WM.CAP virus description
Jacky Qwerty/29A

This article gives a full description of the WordMacro CAP virus. It can be seen as a "real" example for the different techniqz described in the past article named "Macro virus trickz". Check out as well the virus source code, also published in this isue.

Index

    1. Introduction
       1.1. Macro virus hype
    2. WM.CAP: a complex word macro virus?
    3. In the Newz
       3.1. Dr.Solomon speaks
       3.2. Sophos speaks
       3.3. McAfee speaks
       3.4. F-Potatoe speaks
       3.5. Norton speaks
       3.6. AVP speaks
       3.7. Quarterdeck speaks
    4. Functional Description
       4.1. Removal of macroz
            4.1.1. Concept vs. Wazzu
            4.1.2. CAP vs. Concept
       4.2. Global template infection
            4.2.1. Searchin for localized macroz
            4.2.2. Incremental generation count
            4.2.3. Removal of menu itemz - stealth
       4.3. Document, template and RTF infection
       4.4. Disablin of AutoMacroz
       4.5. The "SaveAs" problem solved
    5. Shortcutz
    6. Disclaimer

1. Introduction

Factz prove for themselvez. Macro virii have become one of the most comon typez of computer virus. While the latter sounds like a press release, we cant deny that unfortunately it is becomin true. "Unfortunately" becoz, as u will see later, macro virii, unlike other typez of computer virii, are not really very dificult to write; in fact most of them have been coded in a very simple way, followin a straightforward programin aproach. While there could be some few exceptionz to the rule, macro virii in general dont prove to deserve the kind of atention that other more interestin typez of computer virii mite do, regardin innovative infection techniqz, new wayz of residency, improved methodz for trapin file activity and the complexity of the virus code itself. Featurez which are very dependent, to a great extent, on the skillz of the VXer himself.

1.1. Macro virus hype

But leavin aside that astonishin publicity surroundin macro virii and now followin a much more objective aproach: what lies behind the creation of a macro virus? Is it really hard to write such virusez? Why so much hype bout Concept? Well, not really. Much of that fuzz was nonsense, another press release biten and exagerated by the obfuscating media. I remember at the time Concept was big newz, AVerz started to say repeatedly again and again that such macro virii were fairly easy to write and that they could be more infectious and comon than any other virus type. Yea AVerz, strangely tho, said the mean and lean truth. So now they come, shoot our mindz and then wash their handz pretendin they have nothin to do with the macro virus hype. After all, we are the "kidz" so we are the guilty onez, we are the bad guyz and they are of course the heroez of the movie. Same old story.

2. WM.CAP: a complex macro virus?

CAP was a macro virus i wrote durin a bored December weekend after endin classes for the quarter and startin my xmas vacationz. It was also my first and last macro virus, until i lost all of my interest in this stuff and focused my atention on other much more interestin virus related topicz :) It began as a curiosity of mine when tryin to understand for myself how these virusez worked and how much they could spread for themselvez. The CAP virus made its way into the wild the same way most other virusez do. It was writen on a simple 386 machine runin Windoze 3.1, it was tested in both english and spanish versionz of Word 6, and was finaly released and spread as with any other macro virus. Yea, it has some pretty kewl featurez but they are far from bein extraordinary or complex as some AVerz put it, especialy an AVer named Mikko Hypponen from Datafellowz (F-Potatoe), a very nice dude, author of F-Potatoe buletinz, who btw behaved very kind in his last isue when he encouraged people to send their "opinion on virus writin" to my Hotmail mailbox. I wont forget that one, Miko, very nice from u, pal. However it was also the first time i thanked the phuckin mother who hacked my Hotmail acount, hrmph @&%#..

3. In the newz

Shortly after CAP was released, there apeared a seriez of increasin reportz posted on several newsgroupz, especially on alt.comp.virus. Userz were suspectin a new macro virus removin the Toolz/Macro and Toolz/Customize menu itemz from their Word enviroment. A couple of monthz later, CAP was bein reported in diferent regionz worldwide. Was CAP just another lucky virus or was there somethin more behind it? Well, just keep readin if u want to know the mean and lean truth. #8)

But before this lets listen to what AVerz have to say about CAP, that mite help us understand some more about CAP's functionin, mmm.. well, just a bit coz u know how some AVerz are regardin their virus descriptionz. They feed on hype describin how good their AV programz detect virusez, instead of describin how the virusez really work and how some of them are able to defeat and nulify their stuff. Most of the AV programz agree they can safely remove all (removable) virusez they detect. Factz prove this is not true. None of the macro AV programz, except perhaps new versionz of F-MacroW, have been able to remove properly all of the CAP spontaneously generated variantz. And as u'll see later in this article, this behavior could have been made much more complex on purpose.

3.1. Dr.Solomon speaks

(*) Dr.Solomon - http://www.drsolomon.com/vircen/valerts/wmcap.html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
WM/CAP

This macro virus appeared first in February 1997 and has quickly become widespread. The basic virus consists of one large macro called CAP (hence the name) which is called from the virus' other macros - AutoExec, AutoOpen, FileSave, FileSaveAs, FileTemplates, ToolsMacro, FileClose, FileOpen and AutoClose.

When the virus replicates, the first thing it does is to copy the basic set of 10 macros. The virus then browses the WinWord menu items, collects their names, (they could be different in different language versions, or customized versions of WinWord), and intercepts up to 5 of these additional macros - placing a pointer to the main CAP macro inside them. If there are any system macros defined in a global template before the infection - they are deleted. The virus also removes the menu items Tools/Macro and Tools/Customize. The File/Templates menu item is present after infection but it does not work.

In essence, then, the virus consists of 10 basic English macros and up to 5 additional macros taken from the menus if they are not standard for the English language version of WinWord.

The virus uses information from the macro description field, (at the bottom of Tools/Macro box), for self recognition of its core macros. These have "F%" at the beginning of a description (FileOpen has F%O, FileClose - F%C, FileSave - F%S and FileSaveAs - F%SA).

The virus has no damaging payload except that it removes system macros defined in the global template.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

3.2. Sophos speaks

(*) Sophos - http://www.sophos.com/virusinfo/analyses/winwordcap.html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Virus analyses
Winword/CAP

Virus Name: Winword/CAP.
Aliases: None known.
Type: MS Word document infector.
Resident: Yes, within Word environment.
Stealth: Yes. Empty macros are used to prevent Word showing menu items. For example, the ToolsMacro (or ExtrasMakro under German Word) is empty, which prevents the use of the ToolsMacro to see whether or not there are macros present. The virus also removes the menu item itself so that it does not even appear in the list of available choices.
Trigger: None.
Payload: None.
Comments: The Winword/CAP virus installs the following macros: FileTemplates, ToolsMacro, FileSaveAs, FileClose, AutoClose, FileSave, FileOpen, AutoOpen, AutoExec and CAP. In addition, the virus will find the current local language version of the macros and will install these as well as the English ones. For example, if the virus infects a German version of Word, it will also install macros named DateiOffnen, DateiSpeichern, DateiSpeichernUnter, DateiSchliebenOderAllesSchlieben. With the exception of the CAP macro itself, all the macros are very short stubs which either call subroutines within CAP or do nothing at all.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

3.3. McAfee speaks

(*) McAfee - http://www.mcafee.com/support/techdocs/vinfo/vm007.asp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
CAP.A

Virus Characteristics

This virus propagates by infecting Word Documents in Microsoft WORD Versions 6.x / 7.x on Windows and Macintosh platforms. The virus consists of these macros: CAP, AUTOEXEC, AUTOOPEN, AUTOCLOSE, FILETEMPLATES, FILESAVE, FILESAVEAS, TOOLSMACRO, FILEOPEN, FILECLOSE in an infected document. In localized language versions of MS Word some macros are copied to the specific SystemMacro name. The virus becomes active by using Auto- and SystemMacros. All macros are encrypted using the standard Word execute-only feature. Meaning that the user is unable to edit or view the macro code.

Indications of Infection

Before infection it will delete all existing macros in NORMAL.DOT or other templates. On an infected system the virus hides the FILE|TEMPLATE and TOOLS|MACRO functionality. Warning: It is important not to use this command, as you will execute the viral code. It may also delete these menu entries plus TOOLS|CUSTOMIZE in the global environment. If you are affected by this virus please read 'Add. Information'.

Virus Information

    Discovery Date   Mar 1997
    Origin           Venezuela
    Length           Not Applicable
    Type             General Macro Virus
    Prevalence       Common
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

(*) McAfee - WHATSNEW.TXT file from McAfee's SCAN v3.0.2
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
CAP.A

The Word Macro virus, CAP.A, is spreading wildly on all corners of the globe, especially in the United States. McAfee's AVERT Team has documented cases of CAP.A found in: Brazil, Germany, Australia, Hong Kong, Argentina, Columbia, England, Sweden, Mexico, Venezuela, and Russia. CAP.A's behavior depends upon the language of Microsoft Word being used, or if the installation of Microsoft Word has been customized, making the cleaning of the virus challenging for many antivirus products.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

3.4. F-Potatoe speaks

(*) F-Potatoe (DataFellows) - http://www.datafellows.fi/v-descs/cap.htm
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Computer Virus Information Pages

NAME: CAP
ALIAS: WordMacro/CAP, CUP
ORIGIN: Venezuela

For more information on macro viruses, see WordMacro/Concept.

CAP is a complex Word macro virus. It consists of several encrypted macros: CAP, AutoExec, AutoOpen, FileSave, FileSaveAs, FileTemplates, ToolsMacro, FileClose, FileOpen and AutoClose.

The virus contains these texts in comments:

    'C.A.P: Un virus social.. y ahora digital..
    '"j4cKy Qw3rTy" (jqw3rty@hotmail.com).
    'Venezuela, Maracay, Dic 1996.
    'P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !

When infecting Word, CAP modifies up to five already-existing menus, redirecting them to the virus code. This creates some problems, as the names of the modified entries are different in different Word installations and different language versions of Word.

When CAP infects documents, it deletes all existing macros from them. Otherwise CAP does not do anything destructive. However, it does remove the Tools/Macro and Tools/Customize menus and disables File/Templates menu in order to protect itself.

WordMacro/CAP.A was reported in the wild in several countries in 1997. It's probably related to the WordMacro/Rapi virus.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

3.5. Norton speaks

(*) Norton AV - http://www.symantec.com/avcenter/data/wm.cap.a.html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
WM.CAP.A

Aliases: WordMacro/CAP.A
Infection Length: 10 macros
Area of Infection: Microsoft Word documents
Likelihood: Common
Region Reported: Worldwide
Characteristics: Wild, macro, Stealth
Target Platform: Macro
Trigger Date: None

Description:

WM.CAP.A is a virus that consists of 10 macros.

    Macro Name      Description
    CAP             Infection Routine
    AUTOEXEC        Calls the CAP macro
    AUTOOPEN        Calls the CAP macro
    FILEOPEN        Calls the CAP macro
    FILESAVEAS      Calls the CAP macro
    AUTOCLOSE       Calls the CAP macro
    FILECLOSE       Calls the CAP macro
    FILESSAVEAS     Calls the CAP macro
    TOOLSMACRO      Used for the Stealth Routine
    FILETEMPLATES   Used for the Stealth Routine

All the macros are stored in encrypted form in the infected documents. Also WM.CAP.A has a stealth feature which hides the [macro...] menu item from the [Tools] menu and the [Templates...] menu item from the [File] menu when the NORMAL.DOT (Global template) file is infected. This will prevent the user from checking the list of macros which is contained in the document or template and hides the macros. Once the NORMAL.DOT file is disinfected, the [macro...] menu and [Templates...] menu item are restored. WM.CAP.A has no intentional Trigger or Payload.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

3.6. AVP speaks

(*) AVP - http://www.avp.ch/avpve/macro/word/cap.stm
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
This is an encrypted stealth macro virus. It contains ten macros:

    CAP            - infection routine
    AutoExec       - calls the infection routine
    AutoOpen       - // -
    FileOpen       - // -
    FileSave       - // -
    AutoClose      - // -
    FileClose      - // -
    FileSaveAs     - // -
    ToolsMacro     - hides all macros ("stealth" routine)
    FileTemplates  - // -

The virus not only disables ToolsMacro and FileTemplates menus, but also deletes the references to them in main menus File and Tools. The virus also disables auto-macros. As a result it is not possible to disinfect this virus by using Word functions - it is not possible to delete virus macros, create new or run existing virus removing macros.

The virus emulates "FileSaveAs" while saving infected documents - it writes an empty document to disk.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

3.7. Quarterdeck speaks

(*) Quarterdeck - http://www.quarterdeck.com/quarc/00011/00011128.htm
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
WM/Cap.A

Summary: WM/Cap.A infects Microsoft Word for Windows documents and templates. It contains 10 macros: CAP, AutoExec, AutoOpen, FileOpen, FileSave, AutoClose, FileClose, FileSaveAs, ToolsMacro, FileTemplates -- about 214 lines and 3926 characters of macro code after analysis standardizes the formatting within the virus.

Author: Unknown

Date of Origin: Prior to January 1996

Prevalence: Prevalent in Belgium, Canada, Czech Republic, Denmark, Finland, Hong Kong, Luxemburg, New Zealand, Norway, Peru, South Africa, Sweden, U.K., U.S.A. and elsewhere as of July, 1997.

Variants: At least 18 variants as of June 30, 1997: A, B, C, D, E, F, J, L, N, O, P, Q, R, S, T, U, V, W

Macro Functions:

    CAP: This macro contains an infection routine which appears to work in all language versions. Includes code to trap any errors and ignore them, to help avoid detection. Modifies user settings for saving documents. Options are set to fast saves, allow automatic saving, save changes in global template without asking, 10 minutes between automatic saves. Removes menu options from Word's menus. The global template (usually Normal.dot) will need to be deleted in order to restore Word's normal menus. Disables AutoOpen, AutoClose, AutoNew, and AutoExit macros, disabling many other macro viruses, as well as any macro-based anti-virus protection.
    AutoExec: Calls infection routine (CAP). Includes code to trap any errors and ignore them, to help avoid detection.
    AutoOpen: Calls infection routine (CAP). Includes code to trap any errors and ignore them, to help avoid detection.
    FileOpen: Calls infection routine (CAP). Includes code to trap any errors and ignore them, to help avoid detection.
    FileSave: Calls infection routine (CAP). Includes code to trap any errors and ignore them, to help avoid detection.
    AutoClose: Calls infection routine (CAP). Includes code to trap any errors and ignore them, to help avoid detection.
    FileClose: Calls infection routine (CAP). Includes code to trap any errors and ignore them, to help avoid detection.
    FileSaveAs: Calls infection routine (CAP). Includes code to trap any errors and ignore them, to help avoid detection.
    ToolsMacro: Hides the [Macro...] menu option normally on the [Tools] menu when an infected file is loaded, preventing a user from using this menu option to see the macros of the virus.
    FileTemplates: Hides the [Templates...] menu option normally on the [File] menu when an infected file is loaded, preventing a user from using the [Organizer] option on this menu to see the macros of the virus.

Stealth Mechanisms: Hides the [Macro...] menu option normally on the [Tools] menu when an infected file is loaded, preventing a user from using this menu option to see the macros of the virus. Hides the [Templates...] menu option normally on the [File] menu when an infected file is loaded, preventing a user from using the [Organizer] option on this menu to see the macros of the virus. High stealth.

Comments: This sample of WM/Cap.A contains the following comments: (...) These comments are ignored by Word when the macros in WM/Cap.A run, and are not displayed. Comments in macro viruses sometimes suggest date or place of origin, authorship or purpose of the virus.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

4. Functional description

While the description from Dr.Soly is the most accurate of the above, it still doesnt explain some especific detailz. Some descriptionz are, well.. full hype, some are just promotin how excelent their AV program is and some just dunno what they say. However no matter how good or bad any description is, they have somethin in comon: all of them invariably try to hide the true reason why CAP has become so comon. I'll try to remedy that here by writin my own description now.

4.1. Removal of macroz

Whenever an infected document is opened, or a clean or infected Word enviroment is started, the virus first checks its own set of 10 basic macroz in the infected document bein opened. All CAP macroz share a common pattern ("F%") stored in the macro description field. If this pattern is not found in a macro, CAP deletes that macro. This process is then repeated for the global template (NORMAL.DOT). This means that all of the foreign macroz stored in the infected document and in the global template previous to infection are removed. This includes any protection AV tool or any other macro virus.

4.1.1. Concept vs Wazzu

This prior scenario has a strong implication regardin CAP survival. Supose a given company is bein strongly infected by Concept or any other macro virus. Now supose another macro virus, say Wazzu, enters the company circulation. Now these two virusez will be fightin each other for survival. There cant be two "AutoOpen" macroz for obvious reasonz, as there cant be any other macro repeated twice. The final result could be a new "Concept-Wazzu" variant consistin of snatched macroz from each virus, or simply the same two diferent virusez collidin with each other all the time. But what if the second virus enterin the company is the CAP virus?

4.1.2. Concept vs CAP

Well, thingz will be a bit diferent this time. The CAP virus will spread by itself to other documentz as with any other macro virus, but it wont spend its time collidin with Concept; instead CAP will just remove each instance of Concept from the infected documentz and replace it with its own copy. If CAP keeps spreadin this way from documentz, it doesnt take much time to figure out the final resultz. In a matter of dayz, CAP will clearly "outnumber" Concept, until the latter almost disapears from the company. This means that CAP can be considered an eficient antivirus for macro virusez, coz the macro cleanin capabilitiez travel and spread inside the virus itself. The slogan here is: "Use CAP as your favourite AV program". At this point i can hear Bontchy mentionin my genealogic tree from top to bottom ($@%#..) X-DD

When CAP finishes the macro checkin, it has a count for the number of genuine CAP macroz in the global template and another such count for the infected document. If the number of CAP macroz in the global template is less than or equal to 10 (the number of english basic macroz) then the infection (or re-infection) of the global template takes place.

4.2. Global template infection

The infection of the Global template allows the macro virus to be loaded resident inside the Word aplication everytime the latter starts. Before infectin the Global template, CAP uses the comon trick of turnin off the Global template prompt warnin shown when it is about to be saved on disk. Besides this, CAP also turns on FastSavin and AutoSavin, setin the AutoSave interval to 10 minutez. Then the copy of macroz takes place. In the particular case of CAP, the virus infects the Global template by first copyin just the basic set of 10 english macroz from the infected document. If CAP had copied all of the macroz contained in the infected document besides the english onez, the resultz would have been a real nightmare for AV developerz. There would have been a mix of diferent localized language macro namez inside CAP. The very first unedited and unreleased versionz of CAP worked this way but i decided to strip this feature off for technical reasonz that i will explain later.

Continuin with the above hypothetical example, supose that a document was infected by CAP in an english version of Word. Now supose this document somehow travels and infects an italian version of Word. Now the virus would contain 15 macroz (10 english onez plus 5 italian onez). If the document now infects a german version of Word, there would be 20 macroz (10 english onez, 5 italian onez and 5 german onez). If the virus keeps spreadin this way thru other diferent localized versionz of Word, the number of macroz could easily reach 50 for a given document havin traveled all over the world and havin infected more than 8 diferent localized versionz of Word. Fortunately the only CAP version bein released doesnt work that way. Otherwise it would have been a big kick in the AVerz's assez. #8P

4.2.1. Searchin localized macroz

While the latter aproach would have made sense in order to annoy AVerz, technically it would have been useless and worthless in the particular case of the Global template infection. Coz after the virus has copied the basic set of 10 english macroz, the followin step is to search the menu itemz for the current localized file related macroz and copy them to the Global template. After this step, suport for the especific localized version of Word has been added without the need to copy all of the other localized macroz from the infected document. This conjunction of stepz proves to be more efective than the one discused in the hypothetical example described above. This way the maximum number of macroz in any infected document or Global template will never exceed 15.

In the past article "Macro virus trickz", point 3.1. (The "MultiLanguage suport" solution) and point 3.2 (The "MultiLanguage suport" example), the search and copy of localized file related macroz from the menu itemz is explained in full detail. This is the same aproach implemented in the CAP virus as the next chunk of code shows (S$ holds the "F%" description prefix, M$() the english macro namez, F$ the target template and K the execute-only flag; all of them are set earlier in the full source published in this isue):

    A$ = MenuText$(0, 1)                       ' the "File" menu, documentz opened
    For I = CountMacros(1) To 1 Step - 1       ' walk the macroz of the infected document
        J = 0
        B$ = MacroName$(I, 1)
        Select Case MacroDesc$(B$)             ' map the description tag to a "File" menu position
            Case S$ + "O"
                J = 2                          ' Open
            Case S$ + "C"
                J = 3                          ' Close
            Case S$ + "S"
                J = 5                          ' Save
            Case S$ + "SA"
                J = 6                          ' Save As
        End Select
        If J Then
            C$ = MenuItemMacro$(A$, 0, J)      ' localized macro name behind that menu item
            If Left$(UCase$(C$), Len(M$(J))) <> UCase$(M$(J)) And Left$(C$, 1) <> "(" Then MacroCopy F$ + ":" + B$, C$, K
        End If
    Next

4.2.2. Incremental generation count

One feature that has not been mentioned before is the fact that CAP contains a "generation count". This count, unlike other previous macro virusez implementin generation countz, is stored in one of the viral macroz inside all CAP infected documentz, especificaly in the macro description field of the "ToolsMacro" macro. This generation count can be seen in two diferent wayz. Usin a hex editor to dump the contentz of an infected file and lookin for somethin like "F%n" where "n" is the generation count. Or enablin the "Tools/Macro" menu item from the "Tools" menu. If this menu item gets the focus, the macro description will be shown in the bottom left corner of the aplication window, revealin somethin like "F%5" where "5", in this case, is the generation count.

It has been said that all of the CAP macroz are encrypted usin the "Execute Only" feature provided by Word. While this is certainly true for most of the CAP macroz, it is not true for the "ToolsMacro" macro. In other wordz, the "ToolsMacro" macro, which is empty, is never encrypted. U mite say this is clumsy, but it is not. The reason for this is becoz if any macro is encrypted, its macro description field cannot be modified. This wouldnt allow us to increment the generation count stored in the "ToolsMacro" macro description field. But how do we increment this generation count? The followin piece of code answers the question:

    C$ = "F%" + LTrim$(Str$(Val(Mid$(MacroDesc$("ToolsMacro"), 3)) + 1))
    ToolsMacro .Name = "ToolsMacro", .Show = 1, .Description = C$, .SetDesc

The first line simply gets the "ToolsMacro" description field usin the "MacroDesc$" function, then discards the first two characterz ("F%") usin the "Mid$" function, then converts the remainin string to an integer usin the "Val" function, then increments the result by simply addin "1", then converts it back to a string usin the "Str$" function and finally concatenates it with "F%" to obtain the final string containin the next incremented generation count embeded in it. The second line in the above piece of code simply sets the new description for the "ToolsMacro" macro, containin the new incremented generation count.

The generation count is incremented after the basic set of 10 english macroz have been copied to the Global template; as a result such count is incremented only once for each Word aplication infected with CAP. All newly created documentz, saved, closed or opened, will contain the same generation count as at the time the Global template was infected.

4.2.3. Removal of Tool itemz - stealth

Perhapz one of the most known featurez of CAP is its ability to remove some key menu itemz from the "Toolz" menu. This has been a clue for AVerz. Whenever a Word user posted a mesage sayin his Toolz/Macro and Toolz/Customize menu itemz disapeared, there also apeared some AVer sayin: "You have the CAP virus".
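The self-recognition tag from 4.1, the "F%n" generation count from 4.2.2 and the missin Toolz menu itemz from 4.2.3, turned around into a triage routine a defender would run over a macro listin taken from a suspect document. This is an added example written for this edition, not code from the article nor from the virus. MacroEntry, analyze_macros, find_generation_tags and every sample value are constructed here: the German macro namez come from the Sophos description quoted above, the "F%O/C/S/SA" descriptionz from Dr.Solomon's; that the other core macroz carry a bare "F%" description is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

# The basic set of 10 english macroz named in section 4 and in every vendor description.
CAP_CORE_MACROS = frozenset({
    "CAP", "AutoExec", "AutoOpen", "AutoClose", "FileOpen", "FileClose",
    "FileSave", "FileSaveAs", "FileTemplates", "ToolsMacro",
})
SELF_TAG = "F%"                               # self-recognition prefix in the description field (4.1)
_GEN_RE = re.compile(r"^F%(\d+)$")            # "F%n": generation count kept in ToolsMacro (4.2.2)
_GEN_BYTES_RE = re.compile(rb"F%(\d{1,4})")   # the same tag as it shows up in a raw file dump


@dataclass(frozen=True)
class MacroEntry:
    name: str
    description: str
    execute_only: bool            # True = stored encrypted ("Execute Only")


@dataclass(frozen=True)
class CapReport:
    core_missing: tuple           # core namez absent from the table
    untagged_core: tuple          # core namez present but without the F% description tag
    localized_extras: tuple       # non-english namez carryin the F% tag (the "up to 5" copies)
    generation: Optional[int]     # n from ToolsMacro's "F%n", when parseable
    toolsmacro_unencrypted: Optional[bool]
    stealth_missing: tuple        # expected Toolz menu labels that are gone

    @property
    def likely_cap(self) -> bool:
        # All ten core macroz present and every one of them carries the F% tag.
        return not self.core_missing and not self.untagged_core


def analyze_macros(macros: Iterable[MacroEntry],
                   tools_menu: Optional[Sequence[str]] = None,
                   stealth_labels: Sequence[str] = ("Macro", "Customize")) -> CapReport:
    """Score a macro table (and optionally the Toolz menu) against the CAP indicatorz."""
    table = {m.name: m for m in macros}
    names = set(table)
    tagged = {n for n, m in table.items() if m.description.startswith(SELF_TAG)}
    core_missing = tuple(sorted(CAP_CORE_MACROS - names))
    untagged_core = tuple(sorted((CAP_CORE_MACROS & names) - tagged))
    localized_extras = tuple(sorted(tagged - CAP_CORE_MACROS))

    generation = None
    tm = table.get("ToolsMacro")
    toolsmacro_unencrypted = (not tm.execute_only) if tm else None
    if tm:
        hit = _GEN_RE.match(tm.description)
        if hit:
            generation = int(hit.group(1))

    stealth_missing = ()
    if tools_menu is not None:
        # A localized Word needs its own labels here (e.g. "Makro" in German, as noted in 4.2.3).
        stealth_missing = tuple(lbl for lbl in stealth_labels
                                if not any(lbl.lower() in item.lower() for item in tools_menu))
    return CapReport(core_missing, untagged_core, localized_extras, generation,
                     toolsmacro_unencrypted, stealth_missing)


def find_generation_tags(data: bytes) -> list:
    """The hex-editor check from 4.2.2: "F%" followed by digitz in a raw dump.
    Only ToolsMacro's description carries digitz (the file macroz end in O, C, S, SA),
    so hits are generation countz; arbitrary binary can still collide, so treat as a lead."""
    return [int(m.group(1)) for m in _GEN_BYTES_RE.finditer(data)]


# Constructed sample: macro table of a document infected through a German Word.
# Not a real capture; "F%5" is the generation-count example given in 4.2.2.
SAMPLE_INFECTED = [
    MacroEntry("CAP", "F%", True),
    MacroEntry("AutoExec", "F%", True),
    MacroEntry("AutoOpen", "F%", True),
    MacroEntry("AutoClose", "F%", True),
    MacroEntry("FileOpen", "F%O", True),
    MacroEntry("FileClose", "F%C", True),
    MacroEntry("FileSave", "F%S", True),
    MacroEntry("FileSaveAs", "F%SA", True),
    MacroEntry("FileTemplates", "F%", True),
    MacroEntry("ToolsMacro", "F%5", False),      # the one macro that is never encrypted (4.2.2)
    MacroEntry("DateiOffnen", "F%O", True),      # localized copiez (namez from the Sophos text)
    MacroEntry("DateiSpeichern", "F%S", True),
]
# Constructed english Toolz menu with Macro... and Customize... already removed (4.2.3).
SAMPLE_TOOLS_MENU = ["Spelling...", "Grammar...", "Thesaurus...", "Language...",
                     "Word Count...", "AutoCorrect...", "Mail Merge...", "Options..."]
# Constructed clean table: one user macro, no F% tagz.
SAMPLE_CLEAN = [MacroEntry("AutoOpen", "Company letterhead setup", False)]
# Constructed byte dump standin in for a hex-editor view of an infected file.
SAMPLE_DUMP = b"\x00ToolsMacro\x00F%5\x00\x00FileSaveAs\x00F%SA\x00"

if __name__ == "__main__":
    print(analyze_macros(SAMPLE_INFECTED, SAMPLE_TOOLS_MENU))
    print("generation tags in dump:", find_generation_tags(SAMPLE_DUMP))
```

The report keeps the three indicatorz separate on purpose: a table with all ten tagged core macroz is the strong signal, the generation count tells u how many Word installationz the lineage went through, and the menu check only says what the user already saw. On a disinfected NORMAL.DOT the first two go away while the menu itemz stay gone, which is exactly the half-cleaned state the next paragraphz complain about.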
This feature has also proved to be very anoyin and frustratin among AVerz, as it complicates to some extent the complete and correct dis- infection of the Global "NORMAL.DOT" template, becoz userz of course, want their menu itemz back. In efect, some AV programz that are able to remove all of the CAP viral ma- croz from the Global template, would find themselvez a bit frustrated at their inability to properly fix the changez made by CAP to the Word menuz. Its pathetic readin the comon solution provided by most of these high tech AVerz in order to fix the problem. I still can hear them say: "Exit Word, delete NORMAL.DOT, Start Word, now the menu itemz are back". While this straightforward solution certainly works, it proves to be quite ineficient and exagerated as well. C'mon the fastest and most efective solution was at the "right click" of a mouse! Well, heh.. sometimez i think it is true some AVerz have 4 bugz playin cardz in their brainz :) This solution even worked on my Word 6.0 runin on Win3.1, not just Win95. Just in case u need the solution, its very simple: Right-click over some place at the toolbar, the Customize window box opens, select the "Menus" tab, push the "Reset All" buton then click OK, thats all. After these stepz the menu itemz "Toolz/Macro", "Toolz/Customize", etc, are back. However, no matter the first or second procedure is used if the user has made menu cus- tomizationz or added some butonz to his toolbar, they are lost after doin any of these stepz. There exists however a third solution not mentioned be- fore in which the user wont lose any of his customizationz except of course his own macroz (now deleted) if they existed. It consists of addin the lost menu itemz one by one usin the "Add" buton from inside the "Customize" win- dow box. Good enough, now lets continue with our stuff. 
The actual implementation of the macro code targeted to remove these menu itemz is very simple, but it certainly looks somewhat complicated and messy if u have a first look at the virus code itself: For I = 0 To 1 If I Then J = 1 Else J = 6 A$ = MenuText$(I, J) J = CountMenuItems(A$, I) - 1 For M = J To 1 Step - 1 If InStr(MenuItemMacro$(A$, I, M), "Macro") Then If I Then B$ = MenuItemMacro$(A$, I, M - 2) If UCase$(B$) <> UCase$(M$(9)) And Left$(B$, 1) <> "(" Then MacroCopy "ToolsMacro", B$, K Else M = M + 1 End If For T = M To M - 1 Step - 1 If T > 3 Then ToolsCustomizeMenus .MenuType = I, .Position = T, .Name = MenuItemMacro$(A$, I, T), .Menu = A$, .Remove, .Context = 0 Next M = 1 T = 0 End If Next Next This code starts by inspectionin each of the menu itemz from the "Toolz" menu from top to bottom, scanin each name for the word "Macro" inside them. If any of the menu itemz contains such word as part of its name, then CAP asumes it has found the position for the "Toolz/Macro" menu item inside the "Toolz" menu. If this condition is met, CAP deletes the actual menu item (Toolz/Customize). If the virus is searchin inside the "File" menu - with no documentz opened - (second step) and if the word "Macro" is found inside any of the menu itemz from such "File" menu, CAP removes the actual menu item (Toolz/Macro) and the "previous" one - not the next one - which in the case of the "File" menu (with no documentz opened), is really a "separator" itself startin with "(". If u are curious enough, u'll notice somethin in the above code not mentio- ned in the latter explanation. There is a "MacroCopy" function. This func- tion gets control when the "Filez" menu is bein scaned and the "Toolz/Ma- cro" item is found as well. Its sole purpose is to copy the "FileTemplatez" macro to the current localized macro name. If for some reason, the above stepz dont work, i.e. 
the "Toolz/Macro" menu item could not be found, for example in German versionz of Word where "Ma- cro" is spelled as "Makro", then another chunk of code is executed: A$ = MenuText$(1, 1) [...] J = CountMenuItems(A$, 1) - 1 [...] For I = 6 To J If Left$(MenuItemMacro$(A$, 1, I), 1) = "(" And Left$(MenuItemMacro$(A$, 1, I - 2), 1) = "(" Then For T = 1 To 3 Step 2 B$ = MenuItemMacro$(A$, 1, I - T) If Left$(B$, 1) <> "(" Then MacroCopy M$(T + 6), B$, K Next I = J End If Next This code actually tries to make some guessez about where the "Toolz/Macro" and "File/Templatez" menu itemz are located in the "File" menu (when no fi- lez are opened). If these checkz are passed then the "ToolsMacro" and "File Templates" macroz are copied to their respective localized macro namez. Un- fortunately after CAP was released i realized that the condition block for the "If" statement never met becoz of a certain detail i didnt realize. This is the reason why in German version of Word or in general in any other localized version where the word "macro" is not found in the menu itemz, there won't be an equivalent localized macro for "FileTemplates" nor "Tools Macro". Well what TF nobody's perfect! #8I. 4.3. Document, template and RTF infection It has been said that CAP, as with any other macro virus, infects Word do- cumentz and templatez. However what AVerz seem to have missed at all is the fact that CAP also infects documentz in RTF (Rich Text Format) layout. If AVerz argue that RTF filez cant contain macroz at all, they are certainly right. But hey, nothin stop us from convertin the RTF file into a Word tem- plate and then copy our macroz there! If so, the file will still have the RTF extension but will contain a template format inside. 
Here's the code:

    Dim D As FileSaveAs
    GetCurValues D
    If N < 10 And D.Format = 1 Or D.Format = 0 Or D.Format = 6 Then
      D.Format = 1
      For I = CountMacros(0) To 1 Step - 1
        B$ = MacroName$(I, 0)
        If B$ <> "ToolsMacro" Then K = - 1 Else K = 0
        MacroCopy B$, F$ + ":" + B$, K
      Next
      FileSaveAs D
    End If

The above code simply checks for 3 posible conditionz: if the file is a clean template, if the file is a document or if it has a RTF layout. If any of these conditionz is met, the object will become infected. The infection consists of copyin all the CAP macroz (english macroz plus localized ones if they exist) from inside the Global template to the object bein infected (DOT, DOC or RTF). Note in the "For" loop that when the macro name matches "ToolsMacro", it will be copied in unencrypted form (K=0) in order to keep the generation count alive.

4.4. Disablin of AutoMacroz

Probably u have heard about some macro virusez bein able to "enable" AutoMacroz just in case they have been turned off. A clear example is the WordMacro.Colors virus which enables AutoMacroz each time the "Tools/Macro" menu item is activated. While this could have some benefitz, it could also add some drawbackz and dangerous efectz to our macro virus. If AutoMacroz are enabled, then any AutoMacro that had been turned off in any template will be reactivated. As a result, if the global template had an "AutoOpen" macro, it will be executed each time a new document is opened. However if the document about to be opened contains another "AutoOpen" macro, perhaps bein part of the same or "another" macro virus, then this latter macro will be executed "before" the "AutoOpen" macro from inside the global template. This means that another "foreign" macro virus could be executed "first" without our knowledge!

If survival is critical for our macro virus, then its quite obvios that enablin AutoMacroz should be avoided if posible.
If another macro virus gets the control before ours, posibly by meanz of one of its AutoMacroz, then it could wipe away all of our own macroz from the global template, thus destroyin and removin our macro virus. This is unavoidable and very likely to hapen if AutoMacroz are enabled, so u better think about it the next time u enable AutoMacroz.

If our macro virus consists only of one single AutoOpen macro then disablin AutoMacroz will obviosly stop all chancez to spread our virus further, so thats perhaps a bad idea. However if our virus contains other macroz that could automaticaly be executed or activated by other user actionz such as keystrokez, file menu itemz, toolbar butonz, etc, then the "disablin" of AutoMacroz would prove to be a much more atractive and robust aproach as it will guarantee the survival of our macro virus.

4.5. The "SaveAs" problem solved

Its kind of curious that the AVP virus description was the only one mentionin something about CAP bein able to "emulate" the "SaveAs" function, however it ended up sayin the rubish inaccurate statement: "it writes an empty document to disk". While its to Kasper's credit that he noticed the "SaveAs" emulation, its unforgivable for any AVer not to know how Word templatez work. CAP, when emulatin the "SaveAs" function, doesnt write any "empty" document to disk, it rather creates a new clean document based on the active template, which is the infected document itself and as such it is not empty. Then CAP saves to disk the new document dependin on the users choice at the "SaveAs" dialog box and finally infects it. The whole purpose of all this is just to make the user happy by lettin him select the drive, file format and directory names when the "SaveAs" dialog box appears.
In the article "Macro virus tricks", point 2 (The "SaveAs" problem), point 2.1 (The "SaveAs" solution) and point 2.2 (The "SaveAs" example), it is explained in full detail how this "SaveAs" emulation can be achieved in order to solve the "SaveAs" problem.

5. Shortcutz

(*) alt.comp.virus

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

> CAP.A is a fairly new Word Macro virus. The latest version of McAfee
> should be able to clean it. If it doesn't, you might want to try
> F-Macro from http://www.datafellows.com

BTW, down here (Belgium, Luxembourg, France) and among our global customers, the CAP virus family has almost instantly become the most widespread virus we have ever met. Roughly 80% (yes eighty percent) of all our virus related tech support calls have been about that virus during the last two months.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

(*) alt.comp.virus

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

> The trick really does seem to work (which makes me suppose it's a rubbish
> virus, given that it lets itself be bypassed so easily),

Don't be fooled. For a macro virus, Macro.Word.Cap is rather complex and contains an innovative technique that allows it to bypass the barriers set up by Word's localization and thus to intercept system macros in many versions of Word that use a language other than English. From a strictly technical point of view, Cap is anything but a trivial virus. In general, Normal.dot is never write-protected, so virus writers who write macro viruses take a different approach from those who write more "traditional" viruses. It is no coincidence that Macro.Word.Cap is by now one of the most widespread viruses in Italy, if not outright the most widespread in our country.

> 2) what effects does the CAP macro virus cause (assuming that's what it was),
> besides deleting the macro and hiding some Word commands?

Nothing in particular. The virus intercepts the FileSalvaConNome system command and checks whether it is being used to write documents, templates or files in Rich Text Format (RTF). In those cases it converts the file into a template and infects it. The result is that a file saved in RTF format, which normally contains no macros, will be infected anyway, since in reality it will be saved as a template.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

(*) http://www.geocities.com/SiliconValley/Heights/3652/F.HTM

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

Virus Alerts (based on messages posted to alt.comp.virus)

08-11-97: WM/CAP is becoming the most common virus
05-12-97: Hoax virus alert posted to several newsgroups
05-08-97: WM/Helper virus will put passwords on documents
04-27-97: Word Macro NPad virus in the wild

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

(*) http://www.sophos.com/virusinfo/topten/jul97.html

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

Top ten viruses reported to Sophos last month
July 1997 virus top ten

This month  Last month  Name              Percentage of reports
    1           1       Winword/CAP           14.1%
    2           5       Form                  12.7%
    3           3       Anticmos               8.5%
    4           7       Winword/Concept        7.0%
    5           8       Excel/Laroux           5.6%
    5          15       New Zealand-i          5.6%
    5           2       Parity Boot            5.6%
    8           5       Winword/Npad           4.2%
    9           3       CMOS4                  2.8%
    9         new       Winword/Switchr        2.8%
                        Others                31.1%

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

(*) http://www.itasa.com.mx/fprot/soporte/mexvir.htm

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

The most common viruses in Mexico

VIRUS     CATEGORY      DETECTABLE  REMOVABLE  PROCEDURE
CAP.A     Macro         yes         yes        F-POTATOE 2.27+ (Windows)
15 Years  MBR           yes         yes*       Fixdisk repair
Concept   Macro         yes         yes        F-POTATOE (Windows)
Wazzu     Macro         yes         yes        F-POTATOE (Windows)
NPad      Macro         yes         yes        F-POTATOE (Windows)
Implant   MBR/com/exe   yes         yes        F-IMPLAN (see tech. note #60)
Monkey    MBR           yes         yes        F-potatoe /hard /disinf
Byway     com/exe       yes         yes**      See technical note #58
Natas     MBR/com/exe   yes         yes        F-potatoe /hard /disinf
Boot.437  Boot          yes         yes        Sys c: diskette.
Exebug    MBR           yes         yes        F-potatoe /hard /disinf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

Btw, note that Implant (original name: SuckSexee), another virus written by a 29A member (GriYo), ranks sixth as the most widespread virus in Mexico.

(*) http://www.dataalert.com/top.htm

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

Virus Top 10, Data Alert International B.V.
The most reported and most prevalent viruses in the BeNeLux.
JULY-AUGUST 1997

Rank  Virus name    Virus type
 1.   WM/Cap        Macro
 2.   XM/Laroux     Macro
 3.   Antiexe       Boot
 4.   WM/Npad       Macro
 5.   AntiCMOS.A    Boot
 6.   WM/Concept    Macro
 7.   Junkie        Multi
 8.   Ripper        Boot
 9.   NYB           Boot
10.   Parity.Boot   Boot

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

(*) http://www.virusbtn.com/Prevalence/199708.html

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

VB Prevalence Table, August 1997

Virus Name   Type   Number of incidents  Percentage
CAP          Macro         145             28.5%
Concept      Macro          51             10.0%
NPad         Macro          39              7.7%
Dodgy        Boot           26              5.1%
Parity_Boot  Boot           24              4.7%
Form         Boot           21              4.1%
AntiEXE      Boot           19              3.7%
Temple       Macro          16              3.1%
Laroux       Macro          15              3.0%
Wazzu        Macro          14              2.8%
[...]
Total:                     508            100.0%

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8

6. Disclaimer

This information is for educational purposez only. The author is not responsible for any problemz caused by the use of this information.

(c) 1997. Jacky Qwerty/29A.