Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

WM/CAP

This very frequent macro virus comes probably from Venezuela. It is encrypted and uses stealth technology. The stealth presents itself mainly by “eliminating” items in the menu File/Templates, Tools/Macro and Tools/Customize. One of the unpleasant impacts of his activity is that the virus cannot be removed by means of Word any more. In addition to this it disables warning upon writing into the global template, enables high speed storing of document as well as automatic storing of document in intervals of 10 minutes. It marks its own macros by giving characters F% into the description. These characters are followed either by its own macro identifier consisting of one or two characters or by number of the virus generation in case of the main infecting macro with the name CAP. The virus simply deletes all other macros. By doing so it eliminates also rival macro viruses that might have been there before it arrived.
CAP has another interesting feature and it has spread rather extensively thanks to it: the virus is not dependent on the language mutation of the Word. It solved the problem by using names of the needed macros which it finds in the menu. Apart from the following texts in notes to the main macro the virus does not contain any destructive activity:

C.A.P: Un virus social.. y ahora digital..
"j4cKy Qw3rTy" (jqw3rty@hotmail.com).
Venezuela, Maracay, Dic 1996.
P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.