Information Security News mailing list archives

Malaysian Government Site Spreads Anti-Mahathir Virus


From: William Knowles <wk () C4I ORG>
Date: Tue, 7 Nov 2000 05:45:16 -0600

http://www.computeruser.com/news/00/11/07/news19.html

By Julian Matthews
November 07, 2000

Malaysia's national budget speech, available online at a government
Web site, is infected with a virus that may overwrite Microsoft Word
documents and add in rude comments against Prime Minister Mahathir
Mohamad.

Local virus expert Looi Hoong Thoong confirmed that the document at
the official Finance Ministry Web site is infected by the Hampehs
virus, believed to be of local origin.

"This is probably a made-in-Malaysia macro virus. The virus will
overwrite Microsoft Word document files and add in very rude comments
in .doc files against the Prime Minister," he said.

The infected document was posted online last Friday to coincide with a
speech read by the Finance Minister Daim Zainuddin in parliament.
Ironically, the speech was mainly directed at improving PC literacy
among Malaysians.

At press time, the infected document was still downloadable at
http://www.treasury.gov.my/englishversion/index.html . Only the
English version of the speech is infected and is part of three Word
files contained in an executable file txtbud2001.exe. It could not be
immediately ascertained how many users had already downloaded the file
and how the file was infected.

Code within the document directs users to a Web site, hampehs.cjb.net,
in which a "Mr DingDang" claims authorship for the virus.

Written in colloquial Malay, the virus writer said he created the
virus, among other reasons, because he was "unsatisfied with the
present government" and wanted to express contempt for the prime
minister.

Mahathir has been at the receiving end of virulent criticism by
various Web sites ever since the sudden sacking of deputy Prime
Minister Anwar Ibrahim in September 1998, and his subsequent arrest
and conviction on corruption and sodomy offenses.

DingDang claims he created the "harmless" virus in a week in October
1999 while learning the Visual Basic language and that it is the same
one listed in both the McAfee Anti-virus site and Symantec Antivirus
Research Center site as W97M.Shepmah, documented since January this
year.

The virus is described as "low-risk". If executed on Feb. 25, the
virus adds a payload to the autoexec.bat file that renames the
"Program Files" and "Windows" folders to "tempt1" and "tempt2". It
will also display a dialog box, which cycles through seven different
messages from the virus writer that contain the anti-Mahathir
commentary.

Looi, the creator of anti-virus program V-Buster, believes the virus
was in the Web server or on the computer on which the speech was typed
a long time ago and probably "passed from department to department."

He counts various government departments and agencies among his
clients that have complained of such virus attacks.

"One government agency recently brought their server to me for
cleaning and I found almost every file was infected. There were
between 30 to 40 different viruses," he said.

Penang-based Looi reckons that although the agency used a well known
anti-virus program it was ineffective, as most US-based anti-virus
programs may miss Malaysian-made viruses.

He vouches that V-Buster can detect and inactivate the Hampehs virus;
however, parts of documents with the rude comments will have to be
manually removed from each Microsoft Word document.

Looi said Malaysian-made viruses have been around for a long time
although this may be the first one written with political motivations.
"Many virus writers leave no signature and their origins cannot be
verified. The first Malaysian-made virus may have been Counter
Warfare, a destructive boot virus, which appeared in 1990."

Other examples go by the names Fellowship, Black Monday, FSKSM, BUSM,
Malaysia98 and possibly, Ada.

Looi believes the viruses are created by teen-agers or college
students, mainly for the challenge of seeing how far they will spread.
They are usually written with virus generator programs easily
downloaded from the Net.

He said the first Malaysian macro virus was probably FSKSM, written by
a student from University of Malaya, the leading university in the
country. "When you open an infected file it will ask 'Are you a
Faculty of Science student'. It opens if you type 'Yes' but causes the
computer to hang if you type 'No'. This virus caused more than 60
percent of the computers in the university to shut down at one stage,"
he said.

Virus writing in Asia may be on the rise with growing Internet use and
rising software literacy rates. Two high-profile incidents that caused
global impact were the CIH, or Chernobyl virus created by Chen
Ing-hau, a former computer engineering student in Taiwan, and the "I
Love You" virus created by Onel De Guzman, a former computer student
from the Philippines.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
