Classification

Category :

Malware

Type :

Virus

Platform :

W97M

Aliases :

Caligula

Summary

W97M/Caligula is a Word macro virus that attacks the popular PGP (Pretty Good Privacy) encryption program: it steals the user's PGP secret keyring and uploads it to a remote site.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The virus stores its code in the file c:\io.vxd and uses that copy to infect other documents.

The summary information of infected documents is changed to this:

 Title:    WM97/Caligula Infection
 Subject:  A Study In Espionage Enabled Viruses
 Author:   Opic
 Keywords: / Caligula / Opic / Codebreakers /
 Comments: The Best Security Is Knowing The Other Guy Hasn't Got Any

To hide itself, the virus hooks the Tools/Macro, Tools/Customize, View/Toolbar and View/statusbar menus. The Tools/Macro menu is greyed out and cannot be accessed, so the user cannot inspect or remove the macros from within Word.

On the 31st day of any month the virus displays a dialog with this message:


 WM97/Caligula (c) Opic [CodeBreakers 1998]
 No cia,
 No nsa,
 No satellite,
 Could map our veins.

The really nasty part of the virus is its PGP payload: the virus locates the PGP secret keyring file (SECRING.SKR) and tries to upload it by FTP to a site in the codebreakers.org domain, which is a known virus exchange site. To send the keyring the virus first stages it in a temporary file called c:\cdbrk.vxd.
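The indicators the description gives (the two dropped files, the fixed summary-information strings, and an FTP upload of SECRING.SKR) can be checked on a host or in a captured FTP control session. The following is an added example, not F-Secure's code: the sample document bytes and the FTP capture are constructed here, and the byte search relies on Word 97 storing summary-information strings as 8-bit code-page text inside the OLE2 container.

```python
r"""Indicator checks for W97M/Caligula (added example, not F-Secure code).

Evidence the description gives:
  * dropped files c:\io.vxd (virus code) and c:\cdbrk.vxd (keyring staging file);
  * fixed summary-information strings written into infected documents;
  * an FTP upload (STOR) of the PGP secret keyring SECRING.SKR.
"""
import re
from pathlib import Path
from typing import Callable, List

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # Word 97 .doc compound-document header

DROPPED_FILES = (r"c:\io.vxd", r"c:\cdbrk.vxd")

# OLE property sets store summary info as 8-bit code-page strings, so a plain
# byte search finds them without parsing the compound-document structure.
SUMMARY_MARKERS = (
    b"WM97/Caligula Infection",
    b"A Study In Espionage Enabled Viruses",
    b"/ Caligula / Opic / Codebreakers /",
)

# FTP control-channel line that uploads the keyring: any path, any case, CRLF-tolerant.
KEYRING_STOR = re.compile(rb"^STOR[ \t]+(?:[^\r\n]*[\\/])?secring\.skr[ \t]*\r?$", re.I | re.M)


def is_word97_document(data: bytes) -> bool:
    return data.startswith(OLE2_MAGIC)


def caligula_markers(data: bytes) -> List[str]:
    """Summary-information markers present in a Word 97 document's raw bytes."""
    if not is_word97_document(data):
        return []
    return [m.decode() for m in SUMMARY_MARKERS if m in data]


def dropped_files_present(exists: Callable[[str], bool] = lambda p: Path(p).exists()) -> List[str]:
    """Dropped files found on this host; `exists` is injectable so the check is testable."""
    return [p for p in DROPPED_FILES if exists(p)]


def keyring_uploads(ftp_session: bytes) -> List[str]:
    """STOR commands in an FTP control-channel capture that upload SECRING.SKR."""
    return [m.group(0).decode(errors="replace").strip() for m in KEYRING_STOR.finditer(ftp_session)]


# Constructed samples (not real captures): a fake infected document consisting of
# an OLE2 header plus the summary strings, and a fake FTP control-channel session.
SAMPLE_DOC = (OLE2_MAGIC + b"\x00" * 64 + b"\x05SummaryInformation" + b"\x00" * 16
              + b"WM97/Caligula Infection\x00A Study In Espionage Enabled Viruses\x00Opic\x00"
              + b"/ Caligula / Opic / Codebreakers /\x00")
SAMPLE_FTP = (b"220 FTP server ready\r\nUSER anonymous\r\n331 Password required\r\n"
              b"PASS guest@\r\n230 Logged in\r\nTYPE I\r\n200 Type set\r\nPASV\r\n"
              b"227 Entering Passive Mode\r\nSTOR secring.skr\r\n150 Opening data connection\r\n"
              b"226 Transfer complete\r\nQUIT\r\n")

if __name__ == "__main__":
    print("document markers:", caligula_markers(SAMPLE_DOC))
    print("dropped files:", dropped_files_present())
    print("keyring uploads:", keyring_uploads(SAMPLE_FTP))
```

The FTP check only sees the command channel; the destination host has to come from the TCP connection or DNS logs, where a lookup of anything under codebreakers.org from a workstation is the corroborating signal.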

If the attacker can break the passphrase protecting the keyring, he can decrypt PGP-encrypted files sent to this user and sign messages in the user's name.

This is quite serious because the passphrase is the weakest link in public key cryptography such as PGP: the secret key itself is far too large to guess, but people very commonly choose weak passphrases. With a copy of the keyring the attacker can run an offline brute-force attack for as long as he likes, with nothing to lock him out or slow him down, and the user may never know that a copy of the keyring was taken. Changing the passphrase afterwards does not help, since the stolen copy is still protected by the old one; the key has to be revoked and a new key pair generated.
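The offline attack described above, as an added example that is not F-Secure's code. The protection layer is modeled on OpenPGP's iterated-and-salted string-to-key function (RFC 4880 section 3.7.1.3) with the SHA-1 integrity hash used for secret-key-usage 254, which is what lets each guess be confirmed locally; the block cipher is replaced by a SHA-256 counter keystream (an assumption made so the script runs on the standard library only), and the salt, iteration count, victim passphrase, secret and wordlist are all constructed. It goes beyond the page in spelling out the S2K mechanics; the point it shows is that every guess is verified at full CPU speed with nothing to lock out or alert the key's owner.

```python
"""Offline passphrase guessing against a stolen secret keyring entry (added example).

The protection modeled here: passphrase -> iterated+salted S2K -> cipher key;
the key encrypts the secret key material plus SHA-1(material), so a candidate
passphrase can be confirmed without any interaction with the victim.
CAST5/IDEA in CFB mode is replaced by a SHA-256 counter keystream (assumption).
"""
import hashlib
import struct
import time


def s2k_count(coded: int) -> int:
    """Decode the one-octet iteration count of OpenPGP S2K specifier type 3."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int, key_len: int) -> bytes:
    """SHA-1 iterated+salted S2K: hash salt||passphrase repeated until `count`
    octets have been hashed (at least one full copy), then truncate the digest."""
    block = salt + passphrase
    count = max(s2k_count(coded), len(block))
    full, rem = divmod(count, len(block))
    return hashlib.sha1(block * full + block[:rem]).digest()[:key_len]


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in for CFB encryption: XOR with SHA-256(key || block counter).
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def protect_secret_key(secret: bytes, passphrase: bytes, salt: bytes, coded: int) -> bytes:
    """Encrypt secret key material followed by its SHA-1 (s2k-usage 254 layout)."""
    key = s2k_iterated_salted(passphrase, salt, coded, 16)
    return xor_keystream(key, secret + hashlib.sha1(secret).digest())


def try_unlock(blob: bytes, passphrase: bytes, salt: bytes, coded: int):
    """Return the secret key material if `passphrase` decrypts `blob`, else None."""
    key = s2k_iterated_salted(passphrase, salt, coded, 16)
    plain = xor_keystream(key, blob)
    secret, tag = plain[:-20], plain[-20:]
    return secret if hashlib.sha1(secret).digest() == tag else None


def dictionary_attack(blob: bytes, salt: bytes, coded: int, wordlist):
    """Offline guessing loop: no server, no lockout, no notification to the owner.
    Returns (passphrase, secret, attempts) or None."""
    for attempts, guess in enumerate(wordlist, 1):
        secret = try_unlock(blob, guess, salt, coded)
        if secret is not None:
            return guess, secret, attempts
    return None


# Constructed victim keyring entry: a fixed 32-byte secret under a weak passphrase.
SALT = bytes.fromhex("a1b2c3d4e5f60718")
CODED_COUNT = 0x60                      # decodes to 65536 octets hashed per guess
VICTIM_PASSPHRASE = b"Winter1998"
VICTIM_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff"
                              "ffeeddccbbaa99887766554433221100")
STOLEN_BLOB = protect_secret_key(VICTIM_SECRET, VICTIM_PASSPHRASE, SALT, CODED_COUNT)

# Constructed wordlist standing in for a real password dictionary.
WORDLIST = [b"password", b"pgp", b"letmein", b"caligula", b"Winter1998", b"qwerty"]

if __name__ == "__main__":
    t0 = time.perf_counter()
    result = dictionary_attack(STOLEN_BLOB, SALT, CODED_COUNT, WORDLIST)
    elapsed = time.perf_counter() - t0
    if result:
        guess, secret, attempts = result
        print(f"passphrase {guess!r} recovered after {attempts} guesses "
              f"({attempts / elapsed:.0f} guesses/s); secret = {secret.hex()}")
    else:
        print("no passphrase in wordlist")
```

A larger iteration count slows every guess by the same constant factor for attacker and owner alike; it buys time against a long random passphrase but does nothing for one that is in a dictionary, which is the case the paragraph above is about.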