
Computer Virus Created in Nepal 18 Years Ago Spread Fear at Home and Abroad

Techpana

Kartik 10, 2082, 17:3


Kathmandu: The ‘Sujin virus’ holds a unique place in Nepal’s cyber history. Although its real name is ‘Worm.VBS.Small.n’, it is more widely known as the ‘sujin.com.np virus’ or ‘Sujin virus’ because it used the domain sujin.com.np to show its effect.

This virus spread panic across various offices and computer labs, from cyber cafés that charged for internet use to shops selling storage devices. The incident became an important lesson for Nepali users about cybersecurity, system configuration, and how viruses spread through removable devices like pen drives. Starting from Kathmandu and reaching the heights of the Himalayas, the virus even drew international attention.

In 2007, Alexander Gostev, a senior virus analyst at the antivirus company Kaspersky Lab (now the company’s Chief Technology Expert), visited Nepal. During his trip, he bought a compact flash memory card for his camera from a photography shop in Thamel.

After a three-week trek in the Himalayas, he returned to Moscow, Russia, and tried to transfer the photos from his camera to his computer. At that time, he found two hidden files inside the card, ‘autorun.inf’ and ‘VirusRemoval.vbs’. These confirmed that the Kingston memory card was infected with ‘Worm.VBS.Small.n’.

When Gostev analyzed the virus code, he discovered that it redirected the Internet Explorer homepage to sujin.com.np. The ‘.np’ domain confirmed its origin in Nepal.

Gostev suspected that the virus was not present during production but was transmitted after the card was imported into Nepal. He wrote in his blog, “It is unlikely that Kingston itself was involved. The virus may have infected the card after it was imported to Nepal, possibly from the shop where I bought it. Or the card may be a fake, manufactured in a factory in Nepal.”

The virus was written in VBScript, a client-side scripting language developed by Microsoft. It could modify a computer’s registry configuration.

It spread quickly through removable devices such as pen drives and memory cards. Once these infected devices were connected to a computer, the ‘autorun.inf’ file would automatically execute a virus script called ‘VirusRemoval.vbs’.

After entering a computer, the virus hid a copy of itself in the system directory. It then modified the Windows registry so that the virus would activate every time the computer started.

On infected computers, sujin.com.np appeared on both the Internet Explorer homepage and the browser’s title bar.

The most frustrating aspect of this virus was that it disabled key system tools such as Task Manager, Folder Options, and Registry Editor. Since these essential tools stopped working, removing the virus became extremely difficult.

What made this virus stand out was its name and the claim made by its creator. The main file was called ‘VirusRemoval.vbs,’ meaning ‘virus removal script.’ It was created by a person named Sujin Joshi. His email and website address were included in the code.

Joshi presented his script as a “virus removal program.” He claimed it would fix system issues and even protect computers from future viruses. However, in reality, it caused major headaches for users. Many accused Joshi of using the script to gain attention by disabling system tools like Task Manager and Registry Editor and forcibly displaying his website name on browsers. Joshi later released a small program to remove the virus.

It remains unclear who Sujin Joshi was. “He was probably someone with good computer knowledge and may have worked for a well-known company,” said cybersecurity researcher Narayan Koirala. “There were other viruses at that time, but this one received the most attention.”

Frustrated users tried various ways to remove the virus. A Nepali user named ‘gsoul2soul’ posted about his issue on the Digit Forum on October 19, 2007, writing: “Somehow, a small ‘virus, or bug, or a script written by some overly knowledgeable programmer’ got into my computer. When I open Internet Explorer, it redirects to another website. The same unwanted name appears in the IE title bar. I tried changing the homepage and removing the title bar name, but as soon as I reopened the browser, BOOM! The same problem happens again. When I end the process called ‘wscript.exe’ in Task Manager, it stops. Why is this? What is it? And how can I fix it?”

Other users replied with possible fixes. To remove it manually, one had to first close the ‘wscript.exe’ process, then delete hidden virus files from all drives and system directories. The most difficult part was reversing the registry changes made by the virus, especially reactivating Task Manager and Folder Options.
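The traces described above (an autorun.inf that launches a script, the disabled system tools, the changed Internet Explorer homepage and title bar, and the startup entry) can be checked for mechanically. The following Python is an added example, not code from the worm, Kaspersky or this article; the registry value names are the standard Windows policy values and are an assumption, since the article does not list the exact values, and the sample inputs are constructed.

```python
import re

# Script hosts and script extensions that a legitimate autorun.inf rarely launches.
SCRIPT_RE = re.compile(r"\b(wscript|cscript)(\.exe)?\b|\.(vbs|vbe|js|jse|wsf)\b", re.I)

def autorun_launchers(text):
    """Return (key, command) pairs under [autorun] that start a script; junk lines are skipped."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, cmd = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if (key in ("open", "shellexecute") or key.endswith("\\command")) and SCRIPT_RE.search(cmd):
                hits.append((key, cmd))
    return hits

# Standard policy values for the three tools (assumed; the article names no values).
POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies"
LOCKOUTS = {
    (POLICY + r"\System", "DisableTaskMgr"): "Task Manager disabled",
    (POLICY + r"\System", "DisableRegistryTools"): "Registry Editor disabled",
    (POLICY + r"\Explorer", "NoFolderOptions"): "Folder Options hidden",
}
IE_MAIN = r"Software\Microsoft\Internet Explorer\Main"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def registry_findings(snapshot, domain="sujin.com.np"):
    """snapshot maps (key path, value name) -> data, e.g. parsed from a .reg export."""
    out = [msg for kv, msg in LOCKOUTS.items() if snapshot.get(kv) == 1]
    for (key, name), data in snapshot.items():
        if key == IE_MAIN and name in ("Start Page", "Window Title") and domain in str(data).lower():
            out.append(f"IE {name} points at {domain}")
        if key == RUN_KEY and SCRIPT_RE.search(str(data)):
            out.append(f"Run entry {name!r} starts a script: {data}")
    return out

# Constructed samples, not recovered from the real worm.
SAMPLE_INF = "xq9;junk\n[AutoRun]\n; comment\nOpen = wscript.exe VirusRemoval.vbs\nshell\\open\\Command=wscript.exe VirusRemoval.vbs\nicon=drive.ico\n"
SAMPLE_REG = {
    (POLICY + r"\System", "DisableTaskMgr"): 1,
    (POLICY + r"\Explorer", "NoFolderOptions"): 1,
    (IE_MAIN, "Start Page"): "http://sujin.com.np",
    (RUN_KEY, "Updater"): r"wscript.exe C:\WINDOWS\system32\copy.vbs",
}
if __name__ == "__main__":
    print(*autorun_launchers(SAMPLE_INF), *registry_findings(SAMPLE_REG), sep="\n")
```

On a live system the snapshot would be filled from a per-user registry export; disabling AutoRun for removable media prevents the first stage from running at all.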

Since this process was complicated, WorldLink later released special software to remove the virus, giving huge relief to affected users.

The most fascinating part of this story is the virus’s journey to great heights. Gostev unknowingly took the infected memory card with him to the Himalayas. According to his claim, this ‘Nepali virus’ reached an altitude of 6,198 meters, making it, in his words, “worthy of the Guinness Book of Records as the highest-altitude computer virus.”

Thus, a locally made script unintentionally became an international sensation and earned its place in Nepal’s IT history. Kaspersky added the ability to detect this virus on November 14, 2007, and documented the incident in detail.

That’s why cybersecurity analyst Vijay Limbu considers it Nepal’s first malware case. “This is one of the first officially registered malware incidents linked to Nepal,” Limbu wrote in a blog, “as evidenced by security company analysis and the fact that users suffered losses in 2007. Therefore, this claim is credible and source-based.”

According to Limbu, the Sujin virus was not particularly complex but very effective. It simply changed the browser’s homepage to a single website, but this small virus taught users across Nepal a big lesson: how to use pen drives safely, why not to grant unnecessary permissions, and how vital it is to stay informed about local cyber threats.

“Even today,” Limbu writes, “these basic lessons help prevent most computer problems.”

 

Last updated: Kartik 10, 2082, 17:3