MA-006.021999: W97M/Caligula Virus
Original Issue Date: 18th February, 1999
1.0 DESCRIPTION
1.1 Overview
W97M/Caligula is a new Word macro virus that attacks users of PGP (Pretty Good Privacy) encryption software: it attempts to steal the user's PGP secret keyring file and then send it via FTP to the codebreakers.org domain.
1.2 Limitation
1.2.1 The Caligula virus enters a PC through an infected Microsoft Word document or template.
1.2.2 It searches for the secret keyring only on systems running PGP version 5.x and above.
2.0 TECHNICAL MATTERS
2.1 Installation
The virus keeps its code in a file called c:\io.vxd. When it infects Word 97, Caligula disables several menu items, including File > Templates, Tools > Customize, View > Toolbars and View > Status Bar. The Tools > Macro menu is greyed out and cannot be accessed, so the macros cannot be inspected from within Word. The properties of infected documents and templates are altered: the listed author is changed to "Opic" and the title to "WM97/Caligula Infection". The following sample shows the summary information of an infected document:
Title: WM97/Caligula Infection
Subject: A Study In Espionage Enabled Viruses
Author: Opic
Keywords: / Caligula / Opic / Codebreakers /
Comments: The Best Security Is Knowing The Other Guy Hasn't Got Any
In addition, the virus sets the Word user name stored in the registry to "Caligula".
2.2 Functionality
When a Word document is opened on the 31st day of a month, Caligula displays a window which reads:
WM97/Caligula (c) Opic [CodeBreakers 1998]
No cia,
No nsa,
No satellite,
Could map our veins.
The dangerous part of the virus concerns PGP. Caligula searches for the user's PGP secret keyring file (SECRING.SKR), which holds the user's private key, and tries to send it via FTP to the virus author's site (The Codebreakers, a known virus exchange site). To perform the upload, the virus creates a temporary file called c:\cdbrk.vxd. The private key inside the keyring is still protected by the user's passphrase, so the attacker has to break that passphrase offline; if he succeeds, he can decrypt any PGP-encrypted files or messages that were sent to this user, and can sign messages as the user.
3.0 POSSIBLE STEPS
3.1 Detection
Look out for the signs described in section 2.1 and 2.2: the files c:\io.vxd and c:\cdbrk.vxd, the disabled Word menu items, documents and templates whose title or author have been changed to the values shown above, a Word user name of "Caligula", and outbound FTP connections to the codebreakers.org domain.
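The following script is an added example for this advisory (not a MyCERT tool) that turns the host-based signs from section 2.1 into an offline triage scan: it looks for the dropped files and for Word documents or templates whose summary information carries the altered title, subject, keywords or author. It relies on the fact that Word 97 stores these properties as 8-bit code-page strings inside the OLE compound file, so a byte search is enough for triage without parsing the property set. The indicator strings are taken from the advisory; the sample directory built by build_sample_tree() and the file names in it are constructed for illustration, and the Word user name and FTP indicators are not checked because they cannot be inspected from a plain file scan.

```python
"""Offline triage scan for the W97M/Caligula indicators in section 2.1.

Added example, not part of the MyCERT advisory. The indicator strings are
copied from the advisory; everything in build_sample_tree() is constructed
demo data.
"""
import os
import tempfile

# Files the virus writes to the root of the C: drive (sections 2.1 and 2.2).
DROPPED_FILES = ("io.vxd", "cdbrk.vxd")

# Property values the virus writes into infected documents (section 2.1).
# "Opic" alone is too short to be a reliable signal, so it only counts
# once a stronger marker has already matched in the same file.
STRONG_MARKERS = (
    b"WM97/Caligula Infection",
    b"A Study In Espionage Enabled Viruses",
    b"/ Caligula / Opic / Codebreakers /",
)
WEAK_MARKERS = (b"Opic",)

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound-file header (.doc/.dot)
WORD_EXTENSIONS = (".doc", ".dot")


def scan_document(path):
    """Return the indicator strings found in one Word file, or [] if it looks clean."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(OLE_MAGIC):
        return []  # not an OLE file, so not a Word 97 document or template
    hits = [m.decode() for m in STRONG_MARKERS if m in data]
    if hits:
        hits += [m.decode() for m in WEAK_MARKERS if m in data]
    return hits


def scan_tree(root):
    """Walk root; return {'dropped': [paths], 'documents': {path: [hits]}}."""
    report = {"dropped": [], "documents": {}}
    for name in DROPPED_FILES:
        candidate = os.path.join(root, name)  # root stands in for C:\ on a live system
        if os.path.isfile(candidate):
            report["dropped"].append(candidate)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(WORD_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            hits = scan_document(path)
            if hits:
                report["documents"][path] = hits
    return report


def build_sample_tree():
    """Create a throwaway directory with constructed clean and 'infected' samples."""
    root = tempfile.mkdtemp(prefix="caligula_demo_")
    # Constructed stand-ins: a real file carries a structured property set, but
    # only the string values matter for this byte-level check.
    infected = (OLE_MAGIC + b"\x00" * 64
                + b"WM97/Caligula Infection\x00" + b"Opic\x00" + b"\x00" * 32)
    clean = OLE_MAGIC + b"\x00" * 64 + b"Quarterly report\x00" + b"J. Smith\x00"
    with open(os.path.join(root, "budget.doc"), "wb") as fh:
        fh.write(infected)
    with open(os.path.join(root, "memo.doc"), "wb") as fh:
        fh.write(clean)
    with open(os.path.join(root, "io.vxd"), "wb") as fh:
        fh.write(b"' constructed stand-in for the dropped macro code\r\n")
    return root


def demo():
    """Build the constructed sample tree and scan it."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    result = demo()
    for path in result["dropped"]:
        print("dropped file present:", path)
    for path, hits in result["documents"].items():
        print("suspect document:", path, "->", ", ".join(hits))
```

On a real machine, point scan_tree() at the drive root and at any network shares holding templates (NORMAL.DOT in particular); a match only indicates infection, and cleaning should still be left to an updated anti-virus product as section 3.2 advises.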
3.2 Reaction/Removal
Users running PGP version 5.x and above are advised to protect their private key with a strong passphrase made up of a unique combination of letters, numbers, spaces and punctuation marks, since a stolen keyring is only as safe as the passphrase it is encrypted with. Users whose keyring may already have been stolen should revoke the affected key and generate a new one.
Furthermore, as of today, the sites listed below provide solutions for detecting and removing this macro virus. However, users are strongly advised to visit their respective anti-virus vendor sites from time to time for updates.
4.0 MORE INFORMATION
Last Update April 19, 2001