Computer Viruses: Beyond the First Decade

Allan G. Dyer MHKCS, MIAP, AIDPM, MSc. (tech), B.Sc.
Technical Consultant
adyer@yuikee.com.hk
Yui Kee Co. Ltd. (Regional Distributor of F-PROT AntiVirus Software)

Technical Areas: Computer Viruses, Security Threats, Social and Technical Aspects affecting their Spread.

Contents

Virus Basics
    Viruses Spreading
    Virus Writers
    Chinese Word Macro Viruses
        Behavior of MacroCopy
        Other Incompatibilities
Internet Threats
    Deliberate Spread
        Hare Virus
        Phalcon.1168
    Accidental Spread
    Internet-Specific Viruses
        ShareFun
    Problems that Aren't Viruses
    The Future on the Internet
        The Web
        Internet Commerce
The Size of the Virus Problem
    Anti-Virus Solution Providers
    The Wildlist
    Independent Surveys
        Computer Crime and Security Survey
        Computer Virus Prevalence Survey
            The Virus Problem is Getting Worse
            Macro Viruses are Growing Fastest
            One Third had a "Disaster"
            Diskettes from Home Top Source of Infection
            Important Conclusions
    Hong Kong Surveys
        Macro Viruses in Hong Kong
The Costs of Viruses
    Case 1: A small Solicitor's Office, no antivirus software
    Case 2: A large Organisation, poorly designed antivirus protection
    Efficient Protection
Conclusions
References
Appendix A: Survey Details
    Results
        Organisation Information
        Antivirus Information
        Macro Viruses at HKC97

The virus problem for PC users started ten years ago, in 1987. Since then, the number of viruses and the size of the problem have skyrocketed. However, behind the enormous growth, a lot of more complex processes have been occurring. By examining these, we can develop an efficient strategy to reduce the costs of viruses in the future.

Virus Basics

Dr. Frederick Cohen gave the definition, "A virus is a program that can 'infect' other programs by modifying them to include a, possibly evolved, version of itself." [1] This definition has practical flaws [2], so, for the purposes of this paper, a virus meets Dr. Cohen's definition AND was deliberately designed to replicate.

Viruses become common and die out; some viruses that were a major problem a few years ago are now (almost) never seen. Unfortunately, this is not because antivirus software has been successful at killing them off, but because the environment that allowed them to spread has disappeared [3].

[1] Frederick B. Cohen, 'A Short Course on Computer Viruses', second edition, Chapter 1, John Wiley & Sons Inc., (1994).
[2] 'Frequently Asked Questions on Virus-L/comp.virus', Release 2.00, section B1, maintained by Nick FitzGerald, (1995).
[3] Steve R. White, 'Computer Viruses: A Global Perspective', Proceedings of the Virus Bulletin Conference, pp165-181 (1995).
The Brain virus infected floppy disk boot sectors but not hard disks; it disappeared when hard disks became common and people stopped regularly booting from floppies. Many file viruses became less common when Windows became popular, because they could not infect the New Executable file format correctly, or they caused other incompatibility problems in Windows. The original Stoned virus has also declined, because it does not infect 3.5" diskettes correctly, so as 5.25" drives disappeared, so did Stoned.

It is, therefore, useful to classify viruses by the environment they require: boot sector viruses require a PC/BIOS compatible machine, the old file viruses require DOS interrupt compatibility, and the DIR II cluster virus requires a FAT partition. As new environments emerge, virus writers will take advantage and develop new types of viruses for them. Microsoft Word macro viruses are the most obvious example of this, and Microsoft's intention to make Visual Basic for Applications (VBA) a cross-application language widens the possibilities for virus writers.

Viruses Spreading

In terms of epidemiology, computer viruses are very like their biological counterparts. In order for a virus to spread successfully, there must be a sufficiently large susceptible population, and a route for the virus to move between machines. Although it is technically possible to write an NLM virus, we do not expect one to cause a big problem, because Netware administrators do not exchange NLMs frequently. In the DOS environment, conditions are excellent for the spread of viruses: there are millions of potential victims, and exchange of programs and diskettes is common. If we look at the same criteria for Word Macro viruses, the Word environment is very common, and people exchange Word documents far more than they exchange binary programs or diskettes.
Clearly, the virus problem is negligible for Netware NLMs, very big for DOS and even bigger for Word Macro viruses.

Virus Writers

But the analogy with the biological world is not complete: for there to be a computer virus problem in the first place, there must be people writing them. The number of virus writers for a particular environment can be related to the availability of the environment, and the availability of programming tools and information. There have been thousands of DOS file viruses written because every copy of DOS contains the basic tool required, DEBUG, and a great deal of information on DOS internals is cheaply available. Only a few native Windows viruses have been written; it is more expensive to get the tools to create Windows executables, and difficult to get the internal details of Windows required.

Word Macro viruses increase the potential number of virus writers. Everyone who has a copy of Word has the tools to create a macro virus, and they do not have to understand Assembler; they can use Basic. This creates a new class of virus writers. Our traditional picture of a virus writer is a teenager interested in programming, maybe doing it "for fun", or with a sense of rebellion: basically a young person who has developed the technical capabilities, but has not yet developed ethically enough to know not to. Word Macro viruses lower the barriers to investigating viruses: they carry their source code with them, and Word will let you edit it. It is therefore very easy for, say, an IT Manager to start off curiously looking at the code, and then to make a change: what would happen if...
At that point, a new variant of the virus has been created; it becomes another addition to the flood of new viruses that professional researchers and product developers must classify, investigate and protect against [4]. It is irrelevant that the creator does not intend to spread it; that seems to be the case for most viruses (there are more than 11,000 known viruses, but only a few hundred have ever been confirmed as spreading in the wild), we cannot know the creator's intentions, and accidental spread can also happen. Therefore, we must be very clear that writing or modifying self-replicating code is dangerous and unnecessary.

[4] Sarah Gordon, 'The Generic Virus Writer II', Proceedings of the Virus Bulletin Conference, pp177-188 (1996).

Chinese Word Macro Viruses

There have been a few viruses that are recognisably Chinese, either displaying Chinese texts or showing other features that indicate a regional origin. However, generally they are not a special concern for Chinese computer users: most viruses are not limited by the nationality of their victim. The Chinese Word Macro Viruses are different in this respect; they are limited in spread by the availability of their environment. The ability of macro viruses to cross the language version barriers was investigated by the author [5].

[5] Allan Dyer and Motoaki Yamamura, 'Macro Viruses in Double-Byte Languages: Technical and Social Aspects Limiting their Spread', Proceedings of the Virus Bulletin Conference, in press (1997).

There are four main Word environments in use in Hong Kong: English, Traditional Chinese, Simplified Chinese, and English with Chinese enabling software (Twin Bridge, Rich Win or similar). English Word with Chinese enabling software will be the same as English Word for macro virus compatibility, but in social terms it does split the user environment further.
Each of the double-byte versions of Word can open English Word documents and templates, and the macros will exist unchanged. If the document is then saved in the double-byte version of Word, it will be saved as a double-byte document. An English macro virus can therefore be transferred into Chinese Word very easily. Whether it can then replicate is another story. In the other direction, it is impossible for a Chinese Word macro virus to spread to English Word, simply because English Word is not capable of opening Chinese Word documents.

Behavior of MacroCopy

There are several reasons why many macro viruses do not replicate on the double-byte versions of MS-Word. Although this may occur due to some incompatibility in the macro language, the main reason why most macro viruses do not replicate under Chinese MS-Word is the variables used by the MacroCopy function.

In order to copy a macro to the global template or to another template, the function MacroCopy is used. MacroCopy copies a macro from one open template to another. Here is the format of the function:

    MacroCopy [Template1:]Macro1$, [Template2:]Macro2$ [, ExecuteOnly]

A typical macro virus such as WM.Concept.A will have code similar to the following to infect the global template:

    sMe$ = FileName$()                    ' name of the document currently open
    sMacro$ = sMe$ + ":AutoOpen"          ' source: the AutoOpen macro in that document
    MacroCopy sMacro$, "Global:AutoOpen"  ' destination: the global template (NORMAL.DOT)

In this code, the MacroCopy function is trying to copy sMacro$, which would be FileName$() + ":AutoOpen", to "Global:AutoOpen". By specifying "Global" as the destination template, MacroCopy will copy the macro to the NORMAL.DOT file, which is the global template in MS-Word. The "Global" variable does not work in Chinese Word, but there is another way to get around this, and it works under both Chinese and English MS-Word. Such a macro will have code similar to the following to infect the global template:
    sMe$ = FileName$()                    ' name of the document currently open
    sMacro$ = sMe$ + ":AutoOpen"          ' source: the AutoOpen macro in that document
    MacroCopy sMacro$, "AutoOpen"         ' no template given: defaults to the global template

As you can see, the template "Global" is not specified. When the destination template is not specified, the MacroCopy function defaults to copying the macro to the global template. It is impossible to say whether the author of the virus did this intentionally to support various language versions of MS-Word, but the author would probably not spend the time or money to test the virus under different language versions of MS-Word. Viruses such as WM.Cap use this method.

Table 1: MacroCopy in different MS-Word versions

    Language              Version   MacroCopy "file:macro", "Global:macro"   MacroCopy "file:macro", "macro"
    English               6         Y                                        Y
    Traditional Chinese   6         N                                        Y
    Traditional Chinese   7         N                                        Y
    Traditional Chinese   97        N                                        Y

Table 2: Behavior of Example Macro Viruses in Traditional Chinese MS-Word versions

    Version   WM.Concept.A   WM.Concept.O1:Tw   WM.Concept.?Ai:Jp   WM.CAP.A      WM.Twno.A:Tw   WM.Wazzu.J
    6.0       Not Infected   Not Infected       Cannot Open         Infected      Infected       Not Infected
    7.0       Not Infected   Not Infected       Disinfected         Infected      Infected       Not Infected
    97        Disinfected    Disinfected        Disinfected         Disinfected   Disinfected    Disinfected

"Not Infected" indicates that the virus did not replicate to new documents, but the viral macros were still present when the document was saved using that Word version. In this situation the virus does not spread further, but activation routines could still be triggered.
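As an added example (not code from the paper), the following Python helper reads WordBasic macro source and classifies each MacroCopy destination the way Table 1 does: an explicit "Global:" template (copies on English Word only), an omitted template (defaults to the global template on English and Traditional Chinese Word alike), or some other named template. This is the check an analyst would apply when triaging a macro sample; the sample macro text is constructed from the two snippets above, and the function and class names are my own.

```python
"""Static triage of WordBasic macro source for MacroCopy calls.

Added example, not code from the paper.  Each call's destination is classified
the way Table 1 does: an explicit "Global:" template (copies on English Word
only), an omitted template (defaults to the global template on English and
Traditional Chinese Word alike), or some other named template.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# MacroCopy <source>, <destination> [, <ExecuteOnly>]   (one statement per line)
_CALL = re.compile(
    r"^\s*MacroCopy\s+(?P<src>[^,]+?)\s*,\s*(?P<dst>[^,]+?)"
    r"(?:\s*,\s*(?P<flag>\S+))?\s*$",
    re.IGNORECASE,
)
# Plain string constants we can resolve statically:   name$ = "literal"
_ASSIGN = re.compile(r'^\s*(?P<name>[A-Za-z_]\w*\$)\s*=\s*"(?P<val>[^"]*)"\s*$')


@dataclass
class MacroCopyCall:
    line_no: int
    destination: str          # destination expression as written in the macro
    template: Optional[str]   # "Global", "Other.dot", ... or None when omitted
    macro: Optional[str]      # macro name when the destination resolves
    execute_only: bool        # third argument present
    verdict: str              # human-readable classification


def _resolve(expr: str, consts: Dict[str, str]) -> Optional[str]:
    """Return the value of a string literal or a known constant, else None."""
    expr = expr.strip()
    if len(expr) >= 2 and expr.startswith('"') and expr.endswith('"'):
        return expr[1:-1]
    return consts.get(expr)


def _classify(template: Optional[str]) -> str:
    if template is None:
        return "global template by default (English and Traditional Chinese Word)"
    if template.lower() == "global":
        return "global template via explicit Global: (English Word only)"
    return f"named template {template!r}"


def triage_macro(source: str) -> List[MacroCopyCall]:
    """Scan macro source text and describe every MacroCopy statement found."""
    consts: Dict[str, str] = {}
    calls: List[MacroCopyCall] = []
    for line_no, line in enumerate(source.splitlines(), 1):
        m = _ASSIGN.match(line)
        if m:
            consts[m.group("name")] = m.group("val")
            continue
        m = _CALL.match(line)
        if not m:
            continue
        dst_expr = m.group("dst")
        flag = bool(m.group("flag"))
        dst = _resolve(dst_expr, consts)
        if dst is None:
            calls.append(MacroCopyCall(line_no, dst_expr, None, None, flag,
                                       "destination not statically resolvable"))
            continue
        # "Global:AutoOpen" -> ("Global", ":", "AutoOpen");  "AutoOpen" -> ("", "", "AutoOpen")
        template, sep, macro = dst.rpartition(":")
        tmpl = template if sep else None
        calls.append(MacroCopyCall(line_no, dst_expr, tmpl, macro, flag, _classify(tmpl)))
    return calls


# Constructed samples based on the two snippets quoted in the paper.
CONCEPT_STYLE = """sMe$ = FileName$()
sMacro$ = sMe$ + ":AutoOpen"
MacroCopy sMacro$, "Global:AutoOpen"
"""

CAP_STYLE = """sMe$ = FileName$()
sMacro$ = sMe$ + ":AutoOpen"
MacroCopy sMacro$, "AutoOpen"
"""

if __name__ == "__main__":
    for label, text in (("Concept-style", CONCEPT_STYLE), ("Cap-style", CAP_STYLE)):
        for call in triage_macro(text):
            print(f"{label}: line {call.line_no}: {call.verdict}")
```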
"Disinfected" indicates the macros were not present when the document was saved using that Word version; this is a feature of Word 97 [6].

[6] "The Word of the Day", Virus Bulletin, March 1997, pp6-7.

Other Incompatibilities

There are some other differences in the macro languages. Traditional Chinese Word defines at least two functions that are not in other Word versions. Cdate$(x) returns the current date in different formats depending on the number x, including ones using the Republic of China calendar and Chinese characters. Ctime$(x) returns the current time in different formats depending on the number x, including some using Chinese characters. There is no unified list of which Word functions are available in which Word versions. These differences are another compatibility obstacle between the Word versions.

To date, there have only been a few verified reports of Chinese Word Macro Viruses in Hong Kong, but the survey reported below indicates that they are already a serious problem for Chinese Word users.

Internet Threats

The attraction of a top-level conference and exhibition is to see and hear about all the latest developments that will make life so much easier for us. In the field of communications, the growth in Internet usage in the past two years has been phenomenal to someone, like me, who has been using the Internet for 13 years in various ways. Amid so much enthusiasm, it seems contentious to point out the dangers. The Internet is proving itself to be excellent at improving communications; however, just as easy travel quickened the spread of plague between human communities, the Internet makes it easier for viruses to spread. Connectivity equals Vulnerability. There are three aspects to this: deliberate spread, accidental spread, and viruses that have Internet-specific features.
Deliberate Spread

The virus writer who wants his creation to spread has the difficult task of initial distribution without getting caught. Just borrowing people's machines and infecting them is slow and dangerous; someone might notice things started going wrong just after the virus writer's visit. Many of the most common viruses have benefited from mass distribution, often a "lucky break", such as infecting the master diskette at a software distributor's factory. Once a virus has been widely distributed, it is likely to survive a long time in the wild. The Internet gives the virus writer another solution to this problem: it can be utilised by the virus writer to achieve a wide initial spread with virtually no chance of being caught. We will look at the case of the Hare virus in detail.

Hare Virus

This virus achieved quite a bit of publicity in August and September 1996 because of its activation dates. Unfortunately, locally the name was translated to Chinese as "wild rabbit", as in hare. The name given to the virus was supposed to be Hare, derived from texts in the virus ("Hare Krsna, hare, hare..."), but these translation confusions sometimes occur.

The first variant of Hare was found in the USA in May 1996. Very shortly afterwards, there were reports worldwide. A second variant, Hare.7550, was found in June, and this was traced to faked posts in three newsgroups on 26 June 1996. A third variant, Hare.7786, was found and traced to faked posts in the alt.crackers newsgroup on 29 June 1996.

Most often, mass distributions of viruses on the Internet have been done via the newsgroups. It is relatively simple to create a newsgroup message and conceal your identity; a virus writer would do this and include his latest virus in the message. The message will then be distributed worldwide.
Of course, the virus cannot do anything until it is unpacked and executed, so the message has to encourage the user to do this. Also, if the message is on a "forbidden" newsgroup, the virus can benefit from a reluctance of the victim to admit where he might have got it from, thus slowing down or preventing a warning being posted on the group. It looks like the virus author has tried to use this effect in his choice of newsgroups: alt.cracks and alt.crackers are underground technical discussions, and alt.sex is, obviously, an explicit sexual group.

So the writer of Hare had everything set up for a large initial distribution in May and June, followed by destructive activation on 22 August and 22 September. Did you notice a massive disaster on those dates? It did not happen, but why? One theory would be that, after the alarm was raised, the antivirus developers released an updated version that thousands of people used to avert the disaster. Yes, every antivirus developer released a new version (some released a free version, as a service to the community and an advert), and thousands of people downloaded them. By 22 August, there had been more than 30000 recorded downloads from Data Fellows's European server alone, and other antivirus developers saw similar traffic. Presumably, most of those people checked their own machine, and maybe machines throughout their organisation. A few people reported finding and cleaning it before the activation, and, from reports collected from various antivirus developers, there were perhaps 16 activations worldwide [7]. Even allowing for gross under-reporting, Hare was not a common virus. On the second activation date, 22 September, even less was reported. This year, there have been no reports.

[7] Communications on the F-PROT Partner Tech Forum mailing list, (22 August - 28 August 1996).
There seem to be two factors involved in Hare's failure:

1. Readers of the alt.cracks and alt.crackers newsgroups are quite technically aware, and also aware that other members of the group enjoy such dubious activities as pirating software and breaking into computers. They are probably mostly cautious about what they download and how they use it. The initial distribution, although worldwide, was probably a smaller number than expected.

2. The Hare virus had bugs and failed to replicate on many machines. This limited its spread beyond the initial distribution.

Phalcon.1168

More recently, the Phalcon.1168 virus was distributed in a file ICQ.ZIP on 15 August in the following, mainly Hong Kong, newsgroups: hk.entertainment, alt.chinese.computing, alt.chinese.text.big5, aol.buy.and.sell, asiaonline.buy.and.sell, chinese.comp.software, hk.biz.general, hk.chinese, hk.comp.chinese, hk.comp.hacker, hk.comp.hardware.datacomm, hk.comp.mac, hk.comp.mpp, hk.comp.os.linux and hk.comp.pc.

The message was a reply to a Chinese question on how to use the ICQ Internet service for free. The attached ZIP file contained two files: ICQ.COM, which was the Phalcon.1168 virus, and ICQ.DOC, which appears to be the original virus writer's documentation for the virus. Although it was cross-posted to so many newsgroups, there have been no resulting incidents of Phalcon.1168 reported.

There has not yet been a documented major incident from this type of deliberate spread. However, the risks still exist, and another virus may do better by this method in the future. It is important to educate Internet users to be cautious when downloading files, including documents that might be infected with macro viruses. In other words, "Don't take sweets from strangers".

Accidental Spread

Far more significant, in terms of the number of incidents caused, is ordinary users and companies inadvertently distributing viruses to their contacts.
Macro viruses are particularly easy to spread, as sending a Word document by email is beginning to challenge the fax machine as the de facto standard for exchanging business information. As just one example, I received some of the details for this conference as a Word document, infected with WM/CAP.A, attached to an email message. Therefore, the biggest element in reducing the cost of viruses today is in slowing down the spread of Macro Viruses.

Surprisingly, there is a simple method available to stop macro viruses that every user can apply. We can call this a Public Health measure: just like with the AIDS awareness campaigns, we can all tell our users how to behave safely. If everyone did this, the spread of Word Macro Viruses would be dramatically reduced. The method is simple: stop exchanging Word documents.

Am I asking everyone to take a step backwards from the highly convenient electronic document exchange? No. The exchange of Word documents is how Word Macro viruses have become the commonest type of virus around. I am not saying stop using Word, or stop exchanging documents. Just choose a different file format when saving, one that does not support macros. Rich Text Format is a good choice: it was designed for document exchange, it does not support macros, and it is supported by other word processors. As an additional advantage, it is quite standard between different versions of Word, so you might find it solves your problems when Word 97 users pass documents to users of earlier versions too. So, always Save As RTF, and you can be certain that you will never pass on a Word Macro Virus. Only accept RTF files from colleagues and you will not get a new Word Macro Virus.

Does this simple method make antivirus software and antivirus researchers obsolete? No. Firstly, these methods do not get rid of viruses that are already there; they just make it difficult for them to spread further.
The virus that was on the machine before you started doing this still needs to be dealt with; it might activate and cause damage later. Secondly, they depend on the user always doing the right thing. Sooner or later there will be an unavoidable exception: a Word document from an important client that cannot be asked for again, or a new secretary who does not know the security policy yet. The benefit of this policy is that the number of opportunities for macro virus exchange is reduced, which reduces the number of incidents and therefore reduces our time and costs in handling the incidents. I recommend this as one point in your organisation's antivirus code.

Internet-Specific Viruses

Almost any virus can benefit from being sent to another victim via a network. However, it is also possible to write a virus with the specific intention of maximising the use of this transmission method. WordMacro/ShareFun is the first example of what can be considered to be a mix between a macro virus and an automatic chain letter.

ShareFun

ShareFun appeared earlier this year. It uses some new techniques that have not been seen in viruses before, but which have been discussed by antivirus researchers in "Nightmare Sessions". The virus is WordMacro/ShareFun.A; it is a Word Macro virus, similar to WordMacro/Wazzu. However, every time an infected file is opened, there is a 1/4 chance that the virus will activate. If Microsoft Mail is running, the virus attempts to send e-mail messages to three random people listed in the local MSMail alias list. The subject of the messages will be:

    You have GOT to see this!

The message will contain no text, only a file attachment called DOC1.DOC, which is infected by the virus. The document itself is the document that the user happened to have open when the virus activated.
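As an added example (not code from the paper) serving two points on this page: a small Python mail-gateway triage that checks attachments by content signature rather than by file extension, so the "only accept RTF" policy from the Accidental Spread section is enforced on what a file actually is, and that flags the ShareFun message pattern just described (the subject line, an empty body, an attachment named DOC1.DOC), with a looser rule for the variants the paper expects. The message samples are constructed; OLE_MAGIC is the standard header of the OLE compound-file container used by Word binary .DOC files.

```python
"""Mail-gateway triage for the "only accept RTF" policy and the ShareFun pattern.

Added example, not the paper's own code.  Attachments are classified by their
leading bytes: RTF text starts with "{\\rtf" and carries no macros, while a
Word binary .DOC is an OLE compound file (OLE_MAGIC header) that can carry
macros.  All messages below are constructed samples.
"""
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Dict, List, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Word binary container, can hold macros
RTF_MAGIC = b"{\\rtf"                           # RTF text, no macro support
SHAREFUN_SUBJECT = "you have got to see this!"
SHAREFUN_ATTACHMENT = "doc1.doc"


def classify_attachment(data: bytes) -> str:
    """Classify by content signature, ignoring whatever the filename claims."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "word-binary"
    return "other"


def triage_message(raw: str) -> Dict[str, object]:
    """Return subject, classified attachments and policy findings for one message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body_len = 0
    attachments: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        fname = part.get_filename()
        if fname:
            attachments.append((fname, classify_attachment(payload)))
        elif part.get_content_type() == "text/plain":
            body_len += len(payload.strip())

    findings: List[str] = []
    for fname, kind in attachments:
        if kind == "word-binary":
            findings.append(f"{fname}: Word binary document, may carry macros; policy expects RTF")
        if kind != "rtf" and fname.lower().endswith(".rtf"):
            findings.append(f"{fname}: .rtf extension but content is not RTF")
    names = [f.lower() for f, _ in attachments]
    if subject.lower() == SHAREFUN_SUBJECT and body_len == 0 and SHAREFUN_ATTACHMENT in names:
        findings.append("matches WordMacro/ShareFun mail pattern")
    elif body_len == 0 and any(k == "word-binary" for _, k in attachments):
        # Looser rule for variants that change the subject or attachment name.
        findings.append("Word document sent with an empty body (ShareFun-style)")
    return {"subject": subject, "attachments": attachments, "findings": findings}


def build_sample(subject: str, body: str, attachments: List[Tuple[str, bytes]]) -> str:
    """Construct a MIME message for the samples below."""
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = "someone@example.invalid"
    msg.attach(MIMEText(body, "plain"))
    for fname, data in attachments:
        part = MIMEApplication(data, Name=fname)
        part.add_header("Content-Disposition", "attachment", filename=fname)
        msg.attach(part)
    return msg.as_string()


# Constructed samples: a ShareFun-style message, a policy-compliant RTF, and a
# Word binary renamed to .rtf.
SHAREFUN_LIKE = build_sample("You have GOT to see this!", "",
                             [("DOC1.DOC", OLE_MAGIC + b"\x00" * 64)])
RTF_OK = build_sample("Minutes", "Attached as RTF, per the policy.",
                      [("minutes.rtf", b"{\\rtf1\\ansi Meeting notes}")])
RENAMED_DOC = build_sample("Contract", "Please review.",
                           [("contract.rtf", OLE_MAGIC + b"\x00" * 64)])

if __name__ == "__main__":
    for raw in (SHAREFUN_LIKE, RTF_OK, RENAMED_DOC):
        result = triage_message(raw)
        print(result["subject"], "->", result["findings"] or ["no findings"])
```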
If the receiver double-clicks on the attachment, he will get infected by the virus and will spread the infection further with his own MSMail. Thus, ShareFun can be considered to be a mix between a macro virus and an automatic chain letter. Do notice that this is not an "e-mail virus". You do not get infected by just reading e-mail; you need to actively use an attachment file, and you should always approach attachment files with caution.

ShareFun also has code to protect itself. If a user tries to analyse a sample of the virus via the Tools/Macro or File/Templates menus, the virus will execute and infect the NORMAL.DOT template.

Consider some of the implications of this:

1. Infected users of MSMail will spread the virus to their contacts very quickly. MSMail is a popular email program, so we could have a major epidemic in a very short time.

2. The virus sends copies of the document being used to random addresses from the alias list. The document could be confidential, and the alias could be for an outside contact or even a large distribution list.

However, the virus only works with English Word and English MS Mail, and it does not work with MS Exchange. Of course, a new variant could change any of these. ShareFun has not caused a major epidemic, and I have had no reported incidents in Hong Kong. Probably, the diversity of email programs in use has prevented an explosion of incidents, in the same way that a moderator in a nuclear reactor controls the chain reaction and prevents an explosion. However, it seems likely that we will see more of this type of virus in future.

Problems that Aren't Viruses

An additional problem with viruses from the Internet is, paradoxically, things that are not viruses! Specifically, hoax warnings about fictional viruses [8].

[8] Hoax warnings on the run, http://www.datafellows.com/news/hoax.htm (1997).
You have probably received the "Good Times" virus warning more than once, but there are others; at the beginning of September I saw a rash of warnings that were combined from several older warnings, including "Join the Crew" and "Penpal Greetings". In general, these warnings contain false information that looks valid to an ordinary user, but usually is obviously fake to a technical person. The message explains how terrible the new virus is, and tells the user to forward the message to all his friends. The ordinary user often forwards it to his entire address book, and then calls up technical support for help. Thus, the hoax is perpetuated and everyone's time is wasted. The Good Times hoax has undoubtedly wasted more time than most viruses.

It is interesting the way there are outbreaks of these hoaxes: we suddenly get copies of a warning from many different sources over a couple of weeks, and we spend time explaining that it is not real. Slowly, the warnings subside, either because it is "old news" or because our reassurance has worked. Then, a few months later, there is a new warning message (often with many of the same elements) and the cycle repeats.

Why is it so attractive for users to pass these messages on? Possibly because they all talk about an identifiable threat: watch out for a message with the subject "Good Times", or "Join the Crew" or "Penpal Greetings" or "Hacker Riot". It then gives a simple solution that anyone can follow, usually "delete the message without reading it". Overall, it tells people what they believe, "the world is a dangerous place", and what they want to hear, "and you can protect yourself". In the real world, these messages have some truth, but we need better protective measures than deleting email at random. It is difficult to prevent the propagation of hoaxes, but we can advise users to check warnings with a technical advisor before passing them on.
The Future on the Internet

As already stated, viruses are dependent on a particular environment to spread, so the increasing number of Internet applications may be creating new environments that new types of virus can exploit. Can we, therefore, expect to see a RealAudio or a JPEG virus? Simply, no, because everything in a RealAudio stream or a JPEG file will be interpreted as data, defining a sound or a picture, respectively. There is nothing in the definitions of these formats that allows instructions, so there is no way for one such object to create or modify other examples of these objects, and nothing a virus writer could exploit to create a virus. Naturally, it might be possible to introduce invalid data that would cause the program attempting to decode the data to crash, but this is a simple Denial of Service attack, and it is outside the scope of this paper.

The Web

The World Wide Web is currently based on HTML, Java and ActiveX. These are programming languages, so what are the possibilities for viruses? HTML is not a sufficiently featured language to allow one Web page to modify another, so it cannot support a virus. Java and ActiveX certainly have sufficient features. ActiveX approaches security by having signed code, guaranteeing that the recipient knows which company produced the applet and that it has not been modified. Once a user has decided that a software producer is acceptable, they have no control over what the applet can and cannot do. This approach offers no protection against a virus introduced at the development stage of an applet. The fact is that there are many documented cases of software manufacturers inadvertently distributing today's viruses; we have no reason to suppose that they will suddenly become perfectly secure.
The developer of an applet must be using an environment that allows unsigned code to be run, so a virus infecting the developer's machine can infect all applets produced by him. When the signing takes place, infected applets will be signed and users will be vulnerable to the virus payload. Users who suffer damage will be able to prove the source of the infected applet, but this does not lessen the damage and the virus writer cannot be traced. Developers of ActiveX applets are put in a difficult position: they have no way of ensuring their applets are uncontaminated, but are still responsible for any harm caused.

The security model used by the applet form of Java, JavaScript, restricts the actions of downloaded applets in conceptual sandboxes. Self-replicating code cannot escape from the sandbox, so a virus does not have a route to spread. Of course, specific implementations of the language may have bugs that compromise this security. Such bugs have already been found in some implementations, but they are somewhat version-specific, and a fix is normally published quickly, so they offer little for the ongoing spread of a virus.

Internet Commerce

Internet commerce is not a single, homogeneous environment. Rather, it is a collection of protocols, applications and techniques used in conjunction to facilitate a business process. As such it is subject to the security limitations of its components. Looking at each component in terms of computer viruses:

1. The messages are data that could not support a virus.
2. There will probably be a client application that is distributed to all users of the commerce service. It could be infected by a virus; if it was infected before distribution, large numbers of users could be affected.
3. If the goods being sold are software, they might be contaminated.

However, these are merely the ordinary problems of software distribution.
A more critical problem is that rogue software on users' machines could attempt to snatch keys or pass phrases and transmit them to a criminal. A virus would be an ideal method of delivering such rogue software. The virus would not have to use the Internet for replication, it could be a boot sector or macro virus; however, the payload would recognise when the victim Commerce Client was present on a machine and attempt to gather enough information to allow fraudulent transactions to be made. After transmitting the information, it might erase itself to hide the fact that anything happened. The point is that developers of commerce software must assume that it will be running in a hostile environment.

The Size of the Virus Problem

It is difficult to estimate the size of the virus problem: most companies do not have a central reporting mechanism, and reporting beyond that, at national or international level, is rare. A review of the sources available and what they can tell us is appropriate.

AntiVirus Solution Providers

Naturally, every antivirus developer receives new virus samples and technical support calls that give a picture of the virus situation. Some provide regular summaries for informational purposes. Although useful indicators, these are not a suitable basis for a quantitative assessment of the problem:

1. They are not independent reports. The public has a right to be skeptical of reports produced by a company with an obvious interest in the outcome.
2. Common viruses and viruses that are easily dealt with will be under-reported.

The problem of under-reporting of common viruses affects all victim-driven reporting mechanisms. If a particular virus occurs frequently and is handled easily, it will not be thought worth reporting. A virus that is unusual and causes problems will automatically result in a report because help is required to resolve the problems.
This makes it difficult to assess the actual prevalence of viruses in the real world. This, in turn, makes it difficult to assess the effectiveness of antivirus policies. Are we getting fewer reports of virus X because we are succeeding in wiping it out, or because it happens all the time, but it "only" takes 5 minutes to get rid of it? The difference in costs for a large organisation will be significant.

The Wildlist

This is a cooperative listing of viruses reported as being in the wild by 46 virus information professionals coordinated by Joe Wells (PC Viruses in the Wild, Joe Wells, jwells@mail.vcnet.com). The basis for these reports is virus incidents where a sample was received and positively identified by the participant. Rumors and unverified reports are excluded. The list should not be considered a list of "the most common viruses"; the data indicates only "which" viruses are in the wild, but viruses reported by many (or most) participants are obviously widespread. The WildList is currently being used as the basis for in-the-wild virus testing of antivirus products by Virus Bulletin and the NCSA (National Computer Security Association). Additionally, a virus collection based upon the WildList is being used in an effort to standardize the naming of common viruses. Thus, the list helps to make sure that antivirus software addresses the real threats. It is the most authoritative list of viruses in the wild worldwide, but it gives very little indication of the extent of the virus problem.

I have been one of the WildList contributors for about two years now. You can contribute to the accuracy of the list by making reports to me. It does not matter if it is a common virus; in fact it is usually the more unusual or difficult viruses that get reported because they are more reliable. An actual sample is the most important: if there is any question about which virus was found, it can be checked.
I do need to be able to confirm details, so a contact address is required, but this is not included in my report and is kept confidential. Any other details about the size or cost of the incident are useful but not essential.

Independent Surveys

Various groups have published surveys of viruses and other security problems. We will look at two from the USA.

Computer Crime and Security Survey

The Computer Security Institute in San Francisco (Second Annual Computer Crime and Security Survey, http://www.gocsi.com/preleas2.htm, 6 March 1997) surveyed 563 organisations on computer crime. 75% reported financial loss from various security breaches. The resulting quantifiable loss was over US$100M. 29% reported losses due to computer virus infestations totalling US$12M. This was greater than the reported loss from laptop theft, system penetration by outsiders or loss due to sabotage of data or networks. The message here is clear: viruses may not be your biggest threat, but they are not one you should forget about.

Computer Virus Prevalence Survey

The National Computer Security Association has published its 1997 Virus Prevalence Survey (1997 Virus Prevalence Survey, NCSA, April 1997, ftp://ftp.ncsa.com/oub/httpdfiles/ncsavsrv.zip) based on 300 sites with over 500 PC's per site. The questionnaire was detailed and examined the experience and perceptions of the people responsible for managing virus problems. They showed that the virus problem is pervasive: only two sites claimed never to have encountered a virus.

The Virus Problem is Getting Worse

The infection rate was about 33 of 1000 machines infected in any given month. This is a threefold increase over 1996, when it was about 10 of 1000 PC's per month. 45% of the respondents thought that the virus problem had become worse this year.
This was particularly pronounced for Word Macro viruses, with 50% thinking that the situation was worse.

Macro Viruses are Growing Fastest

WM.Concept became the commonest virus in Fall 1995 and it continues to grow more rapidly than any previous virus, infecting 49% of survey sites. Four out of the "top ten" virus list are macro viruses and macro viruses accounted for 80% of all infections reported.

One Third had a "Disaster"

A computer virus disaster was defined as a virus encounter where a minimum of 25 PC's, diskettes, or files were infected by the same virus at approximately the same time. 33.89% of the sites reported a disaster. Recovery from a disaster took an average of 44 hours, 21.7 person-days of work and US$8366 in costs.

Diskettes from Home Top Source of Infection

Diskettes brought from someone's home were cited as the source for 42% of incidents. Via an email attachment and via a download were also commonly cited.

Important Conclusions

The report concluded that, since viruses come to a site unexpectedly from the outside, sites with good protection will have about the same number of virus encounters as those with poor protection. However, good protection should limit the number of PC's, files or diskettes infected after it encounters a site. It is clear that increased full-time protection, especially at the desktop, is needed.

Hong Kong Surveys

There is not a lot of information about the prevalence of viruses and people's response to them in Hong Kong. To start to rectify this situation, a series of small-scale surveys at local computer exhibitions has been undertaken. Surveys were performed at IT Asia'95, Software'95, Networks'96 and Computer'97.
The surveys were carried out by an AntiVirus Solution Provider, but the respondents were chosen randomly at the exhibitions and the questionnaire used is presented in Appendix A so that it can be seen to be free from bias. There were between one and two hundred respondents in each survey, covering a wide range of organisation size and business area.

The great majority (80% or over in each survey) of respondents thought that it was important for their organisation to have an antivirus policy. However, significantly fewer (between 55% and 65%) knew that they had such a policy. The percentage that had a site license for antivirus software was even lower (39% to 54%). With the small sample sizes, there did not appear to be a significant temporal trend in these percentages. If we agree that, in order to manage a problem effectively, you must have an appropriate policy and be able to measure the problem, this is a disturbing result. It means that over a third of organisations have no policy to apply, and over half have no means to measure the problem. Additionally, the capability of organisations to manage the virus problem effectively is not improving.

The respondents were asked, "What viruses have YOU encountered in the last year?"; the wording was designed to reduce hearsay and encourage accuracy by limiting reports to recent memory. Between 25% and 46% made some response, and there is a generally increasing trend. The names reported require some interpretation, as the respondents seldom used the industry-standard CARO names for the viruses. Familiarity with the names reported by various antivirus software was used to categorise the results. For example, one AV software reports the name [Stone] for any one of a number of Stoned-related viruses, so reports of Stone and Stoned were grouped together. Similarly, Die Hard and DH2.
GenB and GenP are reported by one software for "any boot sector virus in a DOS boot sector or master boot record", respectively, so these were recorded as MBR / Boot Sector virus. The results, therefore, do not have the accuracy of the Wildlist: there is no sample that can be examined later to confirm whether it was exactly this or that variant. There are over one hundred Stoned variants, including the whole Monkey family, so what was reported as Stoned might be the same as what was, in other reports, Monkey. However, we can see some patterns. All the commonest responses at IT Asia 95 were boot sector viruses. Five out of the six commonest responses at Software 95 were boot sector viruses. Four out of the six commonest responses at Networks 96 were boot sector viruses; the other two were macro viruses. At Computer 97, four out of the commonest responses were boot sector viruses, and two were macro viruses.

The message mirrors the studies in other countries: boot sector viruses were the most common, but macro viruses are catching up fast.

Macro Viruses in Hong Kong

In the most recent survey at the Computer'97 Exhibition, it was decided to add specific questions to address the prevalence of macro viruses in the locally used versions of Word. As noted before, macro viruses cannot move completely freely between different language versions of Word, and this could have important consequences for the spread of macro viruses in Hong Kong. The same four questions were asked for four Word environments: Traditional Chinese, Simplified Chinese, English and English with Chinese Environment software. At least one of the Word environments was used by 87% of the respondents, 22% used more than one and 5% used more than two of the four. Clearly, there is a large susceptible population and some opportunity for macro viruses to cross between the languages.
A variety of Word versions were reported for all environments, with some respondents apparently giving the Office or Windows version, but Word 6 and 7 were most commonly used. Exchange of documents with other users was common too, ranging from 60% to 70%. When asked if they had encountered a macro virus in that environment, 32% of Traditional Chinese users, 50% of Simplified Chinese users, 34% of English users, and 40% of users of English with Chinese Environment software said yes. While the small sample size means that there is a wide error margin, it is clear that the incidence of macro viruses reported by users in this survey in the Chinese environments is just as high as in the English environment. This result is surprising, as it contradicts the picture given by the unsolicited reports to support staff. Given that some of these people cannot correctly identify the version of Word they are running, these reports should be viewed with some skepticism, but there is no reason to suppose that the inaccuracy of reporting is different for different environments.

When categorized by the number of Word environments used, there is no indication that using more than one Word environment increases the likelihood of encountering a macro virus. The prevalence of macro viruses among users of a single Word environment is 36%, and the prevalence among users of two or more Word environments is 33%. Only 13 respondents claimed to have encountered a macro virus in any other environment. When asked to be specific, nine of those gave no answer, two gave answers that indicated they had misunderstood the question, and two reported Excel. Other macro viruses, including Excel macro viruses, are clearly currently a minor problem in Hong Kong.

The Costs of Viruses

It is difficult to calculate the costs of viruses; there are so many things that can happen.
By using some actual incidents, we can estimate the costs of using no antivirus protection, ineffective protection and effective protection. The costs of antivirus software are based on undiscounted list prices for the first year.

Case 1: A small Solicitor's Office, no antivirus software

The office had 15 PC's and a server, with no internal support staff and no antivirus software. Users complained about being unable to save Word documents in selected directories (this is often the first symptom users notice when infected with a WordMacro virus). The office's dealer identified WordMacro/Concept and an antivirus technician was called in to clean all machines. This took three hours, and over three hundred documents were disinfected. Subsequently, the office purchased and installed antivirus software.

The calculable cost of that incident was three hours of antivirus technician at HK$500 per hour, HK$1500. Impossible to calculate is the time wasted by users as they found more and more problems when saving Word documents until the problem was finally reported. Also, if they do not install antivirus software, reinfection will certainly occur, either from diskettes that were not available when the technician was present, or from new infections brought in from outside contacts. We can estimate that, if antivirus software is not installed, the situation will reoccur once a month, on average. This makes the total cost annually HK$18000, or HK$1200 per machine, plus the lost working time. An efficient antivirus solution would cost about HK$8100 for the first year, saving almost HK$10000, plus working time.
Case 2: A large Organisation, poorly designed antivirus protection

The organisation has about 4500 PC's spread over the territory on many sites. They run a helpdesk and record approximately 50 virus incidents a week. These are mostly AntiCMOS and, increasingly, WordMacro/Concept. A lot of these incidents are reinfections: the PC is cleaned, and the next week it has become infected again; probably, someone whose diskette was infected by the machine the first time has come back and used their diskette in the machine again. The existing antivirus protection was a combination of a custom-made package, produced by their parent organisation, that could detect most of the viruses common in Hong Kong but did not include an active component, and an old version of MSAV. When a virus was found by the check during boot-up, the user would call the help desk and a technician would be dispatched to clean it.

If it takes just one hour for the technician to reach the machine and clean it (probably an underestimate, considering travel in Hong Kong), then each incident is costing 2 man-hours: the technician's time and the time of the user who cannot use the PC. If wages are HK$100 per hour, this is HK$520000 annually, or HK$156 per machine. This is certainly a better situation than the first case, due to the use of cheaper in-house technical support and because a virus could be on a machine for a maximum of a day before it was found during boot-up. This prevents the build-up of a large number of infected documents and disks. However, within that day, there is still adequate opportunity for the virus to spread to diskettes that are missed by the technicians. This is demonstrated by the high number of reported reinfections.
By moving to antivirus software that has active protection, the virus can be detected the first time a user accesses the diskette or file, the virus can be disinfected automatically or with a minimal amount of user interaction, and the cost in working time is, perhaps, a 5 minute call to the help desk to report the incident. By catching the virus when it first reaches the PC, it is prevented from spreading to other diskettes or files, so the chance of reinfection is minimised and the total number of virus incidents also falls. With these factors combined, the cost of dealing with viruses falls dramatically. If the incidents drop by 50% after the introduction of active antivirus protection, then the annual cost of the incidents is HK$21667. The cost of the new antivirus software is about HK$214000 for the first year, for a total of about HK$236000, or HK$52 per machine. The saving is over a quarter of a million.

Efficient Protection

So, for efficient protection, we require active detection. That is, files and diskettes are scanned when they are used. This means using a TSR in DOS, a VxD (Virtual Device Driver) in Windows 3.1 and 95, and a VDD in Windows NT. We also need near-automatic handling of routine incidents; sending out support staff is costly. Finally, users need simple instructions on what to do when an incident occurs, who to report to, and what to tell whoever passed them the infected object.

Conclusions

The virus problem has never been a major, worldwide disaster, but it is causing small disasters and general problems continuously. The problem is not going to disappear; it is going to get worse as complex programming tasks become simpler and the Internet continues to make global communications more efficient. Our task is to reduce the costs of viruses by efficient protection methods and user education.
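The cost comparisons in Cases 1 and 2 above reduce to a small model: incidents per year, time lost per incident, people involved and their wage, plus the first-year software cost. The following Python is an added example, not part of the original paper; it reproduces the paper's own HK$ figures from its stated assumptions and adds a break-even calculation, on the assumption (ours, not the paper's) that the 5 minute help-desk call in Case 2 consumes both the caller's and the help desk's time.

```python
"""Cost model for the virus-incident cases discussed in the paper.

Added example: the figures are the paper's, the model just makes the
arithmetic explicit so that the assumptions can be varied.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One protection posture for a site of `machines` PCs."""
    name: str
    machines: int
    incidents_per_year: float
    hours_per_incident: float     # clock time each affected person loses
    people_per_incident: int      # e.g. technician + user
    wage_per_hour: float          # HK$ per person-hour
    software_cost: float = 0.0    # first-year undiscounted list price


def incident_cost(s: Scenario) -> float:
    """Annual cost of the labour consumed by incidents alone (HK$)."""
    return (s.incidents_per_year * s.hours_per_incident
            * s.people_per_incident * s.wage_per_hour)


def total_cost(s: Scenario) -> float:
    """Incident labour plus first-year software cost (HK$)."""
    return incident_cost(s) + s.software_cost


def per_machine(s: Scenario) -> float:
    """Total annual cost spread over the site's machines (HK$)."""
    return total_cost(s) / s.machines


def saving(before: Scenario, after: Scenario) -> float:
    """Annual saving from moving from `before` to `after` (HK$)."""
    return total_cost(before) - total_cost(after)


def breakeven_incidents_per_year(s: Scenario, software_cost: float) -> float:
    """Incidents per year the software must prevent to pay for itself."""
    cost_of_one = s.hours_per_incident * s.people_per_incident * s.wage_per_hour
    return software_cost / cost_of_one


# Case 1: 15 PCs, no AV software, one Concept outbreak a month,
# 3 hours of an outside technician at HK$500 per hour each time.
CASE1_UNPROTECTED = Scenario("solicitor, no AV", 15, 12, 3.0, 1, 500.0)
# Same office with an AV package at about HK$8100 for the first year;
# as in the paper, residual incidents are not costed.
CASE1_PROTECTED = Scenario("solicitor, AV installed", 15, 0, 0.0, 1, 500.0, 8100.0)

# Case 2: 4500 PCs, boot-time check only, about 50 incidents a week,
# 1 hour each for technician and user at HK$100 per hour.
CASE2_PASSIVE = Scenario("large org, boot-time check", 4500, 50 * 52, 1.0, 2, 100.0)
# With on-access scanning: incidents halve, each costs a 5 minute call
# (assumed here to occupy two people), software about HK$214000.
CASE2_ACTIVE = Scenario("large org, on-access AV", 4500, 25 * 52, 5 / 60, 2, 100.0, 214000.0)


if __name__ == "__main__":
    for s in (CASE1_UNPROTECTED, CASE1_PROTECTED, CASE2_PASSIVE, CASE2_ACTIVE):
        print(f"{s.name:28} incidents HK${incident_cost(s):>10.0f}"
              f"  total HK${total_cost(s):>10.0f}  per PC HK${per_machine(s):>6.0f}")
    # Note: 520000 / 4500 comes to about HK$116 per PC for the passive case.
    print("Case 2 break-even:",
          breakeven_incidents_per_year(CASE2_PASSIVE, 214000.0), "incidents/year")
```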
References

Appendix A: Survey Details

The surveys were performed by the Marketing Department of Yui Kee Co. Ltd. at the following exhibitions:

- IT Asia'95 Exhibition, September 1995.
- Software'95 Exhibition, November 1995.
- Networks'96 Exhibition, July 1996.
- Hong Kong Computer'97 Exhibition, May 1997.

The survey questionnaire from the HK Computer 97 Exhibition is presented in full here, but many of the answers are both not relevant to this paper and sensitive business information. Therefore, only results from selected questions are presented. The questionnaires for the earlier surveys were substantially similar; changes in the relevant questions are noted in the results section.

M.AGD.0043.E10

Research Survey Questionnaire

The data collected by this survey will be used for statistical purposes only. Respondents will not be identified individually.

4. a) How many PCs and Macintosh computers in your organization?
      PCs:   0 [ ]   <10 [ ]   10-50 [ ]   51-100 [ ]   101-500 [ ]   >501 [ ]
      Macs:  0 [ ]   <10 [ ]   10-50 [ ]   51-100 [ ]   101-500 [ ]   >501 [ ]
   b) What type and how many network and file servers do you use in your organization?
      Win NT:          0 [ ]   <10 [ ]   10-50 [ ]   51-100 [ ]   101-500 [ ]   >501 [ ]
      Novell Netware:  0 [ ]   <10 [ ]   10-50 [ ]   51-100 [ ]   101-500 [ ]   >501 [ ]
      UNIX:            0 [ ]   <10 [ ]   10-50 [ ]   51-100 [ ]   101-500 [ ]   >501 [ ]
      Others, please specify ________   <10 [ ]   10-50 [ ]   51-100 [ ]   101-500 [ ]   >501 [ ]

5. What is your organization's business area?

13. a) How much, per computer, per year, would you be willing to spend on a personal anti-virus software package?
      HK$  0 [ ]   1-50 [ ]   51-100 [ ]   101-500 [ ]   501-1000 [ ]   1001-2000 [ ]   >2000 [ ]   Don't know [ ]
    b) How much, per computer, per year, would you be willing to spend on a personal desktop encryption software package?
      HK$  0 [ ]   1-50 [ ]   51-100 [ ]   101-500 [ ]   501-1000 [ ]   1001-2000 [ ]   >2000 [ ]   Don't know [ ]

14. How important do you think a local support and update service is for anti-virus software and data security software?
      Unimportant [ ]   Not very important [ ]   Very important [ ]   Essential [ ]

15. What viruses have YOU encountered in the last year?
      ___________________________________________________________________________

Macro Viruses

The following section investigates the potential for the spread of macro viruses under different locally used environments. Please answer these questions for each of the environments:
      [A] Microsoft Word, Traditional Chinese
      [B] Microsoft Word, Simplified Chinese
      [C] Microsoft Word, English
      [D] Microsoft Word, English with Chinese Environment software (eg. Twin Bridge)

27. Has your organization considered building a private network to form an Intranet, or does your organization already have an Intranet?
      Yes [ ]   No [ ]
    if YES:
    a. How is the Intranet protected?
      We use leased lines [ ]
      We have firewalls installed [ ]
      We use Virtual Private Network (VPN) software to protect the intranet [ ]
      We have firewalls and a VPN [ ]
      No protection [ ]

28. Do your organization's system administrators use an encrypted connection while maintaining your UNIX systems, to protect against password sniffing and other active attacks?
      Yes [ ]   No [ ]   Don't know [ ]

29. Has your organization been under attack by hackers from the Internet?
      Yes [ ]   No [ ]   Don't know [ ]
Thank you very much for your time!

Results

The Exhibition titles are abbreviated:

ITA95   IT Asia'95 Exhibition
SW95    Software'95 Exhibition
NW96    Networks'96 Exhibition
HKC97   HK Computer'97 Exhibition

The number of respondents in each exhibition was:

Exhibition   Respondents
ITA95        143
SW95         121
NW96         182
HKC97        143

Organisation Information

How Many Staff

             ITA95   SW95   NW96   HKC97
<10             23     17      9      33
10-50           29     36     61      48
51-100          21     23     23      10
101-500         25     30     43      22
>501            36     13     41      30
Unknown          9      2      5       -

How Many Personal Computers (NB: This question was subdivided into PC's and Macs for NW96 and HKC97)

             ITA95   SW95   NW96 PC   NW96 Mac   HKC97 PC   HKC97 Mac
0                -      -         7        129         13         100
<10             35     25        18         33         49          29
10-50           45     45        76         10         36           9
51-100          14     22        31          1          9           1
101-500         23     20        31          4         19           2
>501            18      7        19          4         17           2
Unknown          8      2         1          1          -           -

How Many Servers (NB: This question was not asked for ITA95 and SW96)

             NW96 Win NT   NW96 Netware   NW96 Unix   NW96 Other   HKC97 Win NT   HKC97 Netware   HKC97 Unix   HKC97 Other
0                    100             66         122          175             89              89          115           139
<10                   63             84          42            3             42              38           17             4
10-50                 17             22          15            2              8              12            8             0
51-100                 1              5           1            0              2               2            3             0
101-500                1              2           1            1              1               1            0             0
>501                   0              3           1            1              1               1            0             0
Unknown                -              -           -            -              -               -            -             -

Business Area

                             ITA95   SW95   NW96   HKC97
Banking/Finance                  7     14     14       7
Distributor/Dealer               6     11     18      11
Trading                         24     18     21      22
Consultancy/Servicing            7     10     30      15
Publishing                       2      2      6      11
Airline/Shipping/Transport      12      2      6       7
Manufacturing                   23     16     29      18
Construction/Architecture       10      5     10       4
Government                      11      3      5       9
Education                       14      4      4       2
Hospitality (Hotel/Travel)       3      3      4       5
Retailer                         5      3      6       7
Other, specified                10     27     24      17
blank                            9      3      0       8

Antivirus Information

Do you think that it is important for your organisation to have an anti-virus policy?

             ITA95   SW95   NW96   HKC97
Yes            129    100    166     114
No               3     18      9      16
Don't Know      11      3      6      13

Does your organisation have an antivirus/information security policy?

             ITA95   SW95   NW96   HKC97
Yes             87     67    118      90
No              39     41     48      37
Don't Know      17     13     15      16

Does your organisation have a site license for antivirus software?

             ITA95   SW95   NW96   HKC97
Yes             72     47     98      64
No              39     44     48      54
Don't Know      32     30     35      25

15. What viruses have YOU encountered in the last year?

Exhibition   Made some response
ITA95        41
SW95         43
NW96         46
HKC97        67

The commonest responses at ITA95 were:

Stoned / Stone    20
Michelangelo       3
Monkey             3
AntiCMOS           2

The commonest responses at SW95 were:

Stoned / Stone    28
Michelangelo      13
AntiCMOS           4
Die Hard           3
Monkey             2
Form               2

The commonest responses at NW96 were:

AntiCMOS                   19
Word Macro                  7
Stoned / Stone              7
Concept                     3
Michelangelo                3
MBR / Boot Sector Virus     3

The commonest responses at HKC97 were:

Forget             23
AntiCMOS           14
Stoned / Stone      9
Word Macro          8
Concept             4
Monkey              4
Die Hard / DH2      3
Michelangelo        3

Macro Viruses at HKC97

The questions about Word and Macro viruses were only added for the last survey.

                                Traditional Chinese   Simplified Chinese   English   English with Chinese Environment Software
16. Use?                                         56                   10        65                                          30
18. Exchange Documents                           33                    7        41                                          18
19. Encountered a Macro Virus                    18                    5        22                                          12

Users of Multiple Language Environments

Languages                 1      2     3     4
Number of Users          98     21     3     3
% of All Word Users    78.4   16.8   2.4   2.4

17. Word Versions Reported

                                             3.1    4   4.2   4.3    5    6   6.1    7   93   95   96   97   NT   blank
Traditional Chinese                            1    1     1     -   16   10     -   15    -    3    1    2    -      16
Simplified Chinese                           (row values not recoverable)
English                                        1    1     -     -   11   21     1   16    1    5    3    4    1      14
English with Chinese Environment Software      -    2     -     -   11    2     -   12    -    4    1    4    -       8