By Julian Matthews
November 03, 2000
Malaysian Government Site Spreads Anti-Mahathir Virus
KUALA LUMPUR, MALAYSIA, NOV 03 2000, Newsbytes
Malaysia's national budget speech, available online at a government Web site, is infected with a virus that may overwrite Microsoft Word documents and add in rude comments against Prime Minister Mahathir Mohamad.
Local virus expert Looi Hoong Thoong confirmed that the document at the official Finance Ministry Web site is infected by the Hampehs virus, believed to be of local origin.
"This is probably a made-in-Malaysia macro virus. The virus will overwrite Microsoft Word document files and add in very rude comments in .doc files against the Prime Minister," he said.
The infected document was posted online last Friday to coincide with a speech read by the Finance Minister Daim Zainuddin in parliament. Ironically, the speech was mainly directed at improving PC literacy among Malaysians.
At press time, the infected document was still downloadable at http://www.treasury.gov.my/englishversion/index.html . Only the English version of the speech is infected and is part of three Word files contained in an executable file txtbud2001.exe. It could not be immediately ascertained how many users had already downloaded the file and how the file was infected.
Code within the document directs users to a Web site, hampehs.cjb.net, in which a "Mr DingDang" claims authorship for the virus.
Written in colloquial Malay, the virus writer said he created the virus, among other reasons, because he was "unsatisfied with the present government" and wanted to express contempt for the prime minister.
Mahathir has been at the receiving end of virulent criticism by various Web sites ever since the sudden sacking of deputy Prime Minister Anwar Ibrahim in September 1998, and his subsequent arrest and conviction on corruption and sodomy offenses.
DingDang claims he created the "harmless" virus in a week in October 1999 while learning the Visual Basic language and that it is the same one listed in both the McAfee Anti-virus site and Symantec Antivirus Research Center site as W97M.Shepmah, documented since January this year.
The virus is described as "low-risk". If executed on Feb. 25, the virus has a payload added to autoexec.bat file that renames "Program Files" and "Windows" folders to "tempt1" and "tempt2". It will also display a dialog box, which cycles through seven different messages from the virus writer that contains the anti-Mahathir commentary.
Looi, the creator of anti-virus program V-Buster, believes the virus was in the Web server or on the computer on which the speech was typed a long time ago and probably "passed from department to department."
He counts various government departments and agencies among his clients that have complained of such virus attacks.
"One government agency recently brought their server to me for cleaning and I found almost every file was infected. There were between 30 to 40 different viruses," he said.
Penang-based Looi reckons that although the agency used a well known anti-virus program it was ineffective, as most US-based anti-virus programs may miss Malaysian-made viruses.
He vouches that V-Buster can detect and inactivate the Hampehs virus, however parts of documents with the rude comments will have to be manually removed from each Microsoft Word document.
Looi said Malaysian-made viruses have been around for a long time although this may be the first one written with political motivations. "Many virus writers leave no signature and their origins cannot be verified. The first Malaysian-made virus may have been Counter Warfare, a destructive boot virus, which appeared in 1990."
Others examples go by the names Fellowship, Black Monday, FSKSM, BUSM, Malaysia98 and possibly, Ada.
Looi believes the viruses are created by teen-agers or college students, mainly for the challenge of seeing how far they will spread. They are usually written with virus generator programs easily downloaded from the Net.
He said the first Malaysian macro virus was probably FSKSM, written by a student from University of Malaya, the leading university in the country. "When you open an infected file it will ask 'Are you a Faculty of Science student'. It opens if you type 'Yes' but causes the computer to hang if you type 'No'. This virus caused more than 60 percent of the computers in the university to shut down at one stage," he said.
Virus writing in Asia may be on the rise with growing Internet use and rising software literacy rates. Two high-profile incidents that caused global impact were the CIH, or Chernobyl virus created by Chen Ing-hau, a former computer engineering student in Taiwan, and the "I Love You" virus created by Onel De Guzman, a former computer student from the Philippines.
Published in Newsbytes