National Law Database Documents Carrying Malicious Viruses?! How to Protect Yourself and What Penalties for Spreading Viruses via Games?

Recently, while searching for and downloading legal provisions from the National Laws and Regulations Database (https://flk.npc.gov.cn/), I was suddenly warned by my computer’s antivirus software.

So, are official documents carrying viruses?

After further investigation, I found another infected document:

OMacro/Thus.a ?

What kind of virus is this?

How can you protect yourself?

If your own game product ends up spreading a virus, what penalties would you face?

*This article represents only the author’s personal views and does not constitute legal advice or a legal opinion.

I. Official Website Files Infected?

Here’s a one-take demonstration:

Brave readers can also try downloading from these two links to test (at your own risk):

“Anhui Province Small and Medium Enterprises Promotion Regulations”

https://flk.npc.gov.cn/detail?id=2c90e5ba6a291d8f016b5450a87a2068&fileId=&type=&title=%E5%AE%89%E5%BE%BD%E7%9C%81%E4%B8%AD%E5%B0%8F%E4%BC%81%E4%B8%9A%E4%BF%83%E8%BF%9B%E6%9D%A1%E4%BE%8B

“Tongling City Home Care Service Promotion Regulations”

https://flk.npc.gov.cn/detail?id=2c90e5ba6a291d8f016b554f86d020d9&fileId=&type=&title=%E9%93%9C%E9%99%B5%E5%B8%82%E5%B1%85%E5%AE%B6%E5%85%BB%E8%80%81%E6%9C%8D%E5%8A%A1%E4%BF%83%E8%BF%9B%E6%9D%A1%E4%BE%8B

After downloading, the antivirus software (Huorong) immediately reported a risk, indicating the file contained a virus and had already been handled.

Trusting the official website, and to confirm whether this was a false positive, I took the risk of disabling Huorong (do not imitate), downloaded the two suspected infected documents again, and uploaded them to both domestic and international virus detection websites for multi-engine scanning. Here are the respective results:

Anhui Province Small and Medium Enterprises Promotion Regulations.docx

Tongling City Home Care Service Promotion Regulations.docx

It is essentially confirmed that this is not a false positive.

II. What Harm Does This Virus Cause?

Based on the virus names and popularity tags given by antivirus software and scanning websites, it is essentially confirmed to be the macro virus W97M/Thus.

I investigated this name further. The virus’s method of harm can be simply understood as:

When a document containing this virus is opened, the virus attempts to infect Word’s global template (NORMAL.DOT).

Once the template is infected, every newly created or opened document will have the virus macro inserted, causing the virus to spread between documents.

If on December 13 (the date may vary slightly depending on the virus variant), a user opens an infected Word document, the virus’s destructive payload is activated — it attempts to delete all files and folders from the C drive root directory.

Any version from Word 97 onward can be infected by this virus.

III. How to Prevent Macro Viruses?

This is a very old virus.

As the name suggests, the virus was written for Word 97 — from the last century — nearly 30 years ago.

Yet it is still spreading today, showing that many computers still lack adequate security measures.

While searching for information, I found that at least within Anhui Province, official computers likely still have many copies of this virus circulating. As early as 2023, netizens discovered documents downloaded from the Anhui Tax Bureau reporting this virus:

Given the virus’s considerable destructive potential, here are some measures to consider for prevention:

Install a Modern Antivirus

The simplest approach, of course, is to install a modern antivirus.

If Huorong hadn’t flagged it, I wouldn’t have discovered that official documents were carrying a virus.

Although theoretically such an old virus should be detected by any antivirus software, the scanning websites above show that some engines could not detect it (or did not consider it a threat), for example:

And, at the very least, the office worker’s computer that uploaded the legal documents, as well as the OSS provider (China Unicom Cloud) hosting files for the National Laws and Regulations Database, also failed to detect it.

Upgrade to a Newer Version of Office

Some readers may stick with older Office versions due to personal habits or computer specifications, but older versions lack certain defensive features, making them breeding grounds for viruses.

Newer versions of Office have protection features and disable unauthorized macros by default, improving security to a certain extent.

Switch to a Newer Version of WPS

Switching to WPS is not because WPS cannot be infected by viruses.

Newer versions of WPS have their macro functionality rewritten in JavaScript, while these ancient viruses are largely written in Microsoft’s VBA language.

