Lumension® Endpoint Intelligence Center



Threat Risk: LOW
Destructivity: LOW
Detection files published
Description created: 14 Nov 2001 03:00:00
Description updated: 20 Nov 2001 04:05:00
Malware type: VIRUS
Spreading mechanism: FILE_INFECTION
Summary: None



Before infecting a document, the virus deletes all macros in NORMAL.DOT and other templates.

The macro virus CAP consists of ten different macros. These are stored encrypted in the infected documents. The virus is activated when Auto and System macros are used. These macros are:

AutoExec, AutoOpen, FileSave, FileSaveAs, FileTemplates, ToolsMacro, FileClose, FileOpen, AutoClose.

The macro virus also has a "stealth" function which hides/disables some menu choices when the global template NORMAL.DOT is infected:

Tools|Macro is removed from the menu choices
Tools|Customize is removed from the menu choices

File|Templates is disabled. Nothing happens when this is selected from the menu.

The menu choices are restored when NORMAL.DOT is cleaned or restored. (To restore NORMAL.DOT, delete it and restart Word. Word will then create a new NORMAL.DOT. You may also restore a clean NORMAL.DOT from a backup copy if you have one.)

WM/CAP inserts this text in the macro code:

C.A.P: Un virus social.. y ahora digital. ‘j4cKy Qw3rTy’ ( Venezuela, Maracay, Dic 1996. P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa!

One result of an infection by the CAP virus is that documents are stored internally as DOT files, whatever format you choose to save them in. Example: if you save a document as an RTF file, the document's extension is RTF, but it is stored internally as a DOT file and still contains the virus. (RTF files normally cannot be infected by macro viruses.)
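A defender-side check for the behaviour described above, where a file with an RTF extension is really a Word template internally. This is an added example, not code from the original page; it assumes the internal format is an OLE2 compound file (the binary Word container) and uses well-known file signatures, and the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Well-known file signatures (assumption: not taken from the page).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file (binary Word doc/template)
RTF_MAGIC = b"{\\rtf"                            # genuine RTF begins with this control word


def sniff_format(path):
    """Return 'ole2', 'rtf' or 'unknown' based on the file's leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def find_disguised_word_files(root):
    """List .rtf files under root whose content is a binary Word container."""
    # Such files can still carry macros, so scan them as Word documents.
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".rtf") and sniff_format(path) == "ole2":
                hits.append(path)
    return sorted(hits)


def build_constructed_samples(root):
    """Write constructed sample files (harmless stubs, not real documents)."""
    samples = {
        "real.rtf": b"{\\rtf1\\ansi Hello}",
        "disguised.rtf": OLE2_MAGIC + b"\x00" * 504,
        "report.doc": OLE2_MAGIC + b"\x00" * 504,
        "notes.rtf": b"plain text saved with the wrong extension",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        for hit in find_disguised_word_files(tmp):
            print("extension/content mismatch:", os.path.basename(hit))
```

A hit only means the extension and the container disagree; the file still needs a macro-aware scan to confirm or rule out infection.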

Payload Details






Last Updated: 12 Nov 2015 11:06:15