Home | Site Map | Search | Contacts
About Us
Report Incidents
Incident Statistics
Security FAQS

Search NISER
  NISER > Alerts > MyCERT Advisories & Summaries > MA-006.021999: W97M/Caligula Virus

MA-006.021999: W97M/Caligula Virus
Original Issue Date: 18th February, 1999


    1.1 Overview

    W97M/Caligula is a new Word macro virus which make attempts to attack against the PGP (Pretty Good Privacy) encryption programs by trying to steal user's Secret KeyRing file, and then tries to send it via FTP to the codebreakers.org domain.

    1.2 Limitation

    1.2.1 The Caligula virus enters PCs via infected Microsoft Word Document.

    1.2.2 It will search the secret key of those using only PGP version 5.x and above.


    2.1 Installation

    The virus spreads by keeping it's code in a file called c:\io.vxd. When it infects the Word97, Caligula disables some menu items which include the FileTemplates, ToolsCustomize, ViewToolbar and ViewStatusbar menus. The ToolMacro menu will be greyed out and could not be accessed. The properties of the infected documents and templates contain alterations which includes a change of the listed author to "Opic," and of the title to "W97M/Caligula Infections". The following sample shows the summarised information of an infected document:

      Title: WM97/Caligula Infection
      Subject: A Study In Espionage Enabled Viruses
      Author: Opic
      Keywords: / Caligula / Opic / Codebreakers /
      Comments: The Best Security Is Knowing The Other
      Guy Hasn't Got Any

    In addition, the virus also sets up the computer user name in the registry to "Caligula".

    2.2 Functionality

    When a Word document is launched on the 31st day of each month, Caligula displays a Window which reads:

      WM97/Caligula (c) Opic [CodeBreakers 1998]
      No cia,
      No nsa,
      No satellite,
      Could map our veins.

    The nasty part of the virus is related to PGP. Caligula searches the user's PGP Secret Key Ring file (SECRING.SKR), which contains the user's private encryption key and tries to send it via FTP to the virus's author site (The Codebreakers-a known virus exchange site). In order to send the key, the virus creates a temporary file called c:\cdbrk.vxd. If the attacker is able to break the passphrase, then, he could open the PGP encrypted files which had been sent to this user.


    3.1 Detection

    Look out for signs as mentioned in section 2.1.

    3.2 Reaction/Removal

    Users who are using PGP version 5.x and above, is advised to create secure passphrases containing unique combination of characters which should include letters, numbers, spaces and punctuation marks.

    Furthermore, as of today, the list below are the sites that provide a solution in detecting and removing this macro virus. However, users are strongly advised to visit their respective anti-virus vendor sites from time to time for their updates.


Disclaimers and copyright information
Last Update April 19, 2001