F-Secure Virus Descriptions : Caