WM/CAP
| WM/CAP |
Destructivity:  Spreading:  Overall risk:
|
| • Detected by virus detection files published: 11/15/2001 | • Type: Virus |
| • Virus characteristics first published: 11/15/2001 | • Spreading mechanism: File Infection |
| • Virus characteristics latest update: 12/17/2003 | • Overall risk: Low |
| • Infection type: Microsoft Word 6.x/7.x/95 |
| Virus type |
Spreading mechanism |
Destructivity and payload |
Additional descriptions |
Detection and removal |
||||||||||
|
Before infecting a document the virus will delete all macros in NORMAL.DOT and other templates. The macro virus CAP consists of ten different macros. These are stored encrypted in the infected documents. The virus is activated when Auto and System macros are used. These macros are:
The macro virus also has a "stealth" function which hides/disables some menu choices when the global template NORMAL.DOT is infected: Tools|Macro is removed from the menu choices Tools|Customize is removed from the menu choices File|Templates is disabled. Nothing happens when this is selected from the menu. The menu choices will be restored when NORMAL.DOT is cleaned or restored. (To restore NORMAL.DOT, delete it and restart Word. Word will then create a new NORMAL.DOT. You may also get a clean NORMAL.DOT from a backup copy if you have such.) WM/CAP inserts this text in the macro code:: C.A.P: Un virus social.. y ahora digital. j4cKy Qw3rTy (jqw3rty@hotmail.com). Venezuela, Maracay, Dic 1996. P.D. Que haces One of the results of an infection by the CAP virus is that documents are stored internally as DOT files, whatever you choose to store them as. Example: If you store a document as a RTF file, the document's extensions is RTF, but it will be stored internally as a DOT file and will still have the virus (RTF files can normally not be infected by macro virus.). |
||||||||||||||