Therefore, newer versions of WPS will not execute such macro viruses and naturally won’t trigger their harmful code.

But this only applies if you don’t purchase the Business Standard/Business Advanced edition and switch to the VB environment.

Of course, JavaScript environments have their own macro viruses too — installing WPS is not a permanent solution:

IV. What Liability Does Someone Face for Inadvertently Publishing Infected Files?

For ordinary people, inadvertently publishing infected files — for example, accidentally embedding a virus in a game that infects users’ devices — carries “appropriate liability” across civil, administrative, and criminal dimensions.

Civil Liability

The most direct is civil liability.

Even if the virus was embedded “accidentally,” under the Civil Code, tort liability still applies.

Article 1165: A person who injures the civil rights and interests of another through fault shall bear tort liability.

If a game file contains a virus that damages a user’s computer system or leaks personal data, this constitutes infringement of the user’s “property rights and interests.” The developer/producer, as the “party at fault,” must provide compensation.

Generally, the developer must compensate users for losses caused by the virus infection, such as data recovery costs, system repair expenses, and other direct losses. If the virus stole users’ virtual property (such as game equipment, accounts) or bank account information and caused losses, additional compensation may be required.

Administrative Liability

A game developer, as a “network operator,” has an obligation to ensure the safety of the products and services it provides.

Under laws and regulations such as the Cybersecurity Law, Data Security Law, and Personal Information Protection Law, game developers must fulfill relevant review and prevention obligations before releasing a game.

For example, the Cybersecurity Law:

Article 21: …Network operators shall fulfill the following security protection obligations in accordance with the requirements of the cybersecurity protection grading system to ensure that the network is free from interference, damage, or unauthorized access, and to prevent network data from being leaked, stolen, or tampered with:

…

(2) Adopt technical measures to prevent computer viruses, network attacks, network intrusions, and other acts endangering cybersecurity;

…

If failure to fulfill management obligations leads to virus spread and user infection, administrative liability naturally follows. Government regulators (such as the Cyberspace Administration, Ministry of Industry and Information Technology, public security organs, etc.) may intervene and impose penalties, generally including:

• Warning
• Order to Correct: Require immediate fixing of vulnerabilities and removal of the virus. (The game may be ordered removed from shelves until fixed.)
• Circular Criticism
• Fines: Fines on both the entity (company) and the directly responsible manager (individual).
• Suspension of Relevant Business: In serious cases, an order to suspend all game operations.
• Revocation of License: In extremely serious cases or if corrections are refused, relevant business permits or business licenses may be revoked.

As for fine amounts, refer to the following provision:

Article 59: If a network operator fails to fulfill the cybersecurity protection obligations under Articles 21 and 25 of this Law, the relevant authorities shall order correction and issue a warning; if correction is refused or consequences endangering cybersecurity result, a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed, and directly responsible managers shall be fined not less than RMB 5,000 but not more than RMB 50,000.

Criminal Liability

Except in extreme cases, if a developer “accidentally” embeds a virus and immediately, proactively, and actively notifies users, releases patches, cooperates with investigations, and compensates for losses after the incident, criminal liability is generally not pursued.

What constitutes extreme cases?

For example:

• An employee discovered a virus before release, but the boss decided to push the release anyway to meet the schedule (penalizing the company and the boss);
• An employee “deliberately” implanted a virus to retaliate against the company (penalizing the individual);
• After discovering the issue on their own, or being notified by the authorities or a third party, the developer deliberately failed to fix or delayed fixing due to schedule pressure, unwillingness to lose revenue, or even lack of technical capability (penalizing the company).

These are essentially cases of “accidental” initial conduct but “intentional” subsequent conduct.

Although the prerequisite for criminal liability is “large-scale user data leakage or significant economic losses,” China’s threshold amounts for criminal liability are generally lower than “what ordinary people imagine,” so it is advisable not to take risks.

V. Final Thoughts

I have submitted a virus notification through the official channels of the National Laws and Regulations Database, fulfilling my part of the responsibility.

I believe this was likely an unintentional mistake by a staff member.

However, whether in the gaming industry or the legal profession, it is still important to raise your security awareness and do a good job of virus prevention.

“Computer viruses” may sound like a “distant thing,” but they have always been right there beside us.

Everyone should be the “first responsible person” for their own data security.

Why not start by checking whether your own computer is infected?