NISER > Alerts > MyCERT Advisories & Summaries > MA-006.021999: W97M/Caligula Virus
MA-006.021999: W97M/Caligula Virus
Original Issue Date: 18th February, 1999
W97M/Caligula is a new Word macro virus which make attempts to attack against the PGP (Pretty Good Privacy) encryption programs by trying to steal user's Secret KeyRing file, and then tries to send it via FTP to the codebreakers.org domain.
1.2.1 The Caligula virus enters PCs via infected Microsoft Word Document.
1.2.2 It will search the secret key of those using only PGP version 5.x and above.
2.0 TECHNICAL MATTERS
The virus spreads by keeping it's code in a file called c:\io.vxd. When it infects the Word97, Caligula disables some menu items which include the FileTemplates, ToolsCustomize, ViewToolbar and ViewStatusbar menus. The ToolMacro menu will be greyed out and could not be accessed. The properties of the infected documents and templates contain alterations which includes a change of the listed author to "Opic," and of the title to "W97M/Caligula Infections". The following sample shows the summarised information of an infected document:
Title: WM97/Caligula Infection
Subject: A Study In Espionage Enabled Viruses
Keywords: / Caligula / Opic / Codebreakers /
Comments: The Best Security Is Knowing The Other
Guy Hasn't Got Any
In addition, the virus also sets up the computer user name in the registry to "Caligula".
When a Word document is launched on the 31st day of each month, Caligula displays a Window which reads:
WM97/Caligula (c) Opic [CodeBreakers 1998]
Could map our veins.
The nasty part of the virus is related to PGP. Caligula searches the user's PGP Secret Key Ring file (SECRING.SKR), which contains the user's private encryption key and tries to send it via FTP to the virus's author site (The Codebreakers-a known virus exchange site). In order to send the key, the virus creates a temporary file called c:\cdbrk.vxd. If the attacker is able to break the passphrase, then, he could open the PGP encrypted files which had been sent to this user.
3.0 POSSIBLE STEPS
Look out for signs as mentioned in section 2.1.
Users who are using PGP version 5.x and above, is advised to create secure passphrases containing unique combination of characters which should include letters, numbers, spaces and punctuation marks.
Furthermore, as of today, the list below are the sites that provide a solution in detecting and removing this macro virus. However, users are strongly advised to visit their respective anti-virus vendor sites from time to time for their updates.
4.0 MORE INFORMATION
Disclaimers and copyright information
Last Update April 19, 2001