Guidelines for the AVERT Risk Assessment
This document describes the process of deriving the AVERT Risk Assessment (ARA) with an explanation of each risk level and suggestions for actions to be taken. In addition, there are detailed examples of well-known viruses to highlight each of the risk levels.
Goals and Benefits of the Risk Assessment:
Today 50,000 different viruses, variants and trojans are known to exist. This count increases by approximately 1000 per month.
The AVERT Risk Assessment (ARA) is the first early warning system created by virus research experts. The goal of this system is to help network administrators assess the risk associated with new virus outbreaks. The implementation of the ARA system is done by AVERT (Anti-Virus Emergency Response Team), a team of virus security experts at Network Associates. This team assesses each new virus discovered as high-, medium-, or low-risk based on criteria described below. In addition, it also decides if a virus should be placed on the AVERT Watch List.
The virus risk assessment for each new virus will be posted to the Virus Information Library (VIL) on Network Associates’ Web site at http://vil.mcafee.com. It will also be included in Virus Alerts and Advisories issued by AVERT (http://vil.mcafee.com), to be used as a gauge to determine the best cost-effective response to new virus threats.
Criteria for Assessing the Risk:
Three criteria are used by Network Associates to assess the risk of a virus: prevalence, danger of payload, and commonality of infection vehicle (the environment).
Prevalence is measured by reports from the wild. Infections reported directly to Network Associates are accepted as firm cases, but reports made by other anti-virus vendors are also taken into consideration. For virus alerts, prevalence is the most important criterion: a real security threat exists only if a virus is found in the field. There are four levels of prevalence:
Prevalence        Meaning
Very widespread   The virus is in the wild. Extensive infections are reported globally.
Widespread        The virus is in the wild. Infections are reported very often but might be limited to a region or a few countries.
Less spread       The virus is in the wild. Infections are reported sporadically, indicating a very limited prevalence.
Not spread        No infections have been reported; the virus is not considered to be in the wild.
Danger of payload is derived from the magnitude of the potential damage should an infection occur, including loss of revenue or data. The payload is therefore very important when assigning a risk to a virus that has already been found in the field. The danger of payload is categorized as follows:
Danger of Payload      Examples
Little Damage          Output of text or sound.
Medium Damage          Deletion of single files; machine temporarily not available.
Serious Damage         Deletion of many files, formatting of hard drives, deletion of Flash BIOS, and similar.
Very Serious Damage    Silent manipulation of data.
Unforeseeable Damage   Redistribution of confidential data to third parties.
The commonality of the infection vehicle reflects the number of computer users who use the program or system that the virus needs to infect. Not only the distribution of the system matters; its everyday use is what gives the virus the means to infect. The following table describes the commonality of known target platforms.
Commonality    Platform
Very common    Operating systems: Windows 95/98, Windows NT
               Applications: Word, Excel, E-mail, Newsgroups
Common         Operating systems: DOS, Mac-OS
               Applications: PowerPoint, Windows Scripting Host (for Visual Basic Script and JavaScript)
Less common    Operating systems: Unix, OS/2
               Applications: Access, Corel Draw (Corel Script)
Description of Risk Levels:
To achieve a system that is easy to administer and understand, AVERT offers three risk levels: high-, medium-, and low-risk. To optimize the AVERT Risk Assessment as an early warning system, an additional level was added: Medium-On Watch.
A virus that has not been reported in the wild and is considered unlikely to be found in the wild in the future has a low risk. Even if such a virus includes a Very Serious or Unforeseeable Damage payload, its risk is still low.
There are exceptions, as circumstances surrounding certain viruses may give them a medium rating. One such exception is what AVERT considers to be part of the virus’s media profile: if a virus is in the news, the public’s curiosity may cause events to follow, and because of that curiosity AVERT might decide to give a low-risk virus a medium risk assessment.
If a virus is found in the field and uses a Less Common infection mechanism, it is assigned a medium risk. If its prevalence stays low and its payload is not serious, it can be downgraded to a low risk. Similarly, it can be upgraded to a high risk if the virus is becoming more and more widespread.
To be assigned a high-risk rating, it is necessary that a virus be reported often or very often in the field. Additionally, the payload must have the ability to cause at least some Serious Damage. If it causes Very Serious or Unforeseeable Damage, high risk might be accorded even with a lower level of prevalence.
The status Medium-On Watch is for viruses that are medium-risk due to their currently low prevalence, but might become more prevalent. This status is especially important for viruses that use fast infection mechanisms like email.
Examples of Risk Assessments:
Parity.b: This boot virus has a medium risk. It is quite common and can be found all over the world. The danger of payload is medium (if no key is pressed for a long time, the virus displays a message and freezes the machine). As a pure boot virus it uses an infection vehicle that is steadily losing importance, and several factors are steadily decreasing its risk. If the current trends in how modern IT infrastructure stores and transfers data (file servers, email, ftp) and in operating system architecture (it cannot become active on NT) continue, Parity.b will become very rare in modern IT environments and drop to a low risk.
XM/Compat: This macro virus was assigned a high risk by AVERT initially. It was often reported in the wild and its payload caused very serious damage by manipulating cell values in spreadsheets. Back then Excel 5 and 7 were also highly used platforms.
Win95/CIH: CIH is one of the best known and most feared viruses since its first appearance in the summer of 1998. It definitely has a high risk. Many infections were reported and it was widespread; especially in the beginning, it was very widespread through pirated software and Internet downloads. If the virus’s payload triggers, it erases data on the hard disk and tries to overwrite the machine’s Flash BIOS, potentially leaving the machine unusable. This payload is considered very serious. Running on Windows 95/98, the virus infects a very common platform. CIH was also one of the first functional Windows viruses, which is a special contributing factor.
W32/Ska (Happy99): This worm attaches itself to outgoing email. To do this it modifies the file WSOCK32.DLL, so its infection vehicle is Windows machines (on NT, this normally fails). It has achieved a very high prevalence. Its payload (displaying a fireworks graphic when the attachment HAPPY99.EXE is run) causes little damage but makes users re-send the file to their friends. Because its payload causes so little damage, the worm is assessed a medium risk rather than high.
W97M/Melissa.a: This macro virus infects Word 97 documents and sends itself by email to fifty recipients in each Outlook address book. Although its payload does little damage (the virus may insert some text), AVERT assigned it a high risk rating because of its infection technique. Melissa caused damage indirectly by overloading mail servers, which then had to be shut down.
W32/ExploreZip.worm: This is a very dangerous worm spreading by email and through in-house network shares. Specific features make its already dangerous infection technique even more successful: it replies to incoming mail and attaches itself as ZIPPED_FILES.EXE, and the mail text makes the user believe this is a self-extracting ZIP archive. It also has a very serious payload (deleting file types such as Word documents, Excel workbooks, PowerPoint presentations and source code files on all available drives). All this together leads to a high risk rating.
W97M/JulyKill.a: This Word 97 macro virus tries to delete all files on drive C: by using the DELTREE command. However, it only runs on Far East versions of Word 97 if Service Release 1 (SR-1) has not been applied. It was not reported in the wild, so AVERT assigned it to the low risk category.
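The following Python model is an added illustration of the risk-level rules in the "Description of Risk Levels" section, applied to the viruses in the examples above. It is not AVERT's or Network Associates' code. The enumerations mirror the three criteria tables; the prevalence, payload and commonality levels assigned to each example virus are this illustration's reading of the prose, not figures the guidelines state explicitly, and the prevalence threshold at which a Less Common vehicle can reach high risk (VERY_WIDESPREAD) and the "MailWorm" Medium-On Watch case are constructed assumptions. Melissa is modelled as an analyst override, since the guidelines rate it high on infection technique rather than on the baseline payload rule.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Prevalence(IntEnum):
    """Reports from the wild; ordered so '>=' means 'at least this prevalent'."""
    NOT_SPREAD = 0       # no infections reported; not considered in the wild
    LESS_SPREAD = 1      # sporadic reports
    WIDESPREAD = 2       # reported very often, possibly limited to a region
    VERY_WIDESPREAD = 3  # extensive infections reported globally


class Payload(IntEnum):
    """Danger of payload, from the guidelines' damage table."""
    LITTLE = 0           # output of text or sound
    MEDIUM = 1           # single files deleted, machine temporarily unavailable
    SERIOUS = 2          # many files deleted, drives formatted, Flash BIOS erased
    VERY_SERIOUS = 3     # silent manipulation of data
    UNFORESEEABLE = 4    # confidential data redistributed to third parties


class Commonality(IntEnum):
    """How common the platform the virus needs to infect is."""
    LESS_COMMON = 0      # Unix, OS/2, Access, Corel Script
    COMMON = 1           # DOS, Mac-OS, PowerPoint, Windows Scripting Host
    VERY_COMMON = 2      # Windows 95/98/NT, Word, Excel, e-mail


@dataclass(frozen=True)
class VirusProfile:
    name: str
    prevalence: Prevalence
    payload: Payload
    commonality: Commonality
    fast_vehicle: bool = False              # spreads by a fast mechanism such as e-mail
    analyst_override: Optional[str] = None  # rating AVERT assigns outside the baseline rules
    override_reason: str = ""


def baseline_rating(p: VirusProfile) -> str:
    """Apply the ARA rules in the order the guidelines state them."""
    # Not found in the field: low, even with a Very Serious or Unforeseeable payload.
    if p.prevalence == Prevalence.NOT_SPREAD:
        return "low"
    # In the field on a Less Common vehicle: medium. The guidelines only say it is
    # upgraded "if the virus is getting more and more widespread"; the threshold
    # VERY_WIDESPREAD used here is an assumption of this example.
    if p.commonality == Commonality.LESS_COMMON and p.prevalence < Prevalence.VERY_WIDESPREAD:
        return "medium"
    # High: reported often or very often, and at least Serious damage ...
    if p.prevalence >= Prevalence.WIDESPREAD and p.payload >= Payload.SERIOUS:
        return "high"
    # ... or Very Serious / Unforeseeable damage with lower prevalence
    # (the guidelines say high "might" be accorded; this model grants it).
    if p.payload >= Payload.VERY_SERIOUS:
        return "high"
    # Everything else found in the field is medium. Sporadic reports plus a fast
    # vehicle is the Medium-On Watch case.
    if p.prevalence == Prevalence.LESS_SPREAD and p.fast_vehicle:
        return "medium-on watch"
    return "medium"


def final_rating(p: VirusProfile) -> str:
    """Baseline result unless AVERT applied one of its documented exceptions."""
    return p.analyst_override or baseline_rating(p)


def page_examples() -> List[VirusProfile]:
    """The viruses from the guidelines' examples section. The levels are this
    example's reading of the prose, not figures the guidelines state explicitly."""
    return [
        VirusProfile("Parity.b", Prevalence.WIDESPREAD, Payload.MEDIUM, Commonality.COMMON),
        VirusProfile("XM/Compat", Prevalence.WIDESPREAD, Payload.VERY_SERIOUS, Commonality.VERY_COMMON),
        VirusProfile("Win95/CIH", Prevalence.VERY_WIDESPREAD, Payload.VERY_SERIOUS, Commonality.VERY_COMMON),
        VirusProfile("W32/Ska", Prevalence.VERY_WIDESPREAD, Payload.LITTLE, Commonality.VERY_COMMON,
                     fast_vehicle=True),
        VirusProfile("W97M/Melissa.a", Prevalence.WIDESPREAD, Payload.LITTLE, Commonality.VERY_COMMON,
                     fast_vehicle=True, analyst_override="high",
                     override_reason="infection technique overloaded mail servers"),
        VirusProfile("W32/ExploreZip.worm", Prevalence.WIDESPREAD, Payload.VERY_SERIOUS,
                     Commonality.VERY_COMMON, fast_vehicle=True),
        VirusProfile("W97M/JulyKill.a", Prevalence.NOT_SPREAD, Payload.SERIOUS, Commonality.LESS_COMMON),
        # Constructed Medium-On Watch case (not one of the guidelines' examples):
        # sporadic reports so far, but an e-mail vehicle that could change that quickly.
        VirusProfile("HYPOTHETICAL/MailWorm", Prevalence.LESS_SPREAD, Payload.MEDIUM,
                     Commonality.VERY_COMMON, fast_vehicle=True),
    ]


def assess_all(profiles: List[VirusProfile]) -> Dict[str, str]:
    """Map each virus name to its final ARA rating."""
    return {p.name: final_rating(p) for p in profiles}


if __name__ == "__main__":
    for p in page_examples():
        note = f" (override: {p.override_reason})" if p.analyst_override else ""
        print(f"{p.name:22s} baseline={baseline_rating(p):15s} final={final_rating(p)}{note}")
```

Running the module prints the baseline and final rating for each example; the two differ only for Melissa, which is exactly the kind of case the guidelines reserve for AVERT judgement rather than the rule table. Keeping the override and its reason as explicit fields, rather than hiding them inside the rules, is what makes later up- or downgrades (as described for Parity.b and for Less Common vehicles) auditable.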
Recommended Actions:
AVERT recommends the following actions to correspond with the ARA. These actions are intended to be generic. Modifications should be made for a company’s specific needs.
In the majority of cases for low risk viruses, no specific action is needed. The regular weekly update of virus definitions is sufficient.
For a medium risk virus, IT groups should update infrastructure security products like Internet gateways and mail and file servers as soon as possible. ExtraDATs provided by Network Associates can be used to update such machines very quickly. It is also recommended that updates be done to VirusScan in security sensitive areas of the company, as warranted by the description of the alert. If the virus detection is not in the next weekly DAT file set, a company-wide distribution of the ExtraDAT is recommended. AVERT will note in all virus descriptions the DAT file set required for detection of the virus.
If a virus is rated a high risk AVERT strongly recommends updating VirusScan on all machines in the company. Highest priority should be given to updating the IT infrastructure mentioned above. An emergency plan should help to coordinate communication between the different departments and define responsibilities.
When AVERT assigns a Medium-On Watch status to a virus, the same measures should be taken as for a medium risk assessment. Preparations should be made for the possibility of the virus attaining high risk.
AVERT has provided this outline of its Risk Assessment for our customers’ benefit. We review all of our virus research practices and recommendations regularly. In doing so, we can make the necessary changes to provide our customers with the best service we possibly can. As of this date the Risk Assessment program and documentation are a living component of the AVERT Virus Research and Support practice. They will be updated from time to time as we evolve our research to provide the best solutions possible.