Allan George Dyer
For viruses, as in so many other areas, Hong Kong provides a unique mixture of cultures and a fast-moving environment.
Locally Common Viruses
Most globally common viruses have been reported in Hong Kong, but the commonest viruses appear to have originated locally. Listed in no particular order:
- AntiCMOS
- Mange-tout.1099
- Jerusalem.Vtech variants: 2513, 2358, 2886, 2880
- Mange-tout.1091
- Ming.491
- Shutdown.644
- Jerusalem.J-virus
- Amoeba using CLME (no CARO name yet)
Also, cases of B1, Die_Hard and Sampo have been reported recently.
Quite a few on this list were written in Hong Kong (Jerusalem.Vtech, Ming, Shutdown, Jerusalem.J-virus and Amoeba using CLME), apparently by an active virus-writing group that is still recruiting new members. Messages on local BBSs indicate that the group has at least one private BBS for internal communication (though such hints must be treated with due caution). The viruses produced towards the end of 1993 were very simple (including an overwriting file virus), but current releases show polymorphism. Typically, the group distributes new viruses by infecting other software (McAfee Scan and Microsoft mouse drivers have been targets) and uploading it to many BBSs, claiming that it is the latest version or, in one case, locally written software to detect the Jerusalem.Vtech viruses.
The motivation of this group is unclear. They have not made big announcements of their objectives, but they do not appear very secretive either: the viruses state their handles. Some of their messages on BBSs have been directed at anti-virus workers, indicating they see it as a competition, but the viruses are frequently intentionally damaging, and the distribution method has been chosen to cause maximum havoc.
International Connections
Some of the other viruses listed might have originated in China, such as Mange_tout and AntiCMOS. Certainly they were detected very early in companies with connections in China, and have since been shown to be common there. A recent visit to China clearly showed that there are viruses there that have never been seen by Western virus researchers.
Hong Kong's position as the gateway to China and a major trading centre thus gives it some importance in the spread of viruses internationally. Large numbers of pre-formatted diskettes are exported from China, and motherboards, add-in cards and machines may be assembled or packaged (with driver diskettes) here.
Some examples will help to illustrate this:
The Nice virus, written in Hong Kong (an early offering by the writer of Ming and Amoeba using CLME), was first found circulating in Hong Kong BBSs in January, 1994. Two weeks later a minor variant was found in Lapland and traced to a set of video driver diskettes that had been duplicated in Hong Kong from an infected master diskette.
The Mange-tout.1099 virus was first found in a Hong Kong company with a factory in China in January, 1994. Other samples were collected in Hong Kong, initially from companies with Chinese connections, but it was clearly becoming common in the Territory. At the end of August, 1994, it was detected on VGA display driver diskettes from Hong Kong in Norway. By looking at recent samples and anti-virus programs from China, it is clear that Mange-tout.1099 is well-known there.
These viruses are not particularly virulent (the Nice virus overwrites its victim, so it is likely to get noticed fast), but they have achieved international distribution by infecting an exporter.
Chinese Language Viruses
Jerusalem.J-virus is interesting for another reason: it is a rare example of a virus that is intended to display text in Chinese. It contains bitmaps for two Chinese characters, "Death God", though this fails to display on some hardware. There are a number of Chinese language shells, frequently loaded on top of DOS, that a virus could take advantage of to display messages in Chinese; it is interesting that none of the known viruses do this. This may be because the writers recognise the compatibility problems: these shells are often used intermittently because of their large memory requirements.
The Law
Near the beginning of 1992, the Hong Kong Computer Crimes Bill became law, representing one of the first of its kind in the rapidly developing Far East Region (see "Information Systems Security: legal aspects", Dr. Matthew K. O. Lee, Hong Kong Computer Journal, vol. 9 no. 11 p. 19-22). The law amends existing criminal law to introduce four new types of offence. For computer viruses, there are two key changes:
- The term "property" now includes any computer program or data held in any form and by any medium.
- Property damage now includes:
  - causing a computer not to function normally;
  - altering or erasing any program or data held in any form and by any medium;
  - adding any program or data to the contents of a computer or any computer storage medium.
Importantly, recklessness may suffice as intention. So it would appear that writing a virus with no intention of distributing it is not an offence, and distributing a virus is an offence. Possessing a virus-infected diskette with the intention of using it on someone's computer system might be an offence even if the accused was unaware of the virus at the relevant time (since recklessness is equated to intent). The maximum penalty for this offence is 10 years imprisonment. There are two particular defenses: the accused is not guilty if, at the relevant time:
- he believed he had been given consent to do the alleged activities;
- he believed he would have been given consent, if the person entitled to give such consent knew all the relevant circumstances.
However, although the legal framework exists, there have been no prosecutions. The relevant sections of the Police, the Crime Prevention Bureau and Commercial Crime Bureau are concerned, but detailed studies of virus prevalence and damage have not been undertaken.
The Future
Articles about Hong Kong are incomplete without some mention of 1997 and the handback of the Territory to China, but in the area of viruses, it seems to have little relevance. The locally written viruses do not appear to have a political message and the legal structure will remain the same under the "one country, two systems" policy.
Far more important will be the ongoing rapid economic growth throughout the region, with an associated explosion in all types of communication. Great efforts in user education will be required to prevent a commensurate increase in virus problems.