, showing the number of methods used, is provided in Table 10. Number of Desktop Protection Methods Used, 1997-1998.

Table 10. Number of Desktop Protection Methods Used, 1997-1998

Number of Methods   1997   1998
1                   16%    30%
2                   19%    25%
3                   32%    24%
4                   19%    17%
5                   11%    2%
6                   3%     2%


Effectiveness of Desktop Protection Approaches

We were interested in determining if there is a relationship between the method of protection used and infection rate. To estimate infection rate, we divided the number of reported virus encounters in February 1997 by the number of machines for which the respondent was responsible. We then correlated this rate with the percentage of machines using a given method (Table 11).

No correlation is large enough to be statistically significant with this sample size. These small correlations occur because, while an effective method may result in fewer disasters, it may not prevent introduction of viruses to a machine. Moreover, it facilitates detection of an introduced virus thus increasing reported incidents.

Table 11. Effectiveness in Virus Prevention, Desktop Encounters 1997

Protection                                               Correlation
Users check diskettes and downloads for viruses.         -.03
Anti-virus software scans every boot-up                  -.03
Anti-virus software scans every login                    +.05
Anti-virus software scans full time in the background    +.02
Other periodic anti-virus detection on the desktop       -.10
Other full-time anti-virus detection on the desktop      -.07

To examine this, we looked at virus disasters. Our measure of disaster was the number of months since the most recent disaster. Respondents not reporting a disaster were not considered. Results are shown in Table 12. A positive correlation means that the greater the percentage of desktop machines protected with this method, the longer the interval since the most recent disaster. As can be seen, most correlations are small but negative, suggesting that none of the methods is effective in preventing disaster. We have trouble believing this interpretation. A more likely explanation is that a disaster triggers use of one or more methods, resulting in the negative correlations.

Table 12. Effectiveness in Averting Disasters, 1997

Protection                                               Correlation
Users check diskettes and downloads for viruses.         -.12
Anti-virus software scans every boot-up                  -.06
Anti-virus software scans every login                    -.09
Anti-virus software scans full time in the background    -.15
Other periodic anti-virus detection on the desktop       -.01
Other full-time anti-virus detection on the desktop      .03
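The correlation method described for Tables 11 and 12, and the sample size each printed correlation would need before it could be called significant, as an added example (not the survey's own analysis). It assumes a two-sided 5% threshold tested with the Fisher z approximation; the respondent records in SAMPLE_SITES are constructed, and the respondent count you pass to is_significant is your assumption, since the page does not give one for these 1997 tables.

```python
import math

Z_CRIT = 1.96  # two-sided 5% level; assumed, the survey does not state its threshold

# Correlations as printed in Tables 11 and 12 (rows in the tables' order).
TABLE_11 = [-0.03, -0.03, 0.05, 0.02, -0.10, -0.07]
TABLE_12 = [-0.12, -0.06, -0.09, -0.15, -0.01, 0.03]

# Constructed respondents (not survey data): machines, encounters, % using the method.
SAMPLE_SITES = [(500, 10, 20), (1200, 30, 80), (800, 8, 50), (2000, 60, 90), (300, 9, 10)]


def pearson_r(xs, ys):
    """Pearson correlation of two equal-length numeric sequences."""
    n = len(xs)
    if n != len(ys) or n < 3:
        raise ValueError("need two sequences of the same length, n >= 3")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant column has no defined correlation")
    return sxy / math.sqrt(sxx * syy)


def method_correlation(sites):
    """Correlate each site's encounters per machine with its method coverage."""
    rates = [encounters / machines for machines, encounters, _ in sites]
    usage = [pct for _, _, pct in sites]
    return pearson_r(usage, rates)


def is_significant(r, n):
    """Fisher z test: is r distinguishable from zero with n respondents?"""
    return abs(math.atanh(r)) * math.sqrt(n - 3) >= Z_CRIT


def min_respondents(r):
    """Smallest sample size at which a correlation of size |r| becomes significant."""
    if r == 0:
        raise ValueError("a zero correlation is never significant")
    return math.ceil(3 + (Z_CRIT / abs(math.atanh(r))) ** 2)


if __name__ == "__main__":
    print("constructed sample r =", round(method_correlation(SAMPLE_SITES), 2))
    for label, table in (("Table 11", TABLE_11), ("Table 12", TABLE_12)):
        strongest = max(table, key=abs)
        print(label, "strongest r", strongest,
              "needs at least", min_respondents(strongest), "respondents")
```

A correlation that falls short of significance says nothing about direction of cause, which is the point the text makes about a disaster triggering adoption of a method.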


Server Protection Methods

Analogously, respondents were asked the number of servers that used periodic (anti-virus software scans server hard drive periodically), or full-time (anti-virus software scans hard drive for viruses full time in the background) scans on file and application servers. Results are shown in Table 13. Server Virus Protection Methods Used, 1997-1998. It would appear that just as the full-time background scan has become the method of choice on the desktop, it is also the choice on the server. As with desktop protection, there has been a consolidation of methods in the past year, with background scanning becoming more popular, while other methods have become less popular.

Table 13. Server Virus Protection Methods Used, 1997-1998

Protection                                               1997   1998
Anti-virus software scans periodically                   56%    41%
Anti-virus software scans full time in the background    54%    64%
Other (specify)                                          7%     2%
None                                                     11%    <1%
Don’t know                                               3%     6%
Refused                                                  <1%    <1%

Another means of examining server protection is to ask what percentage of servers were only protected by periodic scans, what percentage were only protected by full-time background scans, and what percentage used both methods.

Table 14. Percent of Servers Running Periodic Scans, Full-time Scans, or Both, 1997-1998 shows that in the past year, periodic scans have fallen from favor, as has reliance on two methods. Full-time background scans are now the method of choice.

Table 14. Percent of Servers Running Periodic Scans, Full-time Scans, or Both, 1997-1998

Method           1997   1998
Periodic Only    40%    29%
Full-Time Only   32%    56%
Both             28%    15%


Figure 17. Percent of Servers Running Periodic Scans, Full-time Scans, or Both, 1997-1998

E-Mail Gateways

With the advent of macro viruses, careful monitoring of e-mail attachments has become more critical than ever. In the past, any infected file or boot virus dropper could be sent as an e-mail attachment. Double clicking on it in Windows 95 might invoke the program, or invoke an extraction utility such as WinZip. Once executed, the file virus would be able to gain control of the machine. (The boot virus dropper would fail under Windows 95, however, which blocks writes to the boot area while it is running.) However, documents are attached to e-mail far more often than program files, and Word documents are now home to Word macro viruses. While users can still extract documents and manually scan them for macro viruses, e-mail gateways that monitor attachments are becoming a good idea. Of course, they will not be able to see a virus in an attachment that is zipped and password-protected, or that is in an attachment that uses a “non-standard” compression approach. Nonetheless, this approach is gaining acceptance. We asked the question, “What percentage of e-mail gateways have full-time anti-virus software installed now?” In 1997, five out of six respondents answered this question, with a mean of 29% gateways protected. In 1998, this percentage had climbed to 39%. (see Table 15 and Figure 18.)
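The gateway check described above, and its blind spot for password-protected or unusually compressed archives, as an added example (not code from the survey or from any product it covers). It walks a message's attachments, routes Word documents to macro scanning, and marks ZIP members it cannot inspect; the verdict names, the size and nesting limits, and the sample message are assumptions constructed for the illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of Word binary .doc files
ZIP_MAGIC = b"PK\x03\x04"
ENCRYPTED = 0x1          # bit 0 of the ZIP general-purpose flags
MAX_DEPTH = 3            # assumed limit on nested archives
MAX_MEMBER = 10 * 2**20  # assumed per-member size limit (10 MiB)


def classify(name, data, depth=0):
    """Return [(name, verdict)] for one attachment, descending into ZIP members."""
    if data.startswith(OLE2_MAGIC):
        return [(name, "macro-scan")]      # document format that can carry macros
    if not data.startswith(ZIP_MAGIC):
        return [(name, "file-scan")]       # hand to the ordinary file scanner
    if depth >= MAX_DEPTH:
        return [(name, "unscannable-nesting")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "unscannable-corrupt")]
    verdicts = []
    with archive:
        for info in archive.infolist():
            member = f"{name}!{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & ENCRYPTED:
                # Opaque without the password: the blind spot the page describes.
                verdicts.append((member, "unscannable-encrypted"))
            elif info.file_size > MAX_MEMBER:
                verdicts.append((member, "unscannable-size"))
            else:
                try:
                    inner = archive.read(info)
                except NotImplementedError:
                    # Compression method the library cannot decode.
                    verdicts.append((member, "unscannable-compression"))
                except zipfile.BadZipFile:
                    verdicts.append((member, "unscannable-corrupt"))
                else:
                    verdicts.extend(classify(member, inner, depth + 1))
    return verdicts


def triage(raw_message):
    """Classify every attachment of an RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        verdicts.extend(classify(name, part.get_payload(decode=True) or b""))
    return verdicts


def must_hold(verdicts):
    """True when any item could not be inspected and should not pass silently."""
    return any(verdict.startswith("unscannable") for _, verdict in verdicts)


def zip_of(member_name, data, flag_encrypted=False):
    """Build a one-member ZIP for the constructed sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    raw = bytearray(buf.getvalue())
    if flag_encrypted:
        # Constructed: set only the flag bit in the central directory entry so the
        # archive looks password-protected; the payload is not really encrypted.
        cd_offset = int.from_bytes(raw[-6:-2], "little")  # from the end record
        raw[cd_offset + 8] |= ENCRYPTED
    return bytes(raw)


def build_sample():
    """Constructed message with four attachments (all content is placeholder)."""
    fake_doc = OLE2_MAGIC + b"\x00" * 504
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    attachments = [
        ("report.doc", fake_doc),
        ("bundle.zip", zip_of("minutes.doc", fake_doc)),
        ("locked.zip", zip_of("secret.doc", fake_doc, flag_encrypted=True)),
        ("notes.txt", b"plain text"),
    ]
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for item, verdict in triage(build_sample()):
        print(f"{verdict:24} {item}")
```

Holding or quarantining anything marked unscannable, rather than delivering it unexamined, is the policy choice that closes the gap the paragraph points out.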

Proxy Servers and Firewalls

Separating the inside of the organization from the outside world is the job of proxy servers and firewalls. Because viruses can pass through network connections, virus detection added to these protection tools is on the increase. The survey asked the percentage of these devices with full-time virus screening. Results are shown in Table 15. Both Proxy Servers and Firewalls more often have anti-virus capability today than a year ago, but this change is not as dramatic as with e-mail gateways.

Table 15. E-mail, proxy servers, and firewalls with virus protection, 1997-1998

Protected Device 1997 1998

e-mail gateways protected 29.2% 39.1%

Proxy servers protected 24.5% 26.0%

Firewalls protected 29.4% 33.1%


Copyright © 1998 ICSA, Inc., 1200 Walnut Bottom Road, Carlisle, PA, 17013-7635. Phone: 717-258-1816, Fax: 717-243-8642, send blank e-mail to: [email protected], http://www.icsa.net


Figure 18. E-mail, proxy servers, and firewalls with virus protection, 1997-1998

Since viruses generally come to a site unexpectedly from the outside, it is expected that sites with good protection will have about the same number of virus incidents or encounters as those with poor protection. However, sites with good protection should be successful at preventing an encounter with a virus from becoming an incident. That is, good protection should limit the number of PCs, files, or diskettes infected by a virus after it encounters the site.

New macro viruses apparently caused incidents even in sites with full-time protection installed. This can most likely be attributed to one or more of the following:

a) new strains of such viruses

b) some anti-virus vendors may have taken a longer time to implement adequate full-time protection in their products

c) the time frame for vendors to provide updates for products

d) improperly configured full-time protection

e) respondent sites take too long to update their protective software

It is clear that increased full-time protection, especially at the desktop, is needed. Smaller organizations and home and small business PCs are probably less likely to have good virus protection strategies than the organizations in this survey, which averaged over 1,900 PCs and most of which also had a “computer virus expert” on staff. Getting the full-time protection of both desktop PCs and servers over 60% for all classes of users is an appropriate goal to severely cripple computer virus survival in the world-wide computing environment.

The Internet

This year's survey asked a number of interesting questions regarding use of the Internet and associated risks. In this section, we present these findings.


How Important is the Internet to Employee Work?

We asked the question "How do you characterize the importance of the Internet to the work done by your employees?" Results are shown in Table 16. Four out of five respondents rated the Internet as Important or Mission Critical to employee work.

Table 16. Internet Importance in Employee Work, 1998

Importance of Internet

Not Important 3%

Not Essential 13%

Important 62%

Mission Critical 21%

Figure 19. Internet Importance in Employee Work, 1998

How High a Threat Posed by Java, ActiveX, etc.?

We asked "How would you characterize the threat to computing security posed by malicious auto-executable code (i.e. Java Applets, cookies, ActiveX, controls, etc.)?" Results are shown in Table 17. About 75% felt that such active code constituted a moderate or high threat.

Table 17. Perceived Threat from ActiveX, Java, etc.

Threat Level

High 25%

Moderate 47%

Low 23%

None 3%


Figure 20. Perceived Threat from ActiveX, Java, etc.

Has Malicious Active Code Breached Security?

We asked "Has your company experienced an attack or breach in security associated with malicious auto-executable code?" Results are shown in Table 18. Six percent of respondents indicated that their organization had experienced an attack from such code. This value is low, especially when one considers the percentage of respondents whose organizations have been infected by a virus (>99%). However, considering the relative recentness of malicious or hostile auto-executable code threats, the paucity of detection technology, and the lack of awareness of the possible vulnerabilities, it was somewhat surprising to receive even this small number of affirmative answers.

Table 18. Has Active Mobile Code Breached Corporate Security?

Active Mobile Code Breached Security?

Yes 6%

No 88%

Don't Know 4%

Figure 21. Has Active Mobile Code Breached Corporate Security?


Do you have a Java/ActiveX Security Policy?

We asked "Do you currently have a policy on the use of Java Applets or ActiveX controls in your business?" Responses are shown in Table 19. Over a quarter of respondents currently have such a policy in place. We suspect that in the next year, this percentage will climb much higher.

Table 19. Do you have a Java/ActiveX Security Policy?

Do you have a Java/ActiveX Security Policy?

Yes 27%

No 68%

Don't Know 5%

Figure 22. Do you have a Java/ActiveX Security Policy?

What is your Java/ActiveX Policy?

For the 27% of respondents with a Java/ActiveX security policy, we asked what that policy was. Findings are shown in .


Table 20. What is Your Java/ActiveX Policy?

Allow Trusted Java Applets 21%

Allow Untrusted Java Applets 18%

Do Not Allow Any Java Applets 33%

Don't Know about Java Applets 16%

Allow Signed ActiveX Controls 14%

Allow Unsigned ActiveX Controls 9%

Do Not Allow Any ActiveX Controls 39%

Don't Know about ActiveX Controls 25%

Figure 23. What is Your Java/ActiveX Policy?


Because these findings are based on only 27% of our respondents -- those with a policy -- they must be viewed tentatively. However, several tentative observations are in order:

Nearly as many respondents (33%) do not allow any Java applets as allow them (39%); more respondents (39%) do not allow any ActiveX controls than allow them (23%). Suspicions about such active mobile code run high.

There appears to be more concern for security in the case of ActiveX controls than of Java applets. About 39% of respondents allow some sort of Java applets, whereas only 21% allow some sort of ActiveX controls. This seems a sensible security strategy and probably occurs due to the differing security models adopted by their respective developers.14


Appendix A: Questionnaire

ICSA VIRUS PREVALENCE SURVEY

3/15/98

S1. Survey calling dialogue:

Date:_______________________________

(INTRO) Good [morning/afternoon/evening]. May I speak with [Respondent]?

CONTINUE WHEN CONNECTED-

Hello, this is [intvw] from Gantz Wiley calling on behalf of the International Computer Security Association (ICSA), formerly the National Computer Security Association, to gather some confidential information about computer viruses. The information from this study will be published to better educate the business community. I understand that you are responsible for computer virus management at your site.

PARTIAL SURVEYS:

Our records indicate that we contacted you previously, but we were not able to complete the survey. Do you have time now to answer a few more questions?

APPOINTMENTS:

We contacted your establishment previously and it was suggested that you might be available to take our survey at this time. Do you have time now to answer a few questions?

MISSED APPOINTMENTS:

We were unable to reach you at our scheduled appointment time. Do you have time now to answer a few questions?

START SURVEY:

Do you have a few minutes now, or would another time be more convenient?

S2 How many personal computers in North America are you responsible for in terms of virus knowledge, prevention, and software? __________ Dk Ref


(If less than 200, terminate)


S2a Which desktop PC operating systems does your organization have running? __________ Dk Ref

How many desktop PCs run each system? __________ Dk Ref

OS # of PCs

DOS only, no Windows 1

Windows 3.1 2

Windows 95 3

Windows NT 4

OS/2 5

Macintosh 6

Unix 7

Other (specify) 8

None 9

Don’t know 10

Refused 11

S3. How many file and application servers are you responsible for in terms of virus knowledge, prevention and software? __________ Dk Ref

S3a. Which LAN server operating systems does your organization have running? __________ Dk Ref

How many servers run each system? __________ Dk Ref

NOS # of servers

Novell NetWare 3.x 1

Novell NetWare 4.x 2

Windows NT 3

IBM OS/2 LAN Server 4

IBM LAN Server 5

Banyan Vines 6

Unix 7

Other (specify) 8

None 9

Don’t know 10

Refused 11


1. Does your organization have a formal virus tracking procedure?

Yes 1

No 2

Don’t know 3

Refused 4

2. What percent of virus incidents in your group are you informed of or likely to know about?

__________Dk Ref

3. To the best of your knowledge, has a computer virus ever been discovered in any PC, diskette or file in your organization?

Yes 1

No (skip to Q9) 2

Don’t know 3

Refused 4

For the remainder of the survey a “virus encounter” will be defined as an event or incident where viruses were discovered on any PCs, diskettes or files.

4a-e. How many virus encounters did you have during:

February 1998 __________ Dk Ref

January 1998 __________ Dk Ref

Second half of 1997 (July-December) __________ Dk Ref

First half of 1997 (January-June) __________ Dk Ref

All of 1996 __________ Dk Ref

5a. Which viruses have affected your group’s PCs during 1998?

How many times?

5b. Which viruses affected your group’s PCs during the second half of 1997 (July-December)?

How many times?

5c. Which viruses affected your group’s PCs during the first half of 1997 (January-June)?

How many times?


For the remainder of the survey the word “group” refers to those PCs and servers for which you are responsible.

5d. Compared to this time last year, do you feel the virus problem in the computing industry is: (read list)

Much worse 1

Somewhat worse 2

About the same 3

Somewhat better 4

Much better 5

Don’t know 6

Refused 7

5e. Compared to this time last year, do you feel the MS Word Macro Virus problem in the computing industry is: (read list)

Much worse 1

Somewhat worse 2

About the same 3

Somewhat better 4

Much better 5

Don’t know 6

Refused 7

5f. Compared to this time last year, do you feel the MS Excel Macro Virus problem in the computing industry is: (read list)

Much worse 1

Somewhat worse 2

About the same 3

Somewhat better 4

Much better 5

Don’t know 6

Refused 7


For the remainder of the survey a “virus disaster” will be defined as a virus encounter where a minimum of 25 PCs, diskettes or files were infected by the same virus at relatively the same time.

6. Has your group had a virus disaster anytime since January 1997?

Yes 1

No (skip to Q7) 2

Don’t know 3

Refused 4

6a. When was the month and year of your most recent disaster?

January 1998 1

February 1998 2

March 1997 3

January 1997 4

February 1997 5

March 1997 6

April 1997 7

May 1997 8

June 1997 9

July 1997 10

August 1997 11

September 1997 12

October 1997 13

November 1997 14

December 1997 15

Don’t know 16

Refused 17

6b. What was the name of the virus in your most recent disaster?

6c. How many PCs were initially suspected of having the _____________ virus? __________ Dk Ref

6d. How many PCs actually were found to be infected? __________ Dk Ref


6e. How many SERVERS were initially suspected of having the virus? __________ Dk Ref

6f. How many SERVERS actually were found to be infected? __________ Dk Ref

6g. How long were any servers “down” while dealing with the disaster? (svr hours) _______ Dk Ref

6h. How long did it take for your group to completely recover? (hours) __________ Dk Ref

6i. How many person days did the disaster cost your group? __________ Dk Ref

6j. How many dollars did the disaster cost your group? __________ Dk Ref

7. Which of the following effects occurred in your group with the most recent virus disaster or encounter? (Read the list) (Check all that apply)

Loss of user confidence in the system 1

Threat of someone losing their job 2

Loss of productivity (machine, applications or data not available for some time) 3

Screen message, interference, or lockup 4

Lost data 5

Corrupted files 6

Loss of access to data (ie. on server, host, mainframe, etc.) 7

Unreliable applications 8

PC was unavailable to the user 9

System crash 10

Trouble saving files 11

Trouble reading files 12

Trouble printing 13

Other (specify) 14

None 15

Don’t know 16

Refused 17

8. How did your most recent virus disaster or encounter come to your site? (Check all that apply)

A diskette, sales demo or similar 1

A diskette, repair/ service person 2

A diskette, LAN manager / supervisor 3

A diskette, shrink-wrapped software 4

A diskette, malicious person intentionally planted it 5


A diskette, brought from someone’s home 6

A diskette, other 7

On a distribution CD 8

A download from BBS, AOL, CompuServe, Internet, etc. 9

Other download (terminal emulation, client server) 10

Via e-mail as an attachment 11

Via an automated software distribution 12

While browsing the World Wide Web 13

Other (specify) 14

None 15

Don’t know 16

Refused 17

9a Which anti-virus products are you running at the desktop PC level? How many desktop PCs are running each product?

9b. Which anti-virus products are you running at the server level? How many servers are running each product?

10a) On the desktop PC level, which of the following anti-virus software protection methods are used? How many PCs use each method? (Read the list)

Protection Methods # of PCs

Users check diskettes and downloads for viruses. 1

Anti-virus software scans hard drive for viruses every boot-up 2

Anti-virus software scans hard drive for viruses every login 3

Anti-virus software scans hard drive for viruses full time in the background 4

Other periodic anti-virus detection on the desktop 5

Other full-time anti-virus detection on the desktop 6

Other (specify) 7

None 8

Don’t know 9

Refused 10


10b) On the file server level, which of the following anti-virus software protection methods are used? How many servers use each method? (Read the list)

Protection Methods # of Servers

Anti-virus software scans hard drive for viruses periodically 1

Anti-virus software scans hard drive for viruses full time in the background 2

Other (specify) 3

None 4

Don’t know 5

Refused 6

10c. What percentage of e-mail gateways have full-time anti-virus software installed now?

___________ Dk Ref

10d. What percentage of proxy servers have full time anti-virus software installed now?

____________ Dk Ref

10e. What percentage of firewalls have anti-virus software installed now? ____________ Dk Ref

10f. What percentage of desktop PC’s have NO anti-virus software installed? ____________ Dk Ref

10g. What percentage of desktop PC’s have anti-virus software installed, but not running?

____________ Dk Ref


11. What department are you in?

Accounting / Finance 1

Customer Service/Support 2

Data Processing 3

Education / Training 4

Engineering 5

General Administration / Management 6

Manufacturing / Production 7

Research & Development 8

MIS/IS (Management Information Systems) 9

Personnel / Human Resources 10

Public relations / Communications 11

Purchasing 12

Sales / Marketing 13

Other (specify) 14

None 15

Don’t know 16

Refused 17

12. What is your job title?

Director of Data Processing / Information Systems 1

Director of Computer Security 2

Manager of Data Processing 3

Manager of MIS/IS 4

Manager of Computer Security 5

Systems Analyst/Programmer 6

Support Specialist 7

Systems Manager/ PC Network /LAN Manager 8

Other (specify) 9

None 10

Don’t know 11

Refused 12


13. What is your organization’s primary line of business?

Accounting 1

Agriculture 2

Business Services 3

Communications 4

Construction 5

Education 6

Engineering 7

Finance 8

Government 9

Healthcare 10

Insurance 11

Legal 12

Manufacturing 13

Mining 14

Non-Profit 15

Professional Services 16

Real Estate 17

Retail 18

Transportation 19

Utilities 20

Wholesale 21

Other (specify) 22

Don’t know 23

Refused 24

M1 How do you characterize the importance of the Internet to the work done by your employees?

Mission Critical 1

Important 2

Not Essential 3

Not Important 4


M2 How would you characterize the threat to computing security posed by malicious auto-executable code (i.e. Java applets, cookies, ActiveX, controls, etc)?

High Threat 1

Moderate Threat 2

Low Threat 3

No Threat 4

M3 Has your company experienced an attack or breach in security associated with malicious auto-executable code (NOTE: Your company identity is kept completely confidential)?

Yes 1

No 2

Don’t know 3

Refused 4

M4 Do you currently have a policy on the use of Java applets or ActiveX Controls in your business?

Yes 1

No 2

Don’t know 3

Refused 4

M5 If the answer to M4 is yes, what is the policy?

For Java Applets

Allow Trusted Java Applets 1

Allow Untrusted Java Applets 2

Do not Allow Any Java Applets 3

Don’t know 4

For ActiveX Controls

Allow Signed ActiveX Controls 5

Allow Unsigned ActiveX Controls 6

Do not Allow Any ActiveX Controls 7

Don’t know 8

Refused 9

(END) Those are all the questions I have for you today. Thank you so much for helping us and answering my questions. Have a nice day!


Appendix B: Tabulations by Question

The Tabulations

(S2) How many personal computers in North America are you responsible for in terms of virus knowledge, prevention, and software?

Number of Respondents: 300
Number of Machines: 581,458
High: 30,000
Low: 200
Don’t Know: 0
Mean: 1938.19
Standard Deviation: 2975.24

If they aren't responsible for over 200 PCs, - We are currently surveying those with a greater number of PCs. Thank you for your time.

(S2A1) Which desktop operating systems does your organization have running? (READ LIST)

Base: 300
DOS Only (No Windows) 49 16.3%
Windows 3.1 162 54.0%
Windows 95 266 88.7%
Windows NT 218 72.7%
OS/2 38 12.7%
Macintosh 45 15.0%
UNIX 43 14.3%
Other (Specify OS) 25 8.3%
None of the Above 0 0.0%
Don't Know 0 0.0%
Refused 0 0.0%

(S3) How many file and application servers are you responsible for in terms of virus knowledge, prevention, and software?

Number of Respondents: 300
Number of Machines: 12,122
High: 900
Low: 2
Don’t Know: 6
Mean: 40.38
Standard Deviation: 80.38


(S3A1) Which LAN server operating systems does your organization have running? (READ LIST)

Base: 300
Novell NetWare 3.X 120 40.0%
Novell NetWare 4.X 172 57.3%
Windows NT 224 74.7%
IBM OS/2 LAN Server 18 6.0%
IBM LAN Server 4 1.3%
Banyan Vines 15 5.0%
UNIX 49 16.3%
Other (Specify OS) 21 7.0%
None of the Above 0 0.0%
Don't Know 4 1.3%
Refused 1 0.3%

(Q1) Does your organization have a formal virus tracking procedure?

Base: 300
Yes 188 62.7%
No 110 36.7%
Don't Know 2 0.7%
Refused 0 0.0%

(Q2) What percent of virus incidents in your group are you likely to know about?

Average 76.04
Standard Deviation 34.17

(Q3) To the best of your knowledge, has a computer virus ever been discovered in any PC, diskette, or file in your organization?

Base: 300
Yes 297 99.0%
No 2 0.7%
Don't Know 0 0.0%
Refused 1 0.3%

If they have had a virus.

For the remainder of the survey a "virus encounter" will be defined as an event or incident where viruses were discovered on any PCs diskettes or files.

(Q4A) How many virus encounters did you have during February 1998?

High 2000
Don’t Know 55
Refused 4
Median 31.36
Standard Deviation 133.57

(Q4B) How many virus encounters did you have during January 1998?

High 2000
Don’t Know 64
Refused 4
Median 32.34
Standard Deviation 146.72


(Q4C) How many virus encounters did you have during the second half of 1997 (July-December)?

High 30,000
Don’t Know 82
Refused 4
Median
Standard Deviation

(Q4D) How many virus encounters did you have during the first half of 1997 (January-June)?

High 20,000
Don’t Know 116
Refused 4
Median 165.70
Standard Deviation 1201.34

(Q4E) How many virus encounters did you have during all of 1996?

High 5,000
Don’t Know 166
Refused 4
Median 106.17
Standard Deviation 461.55

If they had an encounter in 1998.

(Q5A1) Which viruses have affected your group's PCs during 1998? (DO NOT READ/PROBE FOR ALL)

Base: 199
AntiCMOS 27 13.6%
AntiEXE 23 11.6%
EXEbug 2 1.0%
Form 25 12.6%
Junkie 5 2.5%
Maverick 1 0.5%
Monkey 35 17.6%
NYB 23 11.6%
ParityB 2 1.0%
Ripper 3 1.5%
Sampo 1 0.5%
Stealth B or C 35 17.6%
WelcomB 4 2.0%
WM Appdr 2 1.0%
WM CAP 52 26.1%
WM Colors 1 0.5%
WM Concept 65 32.7%
WM Goldfish 1 0.5%
WM Imposter 2 1.0%
WM Johnny 6 3.0%
WM Lunch 2 1.0%
WM NiceDay 2 1.0%
WM Npad 10 5.0%
WM Paycheck 1 0.5%
WM Temple 2 1.0%
WM Wazzu 44 22.1%
XM Laroux 32 16.1%
Other (Specify Virus) 60 30.2%
None Found 2 1.0%
Don't Know 11 5.5%


Refused 0 0.0%

If they had an encounter in the second half of 1997.

(Q5B1) Which viruses have affected your group's PCs during the second half of 1997 (July-December)? (DO NOT READ/PROBE FOR ALL)

Base: 197
AntiCMOS 18 9.1%
AntiEXE 17 8.6%
EXEbug 2 1.0%
Form 33 16.8%
Junkie 2 1.0%
Maverick 2 1.0%
Monkey 33 16.8%
NATAS 4 2.0%
NYB 18 9.1%
ParityB 1 0.5%
Quandary 1 0.5%
Ripper 4 2.0%
Stealth B or C 32 16.2%
WelcomB 3 1.5%
WM Appdr 2 1.0%
WM CAP 29 14.7%
WM Concept 61 31.0%
WM Imposter 2 1.0%
WM Johnny 2 1.0%
WM Lunch 2 1.0%
WM NiceDay 1 0.5%
WM Npad 5 2.5%
WM Paycheck 1 0.5%
WM Wazzu 41 20.8%
XM Laroux 21 10.7%
Other (Specify Virus) 49 24.9%
None Found 1 0.5%
Don't Know 37 18.8%
Refused 2 1.0%

If they had an encounter in the first half of 1997.

(Q5C1) Which viruses have affected your group's PCs during the first half of 1997 (January-June)? (DO NOT READ/PROBE FOR ALL)

Base: 161
AntiCMOS 17 10.6%
AntiEXE 16 9.9%
Form 25 15.5%
Junkie 2 1.2%
Maverick 2 1.2%
Monkey 22 13.7%
NATAS 3 1.9%
NYB 14 8.7%
Ripper 3 1.9%
Stealth B or C 25 15.5%
WelcomB 3 1.9%
WM Appdr 2 1.2%
WM CAP 22 13.7%
WM Concept 54 33.5%


WM Imposter 2 1.2%
WM Johnny 1 0.6%
WM Lunch 2 1.2%
WM NiceDay 1 0.6%
WM Npad 6 3.7%
WM Showoff 1 0.6%
WM Wazzu 40 24.8%
XM Laroux 16 9.9%
Other (Specify Virus) 33 20.5%
None Found 1 0.6%
Don't Know 32 19.9%
Refused 1 0.6%

For the remainder of the survey, the word "group" refers to those PCs and servers for which you are responsible.

(Q5D) Compared to this time last year, do you feel the virus problem in the computing industry is: (READ LIST)

Base: 297
Much Worse 23 7.7%
Somewhat Worse 42 14.1%
About the Same 115 38.7%
Somewhat Better 67 22.6%
Much Better 48 16.2%
Don't Know 2 0.7%
Refused 0 0.0%

(Q5E) Compared to this time last year, do you feel MS Word Macro virus problems in the computing industry are: (READ LIST)

Base: 297
Much Worse 30 10.1%
Somewhat Worse 51 17.2%
About the Same 96 32.3%
Somewhat Better 60 20.2%
Much Better 37 12.5%
Don't Know 23 7.7%
Refused 0 0.0%

(Q5F) Compared to this time last year, do you feel MS Excel Macro virus problems in the computing industry are: (READ LIST)

Base: 297
Much Worse 17 5.7%
Somewhat Worse 42 14.1%
About the Same 114 38.4%
Somewhat Better 43 14.5%
Much Better 20 6.7%
Don't Know 61 20.5%
Refused 0 0.0%


For the remainder of the survey, a "virus disaster" will be defined as a virus encounter where a minimum of 25 PCs, diskettes, or files were infected by the same virus at relatively the same time.

(Q6) Has your group had a virus disaster anytime since January 1997?

Yes 297 110 37.0%
No 181 60.9%
Don't Know 3 1.0%
Refused 3 1.0%

If they have had a virus disaster

(Q6A) What was the month and year of your most recent disaster? (DO NOT READ/CLARIFY FOR A SINGLE RESPONSE)

January 1998 110 8 7.3%
February 1998 11 10.0%
March 1998 24 21.8%
January 1997 1 0.9%
February 1997 4 3.6%
March 1997 2 1.8%
April 1997 2 1.8%
May 1997 2 1.8%
June 1997 3 2.7%
July 1997 3 2.7%
August 1997 7 6.4%
September 1997 5 4.5%
October 1997 10 9.1%
November 1997 9 8.2%
December 1997 9 8.2%
Don't Know 10 9.1%
Refused 0 0.0%

(Q6B) What was the name of the virus in your most recent disaster? (DO NOT READ)

AntiEXE 1 0.9%
Form 2 1.8%
Maverick 1 0.9%
Monkey 5 4.5%
NYB 3 2.7%
WM Appdr 1 0.9%
WM CAP 21 19.1%
WM Concept 22 20.0%
WM Imposter 1 0.9%
WM Showoff 1 0.9%
WM Wazzu 9 8.2%
XM Laroux 18 16.4%
Other (Specify Virus) 17 15.5%
None Found 0 0.0%
Don't Know 8 7.3%
Refused 0 0.0%


(Q6C) How many PCs were initially suspected of having the [Q6b] virus?

High 1,500.00
Low 1.00
Mean 81.05
Standard Deviation 193.74

(Q6D) How many PCs were actually found to be infected?

High 3,500.00
Low 1.00
Mean 121.21
Standard Deviation 393.75

(Q6E) How many Servers were initially suspected of having the [Q6b] virus?

High 200.00
Low 1.00
Mean 5.20
Standard Deviation 22.10

(Q6F) How many Servers were actually found to be infected?

High 200.00
Low 1.00
Mean 5.50
Standard Deviation 22.09

(Q6G) How long were any servers "down" while dealing with the disaster? (RECORD IN SERVER HOURS)

High 48.00
Low 0.00
Mean .72
Standard Deviation 5.10

(Q6H) How long did it take for your group to completely recover? (RECORD IN HOUR INCREMENTS)

High 1,000.00
Low 1.00
Mean 45.65
Standard Deviation 114.92

(Q6I) How many person days did the disaster cost your group? (CUMULATIVE TOTAL)

High 160.00
Low 0.00
Mean 9.40
Standard Deviation 22.66

(Q6J) How many dollars did the disaster cost your group?

High $150,000.00
Low $10.00
Mean $2,454.61
Standard Deviation $15,017.17


(Q7) Which of the following effects occurred in your group with the most recent virus disaster or encounter? (READ LIST)

Loss of user confidence in the system 297 55 18.5%
Threat of someone losing their job 11 3.7%
Loss of productivity 213 71.7%
Screen message, interface, or lockup 172 57.9%
Lost data 92 31.0%
Corrupted files 169 56.9%
Loss of access to data (i.e. on Server, etc) 111 37.4%
Unreliable applications 72 24.2%
PC was unavailable to the user 169 56.9%
System crash 59 19.9%
Trouble saving files 136 45.8%
Trouble reading files 149 50.2%
Trouble printing 72 24.2%
Other (Specify Effect) 3 1.0%
No Effects 17 5.7%
Don't Know 2 0.7%
Refused 1 0.3%

(Q8) How did your most recent virus disaster or encounter come to your site? (READ LIST/PROBE FOR ALL)

A diskette, demo or similar 297 13 4.4%
A diskette, repair/service person 9 3.0%
A diskette, LAN manager 2 0.7%
A diskette, shrink-wrapped software 5 1.7%
A diskette, malicious person 3 1.0%
A diskette, brought from someone's home 107 36.0%
A diskette, other 61 20.5%
On a distribution CD 5 1.7%
A download from BBS, AOL, CompuServe, 28 9.4%
Other download 9 3.0%
Via Email as an attachment 96 32.3%
Via an automated software distribution 4 1.3%
While browsing the World Wide Web 6 2.0%
Other (Specify Source) 2 0.7%
None Specified 12 4.0%
Don't Know 16 5.4%
Refused 2 0.7%

If they are running anti-virus software.

(Q10A1) On the desktop PC level, which of the following anti-virus software protection methods are used? (READ LIST)

Users check diskettes and downloads 298 137 46.0%
Anti-virus software scans hard drive on boot-up 188 63.1%
Anti-virus software scans for viruses periodically 96 32.2%
Anti-virus software scans for viruses full-time 207 69.5%
Other periodic anti-virus detection 57 19.1%
Other full-time anti-virus detection 29 9.7%
Other (Describe method) 4 1.3%
No Method in Place 1 0.3%
Don't Know 1 0.3%
Refused 0 0.0%


If they use anti-virus software on servers.

(Q10B1) On the file server level, which of the following anti-virus software protection methods are used? (READ LIST)

Scans HD for viruses periodically 275 111 40.4%
Scans full-time in the background 177 64.4%
Other (Specify Methods) 5 1.8%
No Method Used 1 0.4%
Don't Know 17 6.2%
Refused 1 0.4%

(Q10C) What percentage of e-mail gateways have full-time anti-virus software installed now?

Mean 39.05
Standard Deviation 48.12

(Q10D) What percentage of proxy servers have full-time anti-virus software installed now?

Mean 26.02
Standard Deviation 43.86

(Q10E) What percentage of firewalls have anti-virus software installed now?

Mean 33.10
Standard Deviation 47.05

(Q10F) What percentage of desktop PCs have NO anti-virus software installed?

Mean 12.14
Standard Deviation 23.73

(Q10G) What percentage of desktop PCs have anti-virus software installed, but not running?

Mean 3.47
Standard Deviation 13.01

(Q11) What department are you in?

Accounting/Finance 300 1 0.3%
Customer Service/Support 0 0.0%
Data Processing 5 1.7%
Education/Training 0 0.0%
Engineering 3 1.0%
General Administration/Management 1 0.3%
Manufacturing/Production 0 0.0%
Research & Development 1 0.3%
MIS/IS 248 82.7%
Personnel/Human Resources 0 0.0%
Public Relations/Communications 0 0.0%
Purchasing 0 0.0%
Sales/Marketing 0 0.0%
Other (Specify Department) 41 13.7%
No Specific Department 0 0.0%
Don't Know 0 0.0%
Refused 0 0.0%


(Q12) What is your job title? (DO NOT READ)

Director of Data Processing/IS 300 11 3.7%
Director of Computer Security 8 2.7%
Manager of Data Processing 4 1.3%
Manager of MIS/IS 28 9.3%
Manager of Computer Security 15 5.0%
Systems Analyst/Programmer 26 8.7%
Support Specialist 15 5.0%
Systems Mgr/Network/LAN Mgr 61 20.3%
Other (Specify Title) 132 44.0%
No Title Specified 0 0.0%
Don't Know 0 0.0%
Refused 0 0.0%

(Q13) What is your organization's primary line of business? (DO NOT READ)

Accounting 300 3 1.0%
Agriculture 0 0.0%
Business Services 5 1.7%
Communications 7 2.3%
Construction 0 0.0%
Education 3 1.0%
Engineering 8 2.7%
Finance 18 6.0%
Government 93 31.0%
Healthcare 53 17.7%
Insurance 13 4.3%
Legal 5 1.7%
Manufacturing 35 11.7%
Mining 1 0.3%
NonProfit 1 0.3%
Professional Services 8 2.7%
Real Estate 0 0.0%
Retail 3 1.0%
Transportation 3 1.0%
Utilities 11 3.7%
Wholesale 2 0.7%
Other (Specify Industry) 27 9.0%
Don't Know 0 0.0%
Refused 1 0.3%

(M1) How do you characterize the importance of the Internet to the work done by your employees? (READ LIST)

Not Important 300 9 3.0%
Not Essential 40 13.3%
Important 186 62.0%
Mission Critical 63 21.0%
Don't Know 2 0.7%
Refused 0 0.0%


(M2) How would you characterize the threat to computing security posed by malicious auto-executable code (i.e. Java Applets, cookies, ActiveX controls, etc.)? (READ LIST)

High Threat 300 75 25.0%
Moderate Threat 142 47.3%
Low Threat 70 23.3%
No Threat 9 3.0%
Don't Know 4 1.3%
Refused 0 0.0%

(M3) Has your company experienced an attack or breach in security associated with malicious auto-executable code? (COMPANY IDENTITY IS KEPT CONFIDENTIAL)

Yes 300 18 6.0%
No 265 88.3%
Don't Know 12 4.0%
Refused 5 1.7%

(M4) Do you currently have a policy on the use of Java Applets or ActiveX controls in your business?

Yes 300 80 26.7%
No 203 67.7%
Don't Know 16 5.3%
Refused 1 0.3%

If they have policies for Java and ActiveX.

(M5) What is the policy regarding Java Applets or ActiveX? (READ LIST)

Java-Allow Trusted Java Applets 80 17 21.3%
Java-Allow Untrusted Applets 14 17.5%
Java-Do Not Allow Any Java Applets 26 32.5%
Java-Don't Know 13 16.3%
ActiveX-Allowed Signed ActiveX Controls 11 13.8%
ActiveX-Allow Unsigned ActiveX Controls 7 8.8%
ActiveX-Do Not Allow Any ActiveX Controls 31 38.8%
ActiveX-Don't Know 20 25.0%
Other (Specify) 1 1.3%
None-Specific Policy 0 0.0%
Don't Know About Either 5 6.3%
Refused 5 6.3%


Appendix C: Profile of Respondents

Each site contacted for this survey was asked who in the company was the most responsible for managing virus problems on PCs or networks in their company. Once a qualified respondent was located, these individuals were asked about the number of PCs and servers they were responsible for (in terms of viruses), their department, job title, and the primary line of business for their company.

Job Title

There was considerable variation in the job titles of respondents, with 117 titles identified for this group of 300 respondents [15]. Titles of respondents in the 1998 survey closely correspond to those in the 1997 survey, providing an informal basis for comparing the two studies [16].

Table 21. Titles of Respondents

Title 1997 Percentage 1998 Percentage

Director of Data Processing/Information System 3.7% 3.7%

Director of Computer Security 5.0% 2.7%

Manager of Data Processing 1.3% 1.3%

Manager of MIS/IS 8.7% 9.3%

Manager of Computer Security 3.0% 5.0%

Systems Analyst/Programmer 7.7% 8.7%

Support Specialist 4.7% 5.0%

Systems Manager/PC Network/LAN Manager 20.0% 20.3%

Other 46.0% 44.0%

Respondent’s Department

As in the 1996 and 1997 surveys, most respondents (83%) in the 1998 survey worked in MIS/IS departments. This distribution by department in the 1998 survey closely corresponds to that of both the 1996 and 1997 surveys, providing an informal basis for comparing the three studies [17].


Table 22. Respondent Department, 1996, 1997, 1998

Department 1996 1997 1998

MIS / IS 87% 73% 83%

Customer Service / Support 3% <1% 0%

Data Processing 3% 4% 2%

Public Relations / Communications 2% 0% 0%

General Administration / Management 1% <1% <1%

Accounting / Finance 1% 1% <1%

Engineering 1% <1% 1%

Education / Training <1% 0% 0%

Manufacturing / Production <1% 0% 0%

Research & Development <1% <1% <1%

Personnel / Human Resources <1% <1% 0%

Sales / Marketing <1% 0% 0%

Number of PCs in the Group

Respondents were asked how many PCs they were responsible for in terms of virus knowledge, prevention, and software. It was recognized that the respondent might not have complete responsibility for these PCs, but would be able to talk in detail about the virus problems encountered on these PCs and the virus prevention software and techniques employed. Respondents who represented multi-national organizations were asked to limit their discussion to those PCs and servers in North America. These PCs were subsequently referred to as the PCs in their group. The average respondent was responsible for 1,938 PCs [18].

Desktop PC Operating System

Respondents were asked which desktop operating systems were used in their organization (group), and they were also asked to estimate the number of PCs using each operating system. A total of 581,451 PCs were represented by this survey [19]. Although the number of Macintosh systems was solicited at this stage of the survey, the respondent was instructed to ignore virus-related issues on Macintosh systems for the remainder of the survey. The breakdown of PC operating systems is shown in Table 23. Percentage of Organizations Running Various Operating Systems.

18 This number is slightly down from the 1997 survey, in which the average respondent was responsible for 2,454 PCs.


Table 23. Percentage of Organizations Running Various Operating Systems, 1997-1998

Operating System 1997 1998

DOS only (no Windows) 45.00% 16.3%

Windows 3.1 90.70% 54.0%

Windows 95 88.70% 88.7%

Windows NT 72.70% 72.7%

OS/2 38.70% 12.7%

Macintosh 43.00% 15.0%

Unix 47.30% 14.3%

Other 4.70% 8.3%

The change between 1997 and 1998 is quite dramatic. While Windows 95 and Windows NT have held their own, all other operating systems (except "other") have been disappearing from desktops. This has consequences for the viruses we have been seeing and will be seeing: for instance, if the trend is away from DOS, then it is away from DOS viruses as well.

Figure 24. Percentage of Organizations Running Various Operating Systems, 1997-1998


Type of Network Employed

Respondents were asked which network operating systems were in use in their group as well as the total number of servers (both file servers and application servers) using each type of operating system. The average survey site had 40 file and application servers [20]; the total number of file and application servers was 12,115 [21]. Respondents were asked, "Which LAN server operating systems does your organization have running?" The breakdown of network operating systems is shown in Table 24. Percent of Organizations Running Various Network Operating Systems. NetWare 3.x, LAN Server, and VINES have all shown substantial loss in installed base in this one-year period for these respondents.

Table 24. Percent of Organizations Running Various Network Operating Systems

NOS 1997 1998

Novell NetWare 3.x 61.0% 40.0%

Novell NetWare 4.x 60.7% 57.3%

Windows NT 71.0% 74.7%

IBM OS/2 LAN Server 14.3% 6.0%

IBM LAN Server 3.3% 1.3%

Banyan VINES 10.7% 5.0%

UNIX 42.3% 16.3%

Primary Line of Business

As shown in Table 25. Primary Line of Business, respondents represented a range of business types, with no dominant representation among Accounting, Business Services, Communications, Construction, Education, Engineering, Finance/Insurance, Government, Healthcare, Legal, Manufacturing, Non-Profit, Professional Services, Retail, and Transportation/Utilities Businesses. Distribution of respondents by line of business in the 1998 survey closely corresponded to that in the 1997 survey, providing an informal basis for comparing the two studies [22]. In comparison with the 1997 survey, the 1998 survey included fewer respondents from finance/insurance, and more from government.

9 This item was not included in the 1996 survey.

10 This item was not included in the 1996 survey.

11 This item was not included in the 1996 survey.

12 A "virus disaster" was defined as "a virus encounter where a minimum of 25 PCs, diskettes, or files were infected by the same virus at relatively the same time."

14 ActiveX controls are essentially programs that download and execute on a user's system. The only “security” measure in place for ActiveX controls is Authenticode, Microsoft’s technology for protecting users from hostile programming code. Authenticode can tell the user: a) who signed the code (not necessarily the author of the code) and b) if the code has been changed since it was signed (but not who changed it or whether it was a good or bad alteration). Java applets, on the other hand, are forced to play in the Java Sandbox (another name for the Java Security model). The sandbox does not allow applets to access the user’s hard drive, execute files/programs, read/write to the file system, access network activities, etc.


Table 25. Primary Line of Business

Business 1997 1998

Accounting 0.7% 1.0%

Business Services 0.3% 1.7%

Communications 1.7% 2.3%

Construction 0.3% 0.0%

Education 1.7% 1.0%

Engineering 1.3% 2.7%

Finance/Insurance 13.3% 6.0%

Government 24.7% 31.0%

Healthcare 16.7% 17.7%

Legal 2.0% 1.7%

Manufacturing 11.0% 11.7%

Non-Profit 0.7% 0.3%

15 In 1998, the 117 titles included: Administration Analyst; Application Support Supervisor; Area Technology Manager; Branch Manager; Business Services Manager; Chief Information Officer; Chief Of Policy And Planning; Chief Of Technical Services; Client Response Center Manager; Computer Engineer; Computer Specialist; Computer Technical Specialist; Corp Data Security Administrator; Corporate Information Systems Security Manager; Corporate Services Office Support Officer; Data Security Administrator; Data Security Analyst; Desktop And Server Standard Analyst; Director Of Client Services; Director Of Network Operations; Director Of System Coordination; Director Of Technical Support; District Security Analyst; Enterprise LAN Administrator; Enterprise Coordinator; Field Systems Supervisor; Help Desk Supervisor; Information Center Manager; Information Protection Officer; Information Security Administrator; Information Security Analyst; Information Security Specialist; Information Security Technical Manager; Information Service Specialist; Information System Engineer; Information Systems Security Officer (ISSO) Specialist; It Consultant; It Director; It Supervisor; LAN Administration Specialist Iii; LAN Administrator; Lead Hardware Technician, Manager Desktop Services, Manager Of Applications, Manager Of Client Services In MIS; Manager Of Desktop Services; Manager Of Desktop Support; Manager Of Network And Technology; Manager Of Operations And Technical Support; Manager Of Personal Computers; Manager Of Technical Resources; Manager Of Technical Support; Micro Computer Network Administrator; Micro Computer Analyst; Micro Computer Specialist; Micro Systems Manager; Microcomputer Systems Analyst; Network Administration; Network Administrator; Network Engineer; Network Manager; Network Security Administration; Network Service Manager; Network Services Administrator; Network Specialist; Network Systems Administrator; Office Systems Consultant; Operating System Support; 
Operation Maintenance Manager; Operations Manager; PC Specialist; PC Specialist; PC Support Supervisor; Principal Telecommunications Engineer; Section Chief Exam Automation; Security Analyst; Security Manager; Senior Information Specialist; Senior LAN Analyst; Senior Manager Of Computer Systems; Senior Network Analyst; Senior Network Technician; Senior Operation Analyst; Senior Server Analyst; Senior Systems Technician; Senior Technical Specialist; Senior Vice President Of Information Systems; Special Network Projects Engineer; Supervisor Data Processing; Supervisor Of Desktop Services; Supervisor Of Operations; Systems Administrator; Systems Development Manager; Systems Maintenance Engineer; Team Leader; Technical Analyst; Technical Services Manager; Technical Support Manager; Technology Integrator; Technology Risk Manager; Telecommunications Supervisor; Vice President; Vice President Of Computer Information Operations; Vice President Of Systems; Vice President; Manager Of Data Security Services; VP And Chief Information Officer; Webmaster; Windows NT Administrator; & Work Station Support Manager.


Professional Services 0.7% 2.7%

Retail 1.3% 1.0%

Transportation/Utilities 6.3% 4.7%

Other 17.3% 14.5%

In 1997, the 182 titles included: Administrative Analyst; Assistant Director of MIS And Director Of Technical Services; Asst. VP; AT-IRM; Branch Chief Of Modeling And Simulation Development And Support; Buildings Service; Business And Professional Regulation; C4 Systems Security And Job Control; Chief Of Customer Services; Chief Of Information Services; CIO; Computer Department; Computer Security; Computer Security Officer; Computer Service Manager; Computer Services; Computer Specialist; Computer Support; Computer Support Analyst; Computer Technical Specialist; Computer Technician; Computing Services; Consultant; Consultant For Information Technology; Consultant To Network Services; Core Services Manager; Corporate Admin For Computer Security And Recovery; Corporate Affairs; Corporate Computer And Information Security; Corporate Information Systems; Corporate Security; Customer Engineer; Customer Support; Customer Support Manager; Data Base Administrator; Data Research Management; Data Security Of MIS; Dc Department Of Employment Services; Departmental Computer Specialist; Deputy Director Of Computing Services; Desktop Configuration Lead; Desktop Support; Detailed Into The AIS Security; Director Of Enterprise Systems; Director Of Purchasing And General Services; Director Of Technical Services; Disaster Recovery Analyst; Division Chief, DOIM Network Department; End User Computing Supervisor; End User Services Manager-Boston Location; Engineering Computer Services; Exchange NT Administrator; General Services; Helpdesk Supervisor; Information Analyst; Information Consultant; Information Security; Information Security Officer; Information Security Project Lead; Information Systems Group; Information Systems Security Officer; Information Systems Specialist; Information Systems Supervisor; Information Technology And Users Services; Information Technology Planning Analyst; Internal Support; Is Helpdesk Administrator; ISC 1; Laboratory Medicine; LAN Analyst; LAN Engineer 
Three; LAN Services; Lead Data Communications Engineer; Lead Information Security Administrator; Manager For Technical Services; Manager Of Advance Technology; Manager Of Computer Security; Manager Of Enterprise Networks; Manager Of Microcomputing Systems; Manager Of Network Operations; Manager Of Support; Manager Of Technical Network Services; Manager Of Technical Solutions; Manager Of Technology Group; Manager Of Technology Services; Manager Of The Helpdesk; Manager Of User Support; Manager; Distributed Systems; Manager; Technical Operations; Microcomputer Administration; Microcomputer Manager; Microcomputer Specialist; Microcomputer Specialist I; Microcomputer Support Manager; MTS III; Network Administration; Network Analyst; Network Department; Network Engineer; Network Management; Network Management Branch; Network Operations; Network Operations Manager; Network PC Specialist; Network Project Manager; Network Security Analyst; Network Services; Network Services Supervisor; Network Support; Office Of Information Technology; Office Of Technology Services; Operations Chief; PC Analyst; PC LAN Department; PC LAN Management; PC LAN Network Specialist II; PC Server Services; PC Services; PC Specialist; PC Support; PC Technician; Project Manager; Publishing Systems; Publishing Systems Manager; Revenue; Sales And Customer Service Technology; Section Manager; Technical Services; Security; Security Analyst; Security Department; Security Manager; Security Office; Senior Analyst; Senior Network Analyst; Senior Network Engineer; Senior Specialist; Senior Systems Programmer; Senior Systems Technician; Software Engineer; Software Specialist Tech; Sr. Consultant Information Technology; Sr. Manager; Sr. Network Analyst; Sr. Network Systems Analyst; Sr. Sales Automatic Technical Consultant; Sr. 
Systems Analyst; Staff Engineer; Supervisor Of LAN Development; Supervisor Of Network Infra Structure Services; Supervisor Of Network Operating Systems Support; Supervisor Of Network Operations And Logistics;


Appendix D: Common Viruses

Table 26. Most Commonly Reported Viruses, Jan-Feb 1998

Columns: Virus, Type, Synonyms, Reports, Wild List, Virus Bulletin

15_Years.B Espejo.B 1

15_Years.C Espejo 7

ABCD Boot 2 4

Accept.3773 File 1

Aircop.Standard.A Boot 1

Alfons.1344 File Iutt99 11

Anticad.4096.A File Plastique 5.12 1

Anticad.4096.Mozart File 1

AntiCMOS (family) Boot 27 8

AntiCMOS.A Boot Lenart 30

AntiCMOS.B Boot LiXi 12

AntiCMOS.C Boot 1

AntiCMOS.D Boot AntiCMOS.G 1

AntiEXE (family) Boot 23 27

AntiEXE.A Boot D3, Newbug. 35

AntiEXE.B Boot 1

Arianna.3375 File 1

Arusiek.817 File 1

Avalon 1

Supervisor Of Network Services; Supervisor Of Software Services; Supervisor Of Systems Analysts; Supervisor/Team Leader Of The Is Helpdesk; System Network Leader; System Support; Systems Coordinator; Systems Engineer; Systems Engineering; Systems Engineering Manager; Systems Project Administrator; Systems Supervisor; Team Leader; Team Leader Work Station Support Group; Technical Analyst; Technical Process Facilitator; Technical Specialist; Technical Support; Technology; Technology Group; Technology Services; Telecom Manager; Telecommunication Center; Telecommunications Manager; Vice President; Vice President Of MIS; War Gaming Simulation Center; Web Developer; Workstation Support Administrator; Worldwide Information Security Manager.

16 The correlation between the percentage of respondents with each of nine pre-designated titles (those shown in Table 21. Titles of Respondents) in the 1997 and 1998 studies is .997

17 The correlation between the percentage of respondents in each of these pre-designated departments was .999 ('96/'97, '97/'98, and '96/98).


Avispa.D 3

Baboon 3

Bachkhoa.3999 File DuBug.3999. 2

BackFormat.2000.A File Backform. 4

BackFormat.B File BackForm.B. 1

Bad_Sectors.3428 File 2

Bakalava I 1

Barrotes (family) File 1

Barrotes.1303 File 1

Barrotes.1310.A File Barrotos. 7

Barrotes.1463 File 1

Beah 1

Beavis.B 1

Beer.2473 File 1

Bladerunner.860 File 1

Bleah Boot 2

Bleah.C 1

Bloodhound 1

Bonus 1

Boot Boot 2

Boot-437.A 18

BootEXE.451 File BFD, BE-451 8

Bosco 1

Burglar.1150.A File GranGrave.1150. 13

Bye ByeBye. 7

Byway.A Dir2.Byway, Hnd 12

Byway.B Dir2.Byway, Hnd 3

Cascade File 1

Cascade.1701.A File 1701 14

Cascade.1704.A File 1704 8

Casper File 1

Cavaco.1470 File 1

Cawber 1

Chang 1

Changsha.3072 File Century, Changes 2


Chaos.1241 Faust 2

Chill 1

Chinese_Fish Boot Fish Boot 3

Civil_Defence.6672.C CDV 3.3 3

Cordobes.3334 1

Cosenza 1

Countdown.1300 File 2

CountDown.1363 File Roet.1363 2

Coup.2052 File 1

CPW.1527 File Mediera, Mierda 6

Crazy_Boot 6

Cruel.A 6

DA_Boys (family) Boot 2

DA_Boys.A Boot 6

Danish_Boot Boot 1

Dark_Avenger.1800.A File Eddie 6

Dark_Avenger.2100.SI.A File 1

Defo PeterII.Runtime 3

DelCMOS Boot 7

DelCMOS.B Boot Int7F-E9, Feint 7

Deliver.1771 File Blue Shark. 1

Delta.1128 File 1

Delta.1163 File 2

Delwin Multipartite 1

DelWin.1759 File Goblin.1759 10

Den_Zuko.2.A Boot Den Zuk 3

Desperado.1403.C File 1

Diablo_Boot Boot 7

Die_Hard.4000.A File DH2, Wix. 19

Digi.3547 File Deliver.Stealth 3

Dinamo Boot 1

Dir_II.A Creeping Death. 12

Dodgy Boot 4 13

DR&ET Dret. 1

Dual_Gtm.1643 BewareBug.1643. 1


Ear.Leonardo.1207 1

Eco Boot 2

Eco.B Boot Sevilla, Bleah 2

Edwin Boot 3 1

Empire.Int_10.B Boot 2

Empire.Monkey (family) Boot 35 17

Empire.Monkey.A Boot Monkey. 15

Empire.Monkey.B Boot Monkey 2. 2

EXE_Bug (family) Multipartite 2 3

EXE_Bug.A Multipartite CMOS Killer 15

EXE_Bug.C Multipartite 3

EXE_Bug.Hooker 2

Facade 1

Fairz Khobar. 3

Fat_Avenger Boot 4

Fichv.2_1 1

Filler.A DiskFiller. 2

Finnish.357 1

Finnish_Sprayer Aija. 3

Finnpoly 1

FITW 1

Flip (family) Multipartite 1

Flip.2153.A Multipartite Omicron 5

Flip.2343 Multipartite Omicron 2 3

Form (family) Boot 25 29

Form.A Boot Form 18 36

Form.C Boot 4

Form.D Boot Form May. 11

Form.G Boot 1

Form.N Boot 1

Frankenstein Frank, Sblank 1

Frodo.Frodo.A File 4096, 4K. 5

Galicia.800 Multipartite 4

Galicia.A Multipartite Telecom 5

Getto.2000 1

Ginger.2774.A Gingerbread 2

Glupak.857 1

GoldBug 1

Green_Caterpillar.1575.A File Find, 1575. 11

Ha!.1224 Info, Zmaina 1

Hack_Master 1

H-Andromeda.1024 Axe 1

Hare.7610 7

Hare.7750 1

Hare.7786 4

HDKiller Coruna. 1

Helloween.1376.A 1376 4

Hi.460.A Hi. 2

Hi.833 Hi. 1

Hidenowt.1741.A 3

Hippie 1

HLLC.Dosinfo.A File 1

HLLC.Dosinfo.B File 1

HLLC.Even_Beeper.B File 1

HLLP.5850.C File Weed. 2

HLLP.5850.D File 2

HLLP.Petra.7956 File 1

Holiday 1

Horror.1173 1

Ibex.A Bones 2

Immortal.2190 File 1

Infector.1022 File Alia.1023 1

Int12. Boot 1 1 1

Int40 Boot INTC. 2

Int-AA Boot 1

Invisible_Man.2926.A File 3

IR&MJ Diciembre_30_Bo 2

IVP.264.B File 1

IVP.674.B File 1

IVP.Flipper.872 File 1

J&M.A Jimi, Jimmy, Ha 13

Jerusalem (family) File 1

Jerusalem.1244 File 1244 2

Jerusalem.1500 File Xug.1500. 1

Jerusalem.1808.Standard File 1808, 1813. 13

Jerusalem.June_13 File 1

Jerusalem.Mummy.1364.A File Mummy 2.1 2

Jerusalem.Sunday (family) File 1

Jerusalem.Sunday.A File Sunday. 4

Jerusalem.Vespa.1045 File Viajero 1

Jerusalem.Zerotime.Australian.A File Slow 3 1

Jimi Boot 1

Johana_Boot Boot 1

Jos.1000 1

Joshi.A Boot 7

Jumper.A Boot French Boot, 2k 10

Jumper.B Boot SillyBop, 2kb 7

Junkie (family) Multipartite 5 5

Junkie.1027.A Multipartite 34

Kampana Multipartite 1

Kampana.A Multipartite AntiTel,Campana 18

Kaos4.697.A 2

Karnivali.1972 Patras. 1

Keypress.1232.A Turku, Twins. 7

Kmee 1

Krueger.2226 Freddy 2. 3

Lavot 1

Lazarus 1

Leandro TimeWarp. 10

Legozz 1

Lemming.2160 1

Level3.5987 1

Liberty.2857.A Mystic, Magic 1 2

Lilith 2

Lithium Lithi 1

Little_Red.1465.A Red Book, Mao 5

Lizard 1

LTS 1

Lucho 1

MacGyver.2803.A Shoo. 3

Major.1644.A File Major BBS 15

Maltese_Amoeba Amoeba.2367 1 9

Mange_Tout.1099 1099 2

Mannequin 1

Manzon.1414 11

Markt.1533 1

Maverick (family) File 1

Maverick.1536 File 5

Menem_Tocoto 1

Michelangelo (family) Boot 3

Michelangelo.A Boot 16

Ming.CLME.1528 1

MIREA.1788 Lyceum.1788 2

MISiS.A Zharinov, NIKA. 2

Mithrandir 1

Moloch Boot 3 2

Morphine.3500.B 2

MultiAni 1

Music_Bug 1

Natas (family) Multipartite 3

Natas.4744 Multipartite Satan, Sat_Bug. 28

Necros.1164 Gnose, Irish3 1

Neuroquila (family) 1

Neuroquila.A Havoc, Wedding. 4

Neuroquila.B 1

Nightfall.4518 N8Fall. 4

No_Frills.1153 Oi Dudley 3

No_Frills.843 2

Noiembrie.610 1

Nomenklatura.A Nomen 1

November_17th.800.A Jan1, Int83.800 2

November_17th.855.A Int83.855 4

NoWin.2576 Zielona 1

NPox.963.A Evil, Genius 1

NYB (family) Boot 23 13

NYB.A Boot B1. 26

One_Half.3544 Dis, Free Love. 34

One_Half.3570 2

Ontario.1024 1

Ornate 3

Oxana File 1

Pac Man Ghost 1

Parity_Boot (family) Boot 22

Parity_Boot.A Boot 3

Parity_Boot.B Boot Generic 1 2 29

Pasta.B Boot-446. 2

Pathogen.SMEG.0_1 SMEG. 2

Paula_Boot Boot 2

Peligro.1213 1

Peter Peter II. 7

Ph33R.1332 2

Phantom 1

Phx.1295 1

Phx.965 PUX.965 2

Pieck (family) Multipartite 1

Pieck.4444.A Multipartite Kaczor.4444 9

Ping_Pong.B Boot Bouncing-Ball 2

Pojer.1919 Brain-1919. 1

Pojer.4028 Brain-4028. 1

Poppy.1052 1

Predator 1

Predator.2448. 2448 4

QRry Query, Essex. 3

Quandary Boot Parity_Boot.Enc 10 3

Quicky.1376 Quicksilver 7

Quiver Qvr 2

Quox.A Stealth 2 8

Raadioga.1000 1

Raid.5831 1

Ravage B 1

Revenge_II.2816 1

Reverse.948.A Red Spider. 2

Ripper Boot Jack Ripper 3 27 17

RP.A Rhubarb, PR.b 3

Russian_Flag Slydell, Ekater 5

Sampo Boot Turbo, Wllop. 1 24 4

Sarampo.1371.B 2

Sat_Bug.Sat_Bug Satan_Bug 1

Satan 1

Satria.A July 4th. 2

Savor.1000 1

Scitzo.1329 1

Screaming_Fist.696 Fist 2, Scream 3

Scroll.1532 Kato. 1

She_Has Boot Breasts 3 2

Sibylle 1

Sierra 1

Skim.1455 1

Sleep_Walker.1266 1

SlowDog 1

Spanska.1120 File 2

Spanska.1500 File 3

Spanska.4250 File 9 1

Spectre.513 1

Stealth B or C 35

Stealth_Boot (family) Boot 1

Stealth_Boot.B Boot AMSE, NopB. 12

Stealth_Boot.C Boot AMSE, NopB2 16

Stoned (family) Boot 15 1

Stoned.Angelina Boot 1 20 1

Stoned.Azusa.A Boot Hong Kong 6

Stoned.Bravo Boot 2

Stoned.Bunny.A Boot 3

Stoned.Crypt Boot 1

Stoned.Daniela Boot 2

Stoned.Dinamo.C. Boot 2

Stoned.Empire Boot 4

Stoned.Flame.A Boot Stamford. 2

Stoned.June_4th.A Boot Bloody! 7

Stoned.Kiev Boot Epbr. 3

Stoned.Lzr Boot Lisa2, Whit 3

Stoned.Manitoba Boot Stonehenge. 6

Stoned.Michelangelo.D Boot 1

Stoned.No_INT.A Boot Stoned. 19

Stoned.NoInt Boot 1

Stoned.NOP Boot NOP 2

Stoned.Scale Boot BootM1. 1

Stoned.Spirit Boot 13

Stoned.Standard.B Boot New Zealand 15

Stoned.Swedish_Disaster Boot 1

Stoned.W-Boot Boot Stoned.P, Wonka 6

Suriv_1.Argentina File 1

SVC.3103.A 1

Swiss_Boot.A Swiss Army. 5

Tai-Pan.434 1

Tai-Pan.438.A Whisper 18

Tai-Pan.666.A D2D, Doom2Death 10

Tanpro.524 1

Tedy.4350 1

Tentacle.10634 File Tentacle II 6

Tentacle.1966 File 1

Tentacle.1996 File 7

Tentacle_II File 1

Tequila (family) Multipartite 1 1

Tequila.2468.A Multipartite 18

Teraz.4004 Flaga 1

Three_Tunes.1784.A Flip, PCBB.1784 2

TMC_Level-42 1

TMC_Level-69 TMC.5454. 2

TPVO Multipartite 1

TPVO.3783.A. TVPO, 3873. 12

Trakia.653 1

Treblinka Treb, Blin. 1

Tremor (family) 1

Tremor.4000 12

Trojan Bomb 1

Trojan Horse 2

Trojector.1463 Athens. 4

Trojector.1561 3

Tubo Boot 1

Ugly_Jo Jobi. 1

Unashamed.B 10

Unkempt.1350 1

Unsnared.814 V.814 3

Urkel Nwait 6

Uruguay File 1

Uvjan.2246 1

Uvjan.2262 1

V2P6 File 1

V-947 File

Vacsina.1206.A RCE-1206. 2

Vacsina.TP-16.A 1

Valentine.2332 1

Vampiro.1000.A 2

Vanitas.2048 1

VCL.541 1

Vicodin.1168 1

Vienna.648.Reboot.A DOS-62. 6

Vienna.Bua Big Caibua.2262 1

Vinchuca.925 2

VlamiX.1090 Die Lamer 3

Voyage.1134 1

V-Sign Boot Cansu, Sigalit. 1 17

W97M/Appder.A Macro 7

W97M/Appder.D Macro 1

W97M/Boom.A Macro 1

W97M/CAP.C Macro 1

W97M/CMD.A Macro W97M/NightShade 1

W97M/Concept.BB Macro 1

W97M/Kompu.A Macro 4

W97M/MDMA.D Macro 2

W97M/Niceday.A Macro 1

W97M/Temple.A Macro 1

W97M/TWNO.A Tw Macro 1

W97M/Wazzu.A Macro 4

W97M/Wazzu.C Macro 4

W97M/Wazzu.DL Macro 1

W97M/Wazzu.X Macro 1

WelcomB Boot Bupt.9146 5 18

Werewolf.1168 1

Werewolf.120 1

Werewolf.1500.B 7

Werewolf.684 Claws 1

Werewolf.693 Fangs 1

Win.Apparition.d 1

Win32.Apparation 1

Win95/Anxiety.A Win95.Anxiety 5

WM (family) Macro 13

WM/ABC Macro

WM/Actung Macro 1

WM/Alien.A Macro 4

WM/Alliance.A Macro 1

WM/Ammy.A Tw Macro 1

WM/AntiNS Macro 1

WM/Appder (family) Macro 2

WM/Appder.A Macro ntthnta 11

WM/Appder.B Macro 2

WM/Appder.D Macro 1

WM/Appder.G Macro 1

WM/Appder.I Macro 5

WM/Appder.L Macro 1

WM/Appder.N Macro 1

WM/Appder.O Macro 1

WM/Bandung (family) Macro 1

WM/Bandung.A Macro Concept.J 8

WM/Bandung.AX Macro 1

WM/Bandung.AY Macro 1

WM/Bandung.L Macro 1

WM/Bandung.O Macro 1

WM/Boom.A De Macro 4

WM/Buero.A De Macro Buro:De 4

WM/CAP (family) Macro 52 97

WM/CAP.A Macro 1 29

WM/CAP.D Macro 1

WM/Cebu.A Macro 1

WM/Clock.A De Macro 1

WM/Colors (family) Macro 1 1

WM/Colors.A Macro Colours 8

WM/Colors.AB Macro 1

WM/Colors.B Macro 2

WM/Colors.G Macro 1

WM/Concept (family) Macro 65 29

WM/Concept.A Macro Prank Macro 39

WM/Concept.B Macro 1

WM/Concept.BB Macro 2

WM/Concept.BC Macro 1

WM/Concept.BK Macro 1

WM/Concept.BS Macro 1

WM/Concept.CC Macro 1

WM/Concept.F Macro Parasite.A 5

WM/Concept.J Macro Parisite.B 2

WM/Concept.K Macro 1

WM/Concept.Z Macro 4

WM/CountTen Macro Count10 1 1

WM/Date.B Macro 2

WM/Demon (family) Macro 1 1

WM/Demon.A Macro 5

WM/Divina.A Macro Infeczione. 5

WM/Divina.C Macro 1

WM/Divina.D Macro 1

WM/Divina.K Macro 1

WM/Divina.N Macro 1

WM/DMV.E Macro 1

WM/Doggie Macro 1

WM/Dub Macro 1

WM/DZT (family) Macro 1 3

WM/DZT.A Macro 7

WM/DZT.B Macro 1

WM/Epidemic.A Tw Macro Epidemic. 1

WM/Goldfish (family) Macro 1 5

WM/Goldfish.A Macro 2

WM/Goldfish.C Macro 1

WM/Goldfish.E Macro 1

WM/Goodnight (family) Macro 1 2

WM/Goodnight.C Macro 1

WM/Goodnight.D Macro 1

WM/Goodnight.F Macro 1

WM/Goodnight.G Macro 1

WM/Goodnight.H Macro 1

WM/Goodnight.I Macro 1

WM/Goodnight.J Macro 1

WM/Goodnight.K Macro 1

WM/Goodtimes ??? Macro 1

WM/Guess.A Tw Macro Look. 1

WM/Helper (family) Macro 1

WM/Helper.A Macro 6

WM/Helper.B Macro 5

WM/HIAC.A Macro 3

WM/Hot.A Macro Hot 2

WM/Hybrid.A Macro 5

WM/Hybrid.K Macro 1

WM/Imposter (family) Macro 2 5

WM/Imposter.A Macro Imposter. 7

WM/Imposter.E Macro 3

WM/Inexist.A Macro 1

WM/Influenza.B Macro 1

WM/Irish.A Macro Irish 7

WM/Johnny (family) Macro 6 4

WM/Johnny.A Macro Go Jonny 9

WM/Johnny.A1 Macro 2

WM/Johnny.B Macro 1 1

WM/KillLuf.A Macro 1

WM/Komcon.A Macro 1

WM/Kompu (family) Macro 2

WM/Kompu.A Macro 7

WM/Kompu.E Macro 1

WM/Kompu.G Macro 1

WM/Lunch (family) Macro 2 3

WM/Lunch.A Macro 1

WM/Lunch.B Macro 7

WM/Lunch.F Macro 1

WM/Lunch.G Macro 1

WM/Ma Macro 1

WM/Maddog.A Macro 1

WM/MDMA (family) Macro 3 1

WM/MDMA.A Macro StickyKeys. 18

WM/MDMA.AG Macro 1

WM/MDMA.AH Macro 1

WM/MDMA.AI Macro 1

WM/MDMA.AK Macro 1

WM/MDMA.C Macro 2

WM/MDMA.D Macro 5

WM/MDMA.E Macro 1

WM/MDMA.F Macro 1

WM/Mtf Macro 2

WM/Muck (family) Macro 1 1

WM/Muck.D Macro 1

WM/Muck.F Macro 1

WM/Muck.P Macro 1

WM/Muck.R Macro 1

WM/Muck.S Macro 1

WM/Munch Macro 1

WM/NF (family) Macro 1

WM/NF.A Macro 2

WM/NiceDay (family) Macro 2 4

WM/NiceDay.A Macro 9

WM/Niceday.O Macro 1

WM/Niknat.A Macro 1

WM/Ninja (family) Macro 1

WM/Ninja.A Macro 1

WM/NOP (family) Macro 1

WM/NOP.A De Macro Nop 7

WM/NOP.F De Macro 3

WM/Npad (family) Macro 10 15

WM/Npad.A Macro Jakarta 29

WM/Npad.BR Macro 1

WM/Npad.D Macro 3

WM/Npad.DP Macro 1

WM/Npad.EQ Macro 1

WM/Nuclear.A Macro 1

WM/Nuclear.B Macro Nuclear.B 5

WM/Nuclear.V Macro 1

WM/Oblom.H Macro 1

WM/Paycheck (family) Macro 1 5

WM/Paycheck.A Macro 4

WM/Pesan.A Macro 1

WM/Pesan.B Macro 4

WM/Pesan.C Macro 1

WM/Rapi (family) Macro 1

WM/Rapi.A Macro 6

WM/Razer Macro 2

WM/Safwan.A Macro 3

WM/Schumann (family) Macro 5

WM/Schumann.A Macro 3

WM/Schumann.C Macro 3

WM/Setmd.A Tw Macro 1

WM/Setmd.B Tw Macro 1

WM/Sharefun.A Macro 3

WM/ShowOff (family) Macro 4

WM/ShowOff.A Macro 5

WM/ShowOff.C Macro 5

WM/Showoff.CB Macro 1

WM/Showoff.CG Macro 1

WM/Small.A Macro 1

WM/Surabaya.A Macro 5

WM/Switcher (family) Macro 1

WM/Switcher.A Macro 3

WM/Swlabs (family) Macro 3 2

WM/Swlabs.B Macro 2

WM/Swlabs.E Macro 1

WM/Swlabs.G Macro 1 2

WM/Swlabs.I Macro 1

WM/Tao.A Macro 1

WM/Temple (family) Macro 2 8

WM/Temple.A Macro 2

WM/Temple.F Macro 1

WM/Temple.G Macro 1

WM/Theatre.A Tw Macro 1

WM/Theatre.B Tw Macro 1

WM/Timid Macro 1

WM/Toten.A Macro 1

WM/Toten.B Macro 1

WM/Tunguska.A It Macro 1

WM/TWNO (family) Macro 1

WM/TWNO.A Tw Macro Taiwan No. 1 3

WM/TWNO.AB Macro 1

WM/Veneno.A Macro 1

WM/Vicinity.A Macro 1

WM/Vicinity.C Macro 1

WM/Wazzu (family) Macro 44 10

WM/Wazzu.A Macro Wazzu 28

WM/Wazzu.AV Macro 1

WM/Wazzu.AW Macro 1

WM/Wazzu.BE Macro 1

WM/Wazzu.C Macro 14

WM/Wazzu.CA Macro 1

WM/Wazzu.CL Macro 2

WM/Wazzu.DG Macro 1

WM/Wazzu.DO Macro 1

WM/Wazzu.E Macro 2

WM/Wazzu.F Macro Bosco 4

WM/Wazzu.H Macro Microsloth. 1

WM/Wazzu.O Macro 1

WM/Wazzu.P Macro 4

WM/Wazzu.Q Macro 1

WM/Wazzu.X Macro 3

WM/Weather.A Tw Macro Fish. 1

WM/Yaka.A Macro 1

WM/ZMB.A De Macro 1

WM/ZMB.B Macro 1

WM/Zoolog.A Macro 1

Wwp 1

WXYC.A 3

X97M/Laroux.A Macro 12

X97M/Laroux.AA Macro 1

X97M/Laroux.D Macro 1

X97M/Laroux.E Macro 1

Xeram.1664 1

XM (family) Macro 1

XM/Laroux (family) Macro 32 16

XM/Laroux.A Macro 19

XM/Laroux.AA Macro 1

XM/Laroux.AD Macro 1

XM/Laroux.AE Macro 1

XM/Laroux.AF Macro 1

XM/Laroux.AG Macro 1

XM/Laroux.AI Macro 1

XM/Laroux.AL Macro 1

XM/Laroux.AP Macro 1

XM/Laroux.AT Macro 1

XM/Laroux.AU Macro 1

XM/Laroux.D Macro 5

XM/Laroux.E Macro 6

XM/Laroux.G Macro 2

XM/Laroux.L Macro 1

XM/Nocal.A Macro 1

Xuxa.1984 1

Yankee Doodle.TP-39.A File 1

Yankee Doodle.TP-44.A File RCE-2885. 14

Yankee Doodle.XPEH.4928 File Micropox. 3

Yesmile 1

Zarma 1

Zipper 1

Appendix E: Survey Statistics

Calls Disposition

Total Hours 180

Total Calls 3146

Completed 300

Busy 1593

No Answer/Unobtainable 258

Unqualified Location 57

Call Back 141

Refusals 395

Other 702

Calls Per Completed Survey 10.49

Completed Surveys Per Hour 0.6

Appendix F: Glossary

The following are common terms used in discussions of anti-virus software:

Background Scanning: Automatic scanning of files as they are created, opened, closed, or executed. Performed by memory resident anti-virus software. Synonyms: online, automatic, background, resident, active.

Behavior Blocking: A set of procedures that are tuned to detect virus-like behavior, and prevent that behavior (and/or warn the user about it) when it occurs. Some behaviors that should normally be blocked in a machine include formatting tracks, writing to the master boot record or boot record, and writing directly to sectors. Synonyms: “dynamic code analysis”, “behavioral analysis.”

Boot Record: The program recorded in the Boot Sector. All floppies have a boot record, whether or not the disk is actually bootable. Whenever you start or reset your computer with a disk in the A: drive, DOS reads the boot record from that diskette. If a boot virus has infected the floppy, the computer first reads the virus code in (because the boot virus placed its code in the boot sector), then jumps to whatever sector the virus tells the drive to read, where the virus has stored the original boot record.

Boot Sector: The first logical sector of a drive. On a floppy disk, this is located on side 0 (the top), cylinder 0 (the outside), sector 1 (the first sector.) On a hard disk, it is the first sector of a logical drive, such as C: or D:. This sector contains the Boot Record, which is created by FORMAT (with or without the /S switch.) The sector can also be created by the DOS SYS command. Any drive that has been formatted contains a boot sector.

Boot Sector Infector: Every logical drive, both hard disk and floppy, contains a boot sector. This is true even of disks that are not bootable. This boot sector contains specific information relating to the formatting of the disk, the data stored there and also contains a small program called the boot program (which loads the DOS system files). The boot program displays the familiar “Non-system Disk or Disk Error” message if the DOS system files are not present. It is also the program that gets infected by viruses. You get a boot sector virus by leaving an infected diskette in a drive and rebooting the machine. When the program in the boot sector is read and executed, the virus goes into memory and infects your hard drive. Remember, because every disk has a boot sector, it is possible (and common) to infect a machine from a data disk.

Boot virus: A virus whose code is called during the phase of booting the computer in which the master boot sector and boot sector code is read and executed. Such viruses either place their starting code or a jump to their code in the boot sector of floppies, and either the boot sector or master boot sector of hard disks. Most boot viruses infect by moving the original code of the master boot sector or boot sector to another location, such as slack space, and then placing their own code in the master boot sector or boot sector. Boot viruses which also infect files are sometimes known as multipartite viruses. All boot viruses infect the boot sector of floppy disks; some of them, such as Form, also infect the boot sector of hard disks. Other boot viruses infect the master boot sector of hard disks.

Companion virus: A program that attaches to the operating system, rather than files or sectors. In DOS, when you run a file named “ABC”, the rule is that ABC.COM would execute before ABC.EXE. A companion virus places its code in a COM file whose first name matches the name of an existing EXE. You run “ABC”, and the actual sequence is “ABC.COM”, then “ABC.EXE”.

Encrypted virus: A virus whose code begins with a decryption algorithm, and continues with the scrambled or encrypted code of the remainder of the virus. When several identical files are infected with the same virus, each will share a brief identical decryption algorithm, but beyond that, each copy may appear different. A scan string could be used to search for the decryption algorithm. Cf. Polymorphic.

File virus: Viruses that attach themselves to (or replace) .COM and .EXE files, although in some cases they can infect files with extensions .SYS, .DRV, .BIN, .OVL, .OVR, etc. The most common file viruses are resident viruses, going into memory at the time the first copy is run, and taking clandestine control of the computer. Such viruses commonly infect additional programs as you run them. But there are many non-resident viruses too, which simply infect one or more files whenever an infected file is run.

In the Wild virus: A term that indicates that a virus has been found in several organizations somewhere in the world. It contrasts the virus with one which has only been reported by researchers. Despite popular hype, most viruses are “in the wild” and differ only in prevalence. Some are new and therefore extremely rare. Others are old, but do not spread well, and are therefore extremely rare. Joe Wells maintains a list of those he knows of to be “in the wild”.

Macro virus: A virus which consists of instructions in Word Basic or some other macro language, and resides in documents. While we do not think of documents as capable of being infected, any application which supports macros that automatically execute is a potential platform for macro viruses. Because documents are now even more widely shared than diskettes (through networks and the Internet), document-based viruses are likely to dominate our future.

Master Boot Record: The 340-byte program located in the Master Boot Sector. This program begins the boot process. It reads the partition table, determines what partition will be booted from (normally C:), and transfers control to the program stored in the first sector of that partition, which is the Boot Sector. The Master Boot Record is often called the MBR, and often called the “master boot sector” or “partition table.” The master boot record is created when FDISK or FDISK /MBR is run.

Master Boot Sector: The first sector of the hard disk to be read. This sector is located on the top side (“side 0”), outside cylinder (“cylinder 0”), first sector (“sector 1.”) The sector contains the Master Boot Record.

Master Boot Sector Virus: A virus that infects the master boot sector, such as NYB, spreads through the boot sector of floppy disks. If you boot or attempt to boot your system with an infected floppy disk, NYB loads into memory and then writes itself to the master boot sector on the hard drive. If the disk is not bootable, you see the DOS error message “Non-system disk or disk error...” If the disk is bootable, the system boots to the A: prompt. Either way the system is infected, and there is no indication on the screen that this has happened. Once the hard drive is infected, NYB loads into memory each time the system is booted. The virus stays in memory, waiting for DOS to access a floppy disk. It then infects the boot record on each floppy DOS accesses.

On-Demand Scanning: Synonyms: offline, manual scanning, foreground, non-resident scanning, scanning.

Polymorphic virus: A polymorphic virus is one which produces varied (yet fully operational) copies of itself, in the hope that virus scanners will not be able to detect all instances of the virus.

Remove: To remove or clean a virus means to eliminate all traces of it, returning the infected item to its original, uninfected state. Nearly all viruses are theoretically removable by reversing the process by which they infected. However, any virus that damages the item it has infected by destroying one or more bytes is not removable, and the item needs to be deleted and restored from backups in order for the system to be restored to its original, uninfected state. There is a gap between theory and practice. In practice, a removable virus is one which the anti-virus product knows how to remove. The term “clean” is sometimes used for remove, and sometimes used to refer to the destruction of viruses by any method. Thus deleting a file which is infected might be considered cleaning the system. We do not regard this as an appropriate use of the term “clean”.

Resident: A property of most common computer viruses and all background scanners and behavior blockers. A resident virus is one which loads into memory, hooks one or more interrupts, and remains inactive in memory until some trigger event. When the trigger event occurs, the virus becomes active, either infecting something or causing some other consequence (such as displaying something on the screen.) All boot viruses are resident viruses, as are the most common file viruses. Macro viruses are non-resident viruses.

Stealth virus: A virus that uses any of a variety of techniques to make itself more difficult to detect. A stealth boot virus will typically intercept attempts to view the sector in which it resides, and instead show the viewing program a copy of the sector as it looked prior to infection. An active stealth file virus will typically not reveal any size increase in infected files when you issue the “DIR” command. Stealth viruses must be “active” or running in order to exhibit their stealth qualities.

Trojan Horse: A program which does something unwanted and unexpected by a user, but intended by the programmer. Trojans do not make copies of themselves, as do viruses, and seem to be more likely to cause damage than viruses.

Worm: Similar to a virus in that it makes copies of itself, but different in that it need not attach to particular files or sectors at all. Once a worm is executed, it seeks other systems, rather than parts of systems, to infect, then copies its code to them.

Zoo virus: A virus which is rarely reported anywhere in the world, but which exists in the collections of researchers. A zoo virus has some chance of “escaping” virus collections and infecting user machines. Its prevalence could increase to the point that it was considered “in the wild.”
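
The "Companion virus" entry above depends on DOS running ABC.COM ahead of ABC.EXE, which gives a defender a simple check: list every directory where one base name exists with more than one executable extension. The following is an added example, not part of the ICSA report; the function names and the sample tree are constructed for illustration, and the placement of .BAT last in the search order comes from general DOS behaviour rather than from the glossary.

```python
import os
import tempfile
from collections import defaultdict

# Order in which DOS tries extensions for a command typed without one.
# The glossary states COM before EXE; BAT last is an assumption added here
# from general DOS behaviour.
DOS_SEARCH_ORDER = (".com", ".exe", ".bat")


def find_shadowed_programs(root):
    """Return a sorted list of (directory, stem, runs_first, shadowed) tuples.

    A tuple is reported when a single directory holds the same base name with
    more than one executable extension, so that typing the bare name runs
    `runs_first` instead of the files listed in `shadowed`.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(dict)
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in DOS_SEARCH_ORDER:
                # DOS names are case-insensitive: ABC.COM shadows abc.exe.
                by_stem[stem.lower()][ext] = name
        for stem, found in by_stem.items():
            if len(found) < 2:
                continue  # only one executable form, nothing is shadowed
            ordered = [found[e] for e in DOS_SEARCH_ORDER if e in found]
            findings.append((dirpath, stem, ordered[0], ordered[1:]))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: empty files laid out like a program directory."""
    os.makedirs(os.path.join(root, "sub"))
    for rel in ("ABC.COM", "ABC.EXE", "TOOL.EXE", "NOTES.TXT",
                os.path.join("sub", "Run.bat"), os.path.join("sub", "RUN.EXE")):
        with open(os.path.join(root, rel), "wb"):
            pass


def demo_findings():
    """Run the check over the constructed tree; directories are made relative."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(d, root), stem, first, rest)
                for d, stem, first, rest in find_shadowed_programs(root)]


if __name__ == "__main__":
    for directory, stem, first, rest in demo_findings():
        print(f"{directory}: typing '{stem}' runs {first}, not {', '.join(rest)}")
```

A hit is a lead for review rather than proof of infection, since some legitimate software ships both forms; the check also covers only same-directory pairs.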

88

Copyright © 1998 ICSA, Inc., 1200 Walnut Bottom Road, Carlisle, PA, 17013-7635Phone: 717-258-1816, Fax: 717-243- 8642, send blank e-mail to: [email protected], http://www.icsa.net

Page 89: ICSA 1998 Computer Virus Prevalence Survey - Security  · Web viewICSA 1998 Computer Virus Prevalence Survey. ... and Word documents are now ... 1704.A File 1704 8 Casper File 1

ICSA® 1998 Virus Prevalence Survey

Index

11099...................................................................69

1244...................................................................68

15_Years.B........................................................64

15_Years.C........................................................64

1575...................................................................67

1701...................................................................65

1704...................................................................65

1808...................................................................68

1813...................................................................68

2

2448...................................................................71

3

3873...................................................................73

4

4096...................................................................67

4K.....................................................................67

A

ABCD...............................................................64

Accept.3773......................................................64

Aija...................................................................67

Aircop.Standard.A............................................64

Alfons.1344.......................................................64

Alia.1023...........................................................68

Amoeba.2367....................................................69

AMSE...............................................................72

Anticad.4096.A.................................................64

Anticad.4096.Mozart........................................64

AntiCMOS (family)..........................................64

AntiCMOS.A....................................................64

AntiCMOS.B....................................................64

AntiCMOS.C....................................................64

AntiCMOS.D....................................................64

AntiCMOS.G....................................................64

AntiEXE (family)..............................................64

AntiEXE.A........................................................64

AntiEXE.B........................................................64

AntiTel..............................................................69

Anti-Virus Methods Employed.........................24

Appendix A: Questionnaire..............................36

Appendix B: Tabulations by Question..............49

Arianna.3375.....................................................64

Arusiek.817.......................................................64

Athens...............................................................74

Avalon...............................................................64

Avispa.D...........................................................64

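Axe....................................................................67

B

B1.....................................................................70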

Baboon..............................................................64

Bachkhoa.3999..................................................64

Backform...........................................................64

BackForm.B......................................................64

BackFormat.2000.A..........................................64

BackFormat.B...................................................64

Background Scanning

defined.......................................................84

Bad_Sectors.3428.............................................64

Bakalava I.........................................................64

Barrotes (family)...............................................64

Barrotes.1303....................................................64

Barrotes.1310.A................................................64

Barrotes.1463....................................................65

Barrotos.............................................................64

BE-451..............................................................65

Beah..................................................................65

Beavis.B............................................................65

Beer.2473..........................................................65

Behavior Blocking

defined.......................................................84

behavioral analysis............................................84

BewareBug.1643...............................................66

BFD...................................................................65

Biases..................................................................8

Big Caibua.2262...............................................74

Bladerunner.860................................................65

Bleah...........................................................65, 66

Bleah.C..............................................................65

Blin...................................................................73

Bloodhound.......................................................65

Bloody!.............................................................72

Blue Shark.........................................................66

Bones.................................................................68

Bonus................................................................65

Boot Record

defined.......................................................84

Boot Sector

defined.......................................................84

Boot Sector Infector

defined.......................................................84

Boot virus

defined.......................................................84

Boot-437.A........................................................65

Boot-446...........................................................71

BootEXE.451....................................................65

BootM1.............................................................73

Bosco...........................................................65, 81

Bouncing-Ball...................................................71

Brain-1919........................................................71

Brain-4028........................................................71

Breasts...............................................................72

Bupt.9146..........................................................75

Burglar.1150.A.................................................65

Bye....................................................................65

ByeBye..............................................................65

Byway.A...........................................................65

Byway.B............................................................65

C

Campana...........................................................69

Cansu.................................................................74

Cascade.............................................................65

Cascade.1701.A................................................65

Cascade.1704.A................................................65

Casper...............................................................65

Cavaco.1470......................................................65

Cawber..............................................................65

CDV 3.3............................................................65

Century..............................................................65

Chang................................................................65

Changes.............................................................65

Changes in Virus Distribution Mechanisms.....17

Changing Dominance of Most Prevalent Viruses, 1995-1998..................................................14

Changsha.3072..................................................65

Chaos.1241........................................................65

Chill...................................................................65

Chinese_Fish.....................................................65

Civil_Defence.6672.C.......................................65

Claws.................................................................75

CMOS Killer.....................................................66

Colours..............................................................76

Companion virus

defined.......................................................85

Concept.J...........................................................75

Cordobes.3334..................................................65

Coruna...............................................................68

Cosenza.............................................................65

Costs Per Incident.............................................22

Count10.............................................................76

Countdown.1300...............................................65

CountDown.1363..............................................65

Coup.2052.........................................................65

CPW.1527.........................................................65

Crazy_Boot.......................................................66

Creeping Death.................................................66

Cruel.A..............................................................66

D

D2D...................................................................73

D3.....................................................................64

DA_Boys (family)............................................66

DA_Boys.A.......................................................66

Danish_Boot.....................................................66

Dark_Avenger.1800.A......................................66

Dark_Avenger.2100.SI.A.................................66

Defo...................................................................66

DelCMOS.........................................................66

DelCMOS.B......................................................66

Deliver.1771......................................................66

Deliver.Stealth..................................................66

Delta.1128.........................................................66

Delta.1163.........................................................66

Delwin...............................................................66

DelWin.1759.....................................................66

Den Zuk............................................................66

Den_Zuko.2.A...................................................66

Department........................................................60

Desktop PC Operating System..........................61

Desperado.1403.C.............................................66

DH2...................................................................66

Diablo_Boot......................................................66

Diciembre_30_Bo.............................................68

Die Lamer.........................................................74

Die_Hard.4000.A..............................................66

Digi.3547..........................................................66

Dinamo........................................................66, 72

Dir_II.A.............................................................66

Dir2.Byway.......................................................65

Dis....................................................................70

DiskFiller..........................................................67

Dodgy................................................................66

Doom2Death.....................................................73

DOS-62.............................................................74

DR&ET.............................................................66

Dret...................................................................66

Dual_Gtm.1643.................................................66

DuBug.3999......................................................64

dynamic code analysis......................................84

E

Ear.Leonardo.1207............................................66

Eco....................................................................66

Eco.B.................................................................66

Eddie.................................................................66

Edwin................................................................66

Effectiveness of Desktop Protection Approaches...................................................................25

Ekater................................................................71

E-Mail Gateways..............................................29

Empire.Int_10.B................................................66

Empire.Monkey (family)..................................66

Empire.Monkey.A.............................................66

Empire.Monkey.B.............................................66

Encrypted virus

defined.......................................................85

End Notes........................................................103

Epbr...................................................................72

Epidemic...........................................................77

Espejo................................................................64

Espejo.B............................................................64

Essex.................................................................71

Evil Genius........................................................70

EXE_Bug (family)............................................66

EXE_Bug.A......................................................66

EXE_Bug.C......................................................67

EXE_Bug.Hooker.............................................67

F

Facade...............................................................67

Fairz..................................................................67

Fangs.................................................................75

Fat_Avenger......................................................67

Faust..................................................................65

Feint..................................................................66

Fichv.2_1..........................................................67

File virus

defined.......................................................85

Filler.A..............................................................67

Find...................................................................67

Findings...............................................................9

Finnish.357........................................................67

Finnish_Sprayer................................................67

Finnpoly............................................................67

Fish...........................................................65, 81

Fish Boot...........................................................65

Fist 2..................................................................72

FITW.................................................................67

Flaga..................................................................73

Flip...........................................................67, 73

Flip (family)......................................................67

Flip.2153.A.......................................................67

Flip.2343...........................................................67

Form (family)....................................................67

Form 18.............................................................67

Form May..........................................................67

Form.A..............................................................67

Form.C..............................................................67

Form.D..............................................................67

Form.G..............................................................67

Form.N..............................................................67

Frank.................................................................67

Frankenstein......................................................67

Freddy 2............................................................69

Free Love..........................................................70

French Boot.......................................................69

Frodo.Frodo.A...................................................67

G

Galicia.800........................................................67

Galicia.A...........................................................67

Generic 1...........................................................71

Getto.2000.........................................................67

Ginger.2774.A...................................................67

Gingerbread.......................................................67

Glupak.857........................................................67

Gnose................................................................70

Go Jonny...........................................................78

Goblin.1759......................................................66

GoldBug............................................................67

GranGrave.1150................................................65

Green_Caterpillar.1575.A.................................67

Growth in Prevalence, by Type of Virus, 1997-1998...........................................................13

H

Ha.............................................................67, 68

Ha!.1224............................................................67

Hack_Master.....................................................67

H-Andromeda.1024..........................................67

Hare.7610..........................................................67

Hare.7750..........................................................67

Hare.7786..........................................................67

Has Malicious Active Code Breached Security?...................................................................32

Havoc................................................................70

HDKiller...........................................................68

Helloween.1376.A............................................68

Hi.....................................................................68

Hi.460.A............................................................68

Hi.833................................................................68

Hidenowt.1741.A..............................................68

Hippie................................................................68

HLLC.Dosinfo.A..............................................68

HLLC.Dosinfo.B...............................................68

HLLC.Even_Beeper.B......................................68

HLLP.5850.C....................................................68

HLLP.5850.D....................................................68

HLLP.Petra.7956..............................................68

Hnd....................................................................65

Holiday..............................................................68

Hong Kong........................................................72

Horror.1173.......................................................68

Hot....................................................................77

How Common Are Virus Infections?.................9

How High a Threat Posed by Java, ActiveX, etc.?............................................................31

How Important is the Internet to Employee Work?........................................................30

How is "Commonness" Changing?...................12

How Many PCs Were Affected by Incident?...21

I

Ibex.A................................................................68

Immortal.2190...................................................68

Imposter............................................................77

in the wild...................................................85, 87

In the Wild virus

defined.......................................................85

Infector.1022.....................................................68

Infeczione..........................................................76

Info...................................................................67

Int12..................................................................68

Int40..................................................................68

Int7F-E9............................................................66

Int83.800...........................................................70

Int-AA...............................................................68

INTC.................................................................68

Invisible_Man.2926.A......................................68

IR&MJ..............................................................68

Irish...................................................................78

Irish3.................................................................70

Iutt99.................................................................64

IVP.264.B.........................................................68

IVP.674.B.........................................................68

IVP.Flipper.872.................................................68

J

J&M.A..............................................................68

Jack Ripper........................................................71

Jakarta...............................................................79

Jan1...................................................................70

Jerusalem (family)............................................68

Jerusalem.1244..................................................68

Jerusalem.1500..................................................68

Jerusalem.1808.Standard..................................68

Jerusalem.June_13............................................68

Jerusalem.Mummy.1364.A...............................68

Jerusalem.Sunday (family)...............................68

Jerusalem.Sunday.A..........................................68

Jerusalem.Vespa.1045.......................................68

Jerusalem.Zerotime.Australian.A.....................69

Jimi...........................................................68, 69

Jimmy................................................................68

Job Title............................................................60

Jobi...................................................................74

Johana_Boot......................................................69

Jos.1000............................................................69

Joshi.A..............................................................69

July 4th..............................................................72

Jumper.A...........................................................69

Jumper.B...........................................................69

Junkie (family)..................................................69

Junkie.1027.A...................................................69

K

Kaczor.4444......................................................71

Kampana...........................................................69

Kampana.A.......................................................69

Kaos4.697.A.....................................................69

Karnivali.1972..................................................69

Kato...................................................................72

Keypress.1232.A...............................................69

Khobar...............................................................67

Kmee.................................................................69

Krueger.2226....................................................69

L

Lavot.................................................................69

Lazarus..............................................................69

Leandro.............................................................69

Legozz...............................................................69

Lemming.2160..................................................69

Lenart................................................................64

Level3.5987......................................................69

Liberty.2857.A..................................................69

Lilith..................................................................69

Line of Business................................................63

Lisa2..................................................................73

Lithi...................................................................69

Lithium..............................................................69

Little_Red.1465.A.............................................69

LiXi...................................................................64

Lizard................................................................69

Look..................................................................77

LTS....................................................................69

Lucho................................................................69

Lyceum.1788....................................................70

M

MacGyver.2803.A.............................................69

Macro virus

defined.......................................................85

Magic................................................................69

Major BBS........................................................69

Major.1644.A....................................................69

Maltese_Amoeba..............................................69

Mange_Tout.1099.............................................69

Mannequin........................................................69

Manzon.1414....................................................69

Mao...................................................................69

Markt.1533........................................................70

Master Boot Record

defined.......................................................85

Master Boot Sector

defined.......................................................85

Master Boot Sector Virus

defined.......................................................85

Maverick (family).............................................70

Maverick.1536..................................................70

Mediera.............................................................65

Menem_Tocoto.................................................70

Michelangelo (family)......................................70

Michelangelo.A.................................................70

Micropox...........................................................82

Microsloth.........................................................81

Mierda...............................................................65

Ming.CLME.1528.............................................70

MIREA.1788.....................................................70

MISiS.A............................................................70

Mithrandir.........................................................70

Moloch..............................................................70

Monkey.................................................11, 12, 66

Morphine.3500.B..............................................70

MultiAni............................................................70

Mummy 2.1.......................................................68

Music_Bug........................................................70

Mystic...............................................................69

N

N8Fall...............................................................70

Natas (family)...................................................70

Natas.4744........................................................70

Necros.1164......................................................70

Neuroquila (family)..........................................70

Neuroquila.A.....................................................70

Neuroquila.B.....................................................70

New Zealand.....................................................73

Newbug.............................................................64

Nightfall.4518...................................................70

NIKA.................................................................70

No_Frills.1153..................................................70

No_Frills.843....................................................70

Noiembrie.610..................................................70

Nomen...............................................................70

Nomenklatura.A................................................70

Nop....................................................................79

NOP.............................................................73, 79

NopB.................................................................72

NopB2...............................................................72

November_17th.800.A......................................70

November_17th.855.A......................................70

NoWin.2576......................................................70

NPox.963.A.......................................................70

ntthnta...............................................................75

Nuclear.B..........................................................79

Number of PCs in the Group............................61

Nwait.................................................................74

NYB (family)....................................................70

NYB.A..............................................................70

O

Objectives...........................................................7

Oi Dudley..........................................................70

Omicron............................................................67

On-Demand Scanning

defined.......................................................86

One_Half.3544..................................................70

One_Half.3570..................................................70

Ontario.1024.....................................................70

Operating System..............................................61

Ornate................................................................70

Overall Level of Usage.....................................23

Oxana................................................................71

P

Pac Man Ghost..................................................71

Parasite.A..........................................................76

Parisite.B...........................................................76

Parity_Boot (family).........................................71

Parity_Boot.A...................................................71

Parity_Boot.B....................................................71

Parity_Boot.Enc................................................71

Pasta.B..............................................................71

Pathogen.SMEG.0_1.........................................71

Patras.................................................................69

Paula_Boot........................................................71

PCBB.1784.......................................................73

Peligro.1213......................................................71

Peter..................................................................71

PeterII.Runtime.................................................66

Ph33R.1332.......................................................71

Phantom............................................................71

Phx.1295...........................................................71

Phx.965.............................................................71

Pieck (family)....................................................71

Pieck.4444.A.....................................................71

Ping_Pong.B.....................................................71

Plastique 5.12....................................................64

Pojer.1919.........................................................71

Pojer.4028.........................................................71

Polymorphic virus

defined.......................................................86

Poppy.1052.......................................................71

PR.b...................................................................71

Prank Macro......................................................76

Predator.............................................................71

Previous work.....................................................8

Primary Line of Business..................................63

Profile of Respondents......................................60

Proxy Servers and Firewalls.............................29

PUX.965............................................................71

Q

QRry..................................................................71

Quandary...........................................................71

Query.................................................................71

Quicksilver........................................................71

Quicky.1376......................................................71

Quiver...............................................................71

Quox.A..............................................................71

Qvr....................................................................71

R

Raadioga.1000..................................................71

Raid.5831..........................................................71

Ravage B...........................................................71

RCE-1206.........................................................74

RCE-2885.........................................................82

Recent Changes in Reported Prevalence..........12

Red Book..........................................................69

Red Spider.........................................................71

Remove

defined.......................................................86

Research Methodology.......................................7

Resident

defined.......................................................86

Respondent’s Department.................................60

Revenge_II.2816...............................................71

Reverse.948.A...................................................71

Rhubarb.............................................................71

Ripper..........................................................12, 71

Roet.1363..........................................................65

RP.A..................................................................71

Russian_Flag.....................................................71

S

Sampo...............................................................72

Sarampo.1371.B................................................72

Sat_Bug.......................................................70, 72

Sat_Bug.Sat_Bug..............................................72

Satan............................................................70, 72

Satan_Bug.........................................................72

Satria.A.............................................................72

Savor.1000........................................................72

Sblank...............................................................67

Scitzo.1329........................................................72

Scream...............................................................72

Screaming_Fist.696..........................................72

Scroll.1532........................................................72

Server Protection Methods................................26

Sevilla...............................................................66

She_Has............................................................72

Shoo..................................................................69

Sibylle...............................................................72

Sierra.................................................................72

Sigalit................................................................74

SillyBop............................................................69

Skim.1455.........................................................72

Sleep_Walker.1266...........................................72

Slow..................................................................69

SlowDog...........................................................72

Slydell...............................................................71

SMEG...............................................................71

Spanska.1120....................................................72

Spanska.1500....................................................72

Spanska.4250....................................................72

Spectre.513........................................................72

Stamford............................................................72

Stealth 2............................................................71

Stealth B or C........................................11, 12, 72

Stealth virus

defined.......................................................86

Stealth_Boot (family)........................................72

Stealth_Boot.B..................................................72

Stealth_Boot.C..................................................72

StickyKeys........................................................78

Stoned.........................................................72, 73

Stoned (family).................................................72

Stoned.Angelina................................................72

Stoned.Azusa.A.................................................72

Stoned.Bravo.....................................................72

Stoned.Bunny.A................................................72

Stoned.Crypt.....................................................72

Stoned.Daniela..................................................72

Stoned.Empire...................................................72

Stoned.Flame.A.................................................72

Stoned.June_4th.A............................................72

Stoned.Kiev.......................................................72

Stoned.Lzr.........................................................73

Stoned.Manitoba...............................................73

Stoned.Michelangelo.D.....................................73

Stoned.No_INT.A.............................................73

Stoned.NoInt.....................................................73

Stoned.NOP......................................................73

Stoned.P............................................................73

Stoned.Scale......................................................73

Stoned.Spirit......................................................73

Stoned.Standard.B.............................................73

Stoned.Swedish_Disaster..................................73

Stoned.W-Boot..................................................73

Stonehenge........................................................73

Sunday...............................................................68

Suriv_1.Argentina.............................................73

SVC.3103.A......................................................73

Swiss Army.......................................................73

Swiss_Boot.A....................................................73

T

Tabulations........................................................49

Tabulations by Question...................................49

Tai-Pan.434.......................................................73

Tai-Pan.438.A...................................................73

Tai-Pan.666.A...................................................73

Taiwan No. 1.....................................................80

Tanpro.524........................................................73

Tedy.4350.........................................................73

Telecom.............................................................67

Tentacle II.........................................................73

Tentacle.10634..................................................73

Tentacle.1966....................................................73

Tentacle.1996....................................................73

Tentacle_II........................................................73

Tequila (family)................................................73

Tequila.2468.A.................................................73

Teraz.4004........................................................73

The Internet.......................................................30

Three_Tunes.1784.A.........................................73

TimeWarp.........................................................69

TMC.5454.........................................................73

TMC_Level-42.................................................73

TMC_Level-69.................................................73

TPVO................................................................73

Trakia.653.........................................................73

Treb...................................................................73

Treblinka...........................................................73

Tremor (family)................................................73

Tremor.4000......................................................73

Trojan Bomb.....................................................74

Trojan Horse.....................................................74

defined.......................................................86

Trojector.1463...................................................74

Trojector.1561...................................................74

Tubo..................................................................74

Turbo.................................................................72

Turku.................................................................69

TVPO................................................................73

Twins.................................................................69

Type of Network Employed..............................62

Type of Virus and Point of Entry......................18

U

Ugly_Jo.............................................................74

Unashamed.B....................................................74

Unkempt.1350...................................................74

Unsnared.814....................................................74

Urkel.................................................................74

Uruguay.............................................................74

Usage of Anti-Virus Products...........................23

Uvjan.2246........................................................74

Uvjan.2262........................................................74

V

V.814.................................................................74

V2P6.................................................................74

V-947................................................................74

Vacsina.1206.A.................................................74

Vacsina.TP-16.A...............................................74

Valentine.2332..................................................74

Vampiro.1000.A...............................................74

Vanitas.2048.....................................................74

VCL.541............................................................74

Vicodin.1168.....................................................74

Vienna.648.Reboot.A........................................74

Vienna.Bua........................................................74

Vinchuca.925....................................................74

VlamiX.1090.....................................................74

Voyage.1134.....................................................74

V-Sign...............................................................74

W

W97M/Appder.A..............................................74

W97M/Appder.D..............................................74

W97M/Boom.A................................................74

W97M/CAP.C...................................................74

W97M/CMD.A.................................................74

W97M/Concept.BB..........................................74

W97M/Kompu.A..............................................74

W97M/MDMA.D.............................................75

W97M/Niceday.A.............................................75

W97M/NightShade...........................................74

W97M/Temple.A..............................................75

W97M/TWNO.A Tw........................................75

W97M/Wazzu.A...............................................75

W97M/Wazzu.C...............................................75

W97M/Wazzu.DL.............................................75

W97M/Wazzu.X...............................................75

Wazzu.......................................11, 12, 75, 80, 81

Wedding............................................................70

Weed.................................................................68

WelcomB....................................................13, 75

Werewolf.1168..................................................75

Werewolf.120....................................................75

Werewolf.1500.B..............................................75

Werewolf.684....................................................75

Werewolf.693....................................................75

What Are the Financial Costs of Viruses?........22

What Are The Organizational Effects of Viruses?...................................................................18

What Impact Do Viruses Have?.......................18

What is your Java/ActiveX Policy?..................34

Where Do They Come From?...........................16

Which Viruses are Most Common in 1998?.....12

Whisper.............................................................73

Whit...................................................................73

Win.Apparition.d..............................................75

Win32.Apparation.............................................75

Win95.Anxiety..................................................75

Win95/Anxiety.A..............................................75

Wix....................................................................66

Wllop.................................................................72

WM (family).....................................................75

WM/ABC..........................................................75

WM/Actung......................................................75

WM/Alien.A.....................................................75

WM/Alliance.A.................................................75

WM/Ammy.A Tw.............................................75

WM/AntiNS......................................................75

WM/Appder (family)........................................75

WM/Appder.A..................................................75

WM/Appder.B..................................................75

WM/Appder.D..................................................75

WM/Appder.G..................................................75

WM/Appder.I....................................................75

WM/Appder.L...................................................75

WM/Appder.N..................................................75

WM/Appder.O..................................................75

WM/Bandung (family)......................................75

WM/Bandung.A................................................75

WM/Bandung.AX.............................................76

WM/Bandung.AY.............................................76

WM/Bandung.L................................................76

WM/Bandung.O................................................76

WM/Boom.A De...............................................76

WM/Buero.A De...............................................76

WM/CAP (family)............................................76

WM/CAP.A......................................................76

WM/CAP.D......................................................76

WM/Cebu.A......................................................76

WM/Clock.A De...............................................76

WM/Colors (family).........................................76

WM/Colors.A....................................................76

WM/Colors.AB.................................................76

WM/Colors.B....................................................76

WM/Colors.G....................................................76

WM/Concept (family).......................................76

WM/Concept.A.................................................76

WM/Concept.B.................................................76

WM/Concept.BB..............................................76

WM/Concept.BC..............................................76

WM/Concept.BK..............................................76

WM/Concept.BS...............................................76

WM/Concept.CC..............................................76

WM/Concept.F..................................................76

WM/Concept.J..................................................76

WM/Concept.K.................................................76

WM/Concept.Z.................................................76

WM/CountTen..................................................76

WM/Date.B.......................................................76

WM/Demon (family)........................................76

WM/Demon.A..................................................76

WM/Divina.A...................................................76

WM/Divina.C....................................................76

WM/Divina.D...................................................76

WM/Divina.K...................................................77

WM/Divina.N...................................................77

WM/DMV.E.....................................................77

WM/Doggie......................................................77

WM/Dub...........................................................77

WM/DZT (family)............................................77

WM/DZT.A......................................................77

WM/DZT.B.......................................................77

WM/Epidemic.A Tw.........................................77

WM/Goldfish (family)......................................77

WM/Goldfish.A................................................77

WM/Goldfish.C................................................77

WM/Goldfish.E.................................................77

WM/Goodnight (family)...................................77

WM/Goodnight.C.............................................77

WM/Goodnight.D.............................................77

WM/Goodnight.F..............................................77

WM/Goodnight.G.............................................77

WM/Goodnight.H.............................................77

WM/Goodnight.I...............................................77

WM/Goodnight.J..............................................77

WM/Goodnight.K.............................................77

WM/Guess.A Tw..............................................77

WM/Helper (family).........................................77

WM/Helper.A...................................................77

WM/Helper.B....................................................77

WM/HIAC.A....................................................77

WM/Hot.A........................................................77

WM/Hybrid.A...................................................77

WM/Hybrid.K...................................................77

WM/Imposter (family)......................................77

WM/Imposter.A................................................77

WM/Imposter.E................................................77

WM/Inexist.A...................................................77

WM/Influenza.B...............................................78

WM/Irish.A.......................................................78

WM/Johnny (family)........................................78

WM/Johnny.A...................................................78

WM/Johnny.A1.................................................78

WM/Johnny.B...................................................78

WM/KillLuf.A..................................................78

WM/Komcon.A................................................78

WM/Kompu (family)........................................78

WM/Kompu.A..................................................78

WM/Kompu.E...................................................78

WM/Kompu.G..................................................78

WM/Lunch (family)..........................................78

WM/Lunch.A....................................................78

WM/Lunch.B....................................................78

WM/Lunch.F.....................................................78

WM/Lunch.G....................................................78

WM/Ma.............................................................78

WM/Maddog.A.................................................78

WM/MDMA (family).......................................78

WM/MDMA.A.................................................78

WM/MDMA.AG..............................................78

WM/MDMA.AH..............................................78

WM/MDMA.AI................................................78

WM/MDMA.AK..............................................78

WM/MDMA.C..................................................78

WM/MDMA.D.................................................78

WM/MDMA.E..................................................78

WM/MDMA.F..................................................78

WM/Mtf............................................................78

WM/Muck (family)...........................................78

WM/Muck.D.....................................................78

WM/Muck.F......................................................78

WM/Muck.P......................................................78

WM/Muck.R.....................................................78

WM/Muck.S......................................................79

WM/Munch.......................................................79

WM/NF (family)...............................................79

WM/NF.A.........................................................79

WM/NiceDay (family)......................................79

WM/NiceDay.A................................................79

WM/Niceday.O.................................................79

WM/Niknat.A...................................................79

WM/Ninja (family)...........................................79

WM/Ninja.A.....................................................79

WM/NOP (family)............................................79

WM/NOP.A De.................................................79

WM/NOP.F De.................................................79

WM/Npad (family)...........................................79

WM/Npad.A......................................................79

WM/Npad.BR...................................................79

WM/Npad.D......................................................79

WM/Npad.DP...................................................79

WM/Npad.EQ...................................................79

WM/Nuclear.A..................................................79

WM/Nuclear.B..................................................79

WM/Nuclear.V..................................................79

WM/Oblom.H...................................................79

WM/Paycheck (family).....................................79

WM/Paycheck.A...............................................79

WM/Pesan.A.....................................................79

WM/Pesan.B.....................................................79

WM/Pesan.C.....................................................79

WM/Rapi (family)............................................79

WM/Rapi.A.......................................................79

WM/Razer.........................................................79

WM/Safwan.A..................................................79

WM/Schumann (family)...................................79

WM/Schumann.A.............................................79

WM/Schumann.C..............................................79

WM/Setmd.A Tw..............................................80

WM/Setmd.B Tw..............................................80

WM/Sharefun.A................................................80

WM/ShowOff (family).....................................80

WM/ShowOff.A................................................80

WM/ShowOff.C................................................80

WM/Showoff.CB..............................................80

WM/Showoff.CG..............................................80

WM/Small.A.....................................................80

WM/Surabaya.A...............................................80

WM/Switcher (family)......................................80

WM/Switcher.A................................................80

WM/Swlabs (family)........................................80

WM/Swlabs.B...................................................80

WM/Swlabs.E...................................................80

WM/Swlabs.G...................................................80

WM/Swlabs.I....................................................80

WM/Tao.A........................................................80

WM/Temple (family)........................................80

WM/Temple.A..................................................80

WM/Temple.F...................................................80

WM/Temple.G..................................................80

WM/Theatre.A Tw............................................80

WM/Theatre.B Tw............................................80

WM/Timid........................................................80

WM/Toten.A.....................................................80

WM/Toten.B.....................................................80

WM/Tunguska.A It...........................................80

WM/TWNO (family)........................................80

WM/TWNO.A Tw............................................80

WM/TWNO.AB................................................80

WM/Veneno.A..................................................80

WM/Vicinity.A.................................................80

WM/Vicinity.C.................................................80

WM/Wazzu (family).........................................80

WM/Wazzu.A...................................................81

WM/Wazzu.AV................................................81

WM/Wazzu.AW...............................................81

WM/Wazzu.BE.................................................81

WM/Wazzu.C...................................................81

WM/Wazzu.CA................................................81

WM/Wazzu.CL.................................................81

WM/Wazzu.DG................................................81

WM/Wazzu.DO................................................81

WM/Wazzu.E....................................................81

WM/Wazzu.F....................................................81

WM/Wazzu.H...................................................81

WM/Wazzu.O...................................................81

WM/Wazzu.P....................................................81

WM/Wazzu.Q...................................................81

WM/Wazzu.X...................................................81

WM/Weather.A Tw..........................................81

WM/Yaka.A......................................................81

WM/ZMB.A De................................................81

WM/ZMB.B......................................................81

WM/Zoolog.A...................................................81

Wonka...............................................................73

Worm

defined.......................................................86

Wwp..................................................................81

WXYC.A..........................................................81

X

X97M/Laroux.A................................................81

X97M/Laroux.AA.............................................81

X97M/Laroux.D................................................81

X97M/Laroux.E................................................81

Xeram.1664.......................................................81

XM (family)......................................................81

XM/Laroux (family).........................................81

XM/Laroux.A....................................................81

XM/Laroux.AA.................................................81

XM/Laroux.AD.................................................81

XM/Laroux.AE.................................................81

XM/Laroux.AF.................................................81

XM/Laroux.AG.................................................82

XM/Laroux.AI..................................................82

XM/Laroux.AL.................................................82

XM/Laroux.AP.................................................82

XM/Laroux.AT.................................................82

XM/Laroux.AU.................................................82

XM/Laroux.D....................................................82

XM/Laroux.E....................................................82

XM/Laroux.G....................................................82

XM/Laroux.L....................................................82

XM/Nocal.A......................................................82

Xug.1500...........................................................68

Xuxa.1984.........................................................82


Y

Yankee Doodle.TP-39.A...................................82

Yankee Doodle.TP-44.A...................................82

Yankee Doodle.XPEH.4928.............................82

Yesmile.............................................................82

Z

Zarma................................................................82

Zharinov............................................................70

Zielona..............................................................70

Zipper................................................................82

Zmaina..............................................................67

zoo....................................................................86

Zoo virus

defined.......................................................86


End Notes

8 A boot virus can be transferred by e-mail if a “dropper” is attached to the e-mail. When the attachment is run, the dropper can insert the boot virus in the appropriate sectors of the drive. Such transfer of boot viruses is extremely rare. Similarly, a boot virus may be downloaded if the downloaded file is a dropper. The spread of boot viruses through downloaded droppers is also extremely rare.

13 1997: For the 34% of sites that experienced virus disasters, servers were down for an average of .66 hours – roughly 40 minutes. Most servers were not downed at all, and the longest downtime was 24 hours. Complete recovery took an average of 44 hours, 21.7 person-days of work, and an average of $8,366 in self-proclaimed costs. 1996: For the 29% of sites that experienced virus disasters, servers were down for an average of 5.8 hours. Complete recovery took an average of 44 hours, ten person-days of work, and an average of $8,100 in self-proclaimed costs.

19 Fewer PCs were represented in the 1998 survey (581,451) than in the 1997 survey (728,798).

20 In 1997, the average respondent was responsible for 81 file and application servers. For 1998, responsibility was for about half that number (40).

21 In 1997, the respondents were responsible for a total of 24,270 file and application servers. For 1998, responsibility was for about half that number (12,115). This may be the result of fewer servers per organization (each server doing more), reduced responsibilities in this set of respondents, or a difference in respondent selection.

22 The correlation between the percentage of respondents with each of 15 pre-designated lines of business plus "other" (those shown in Table 25. Primary Line of Business) in the 1997 and 1998 studies is .946.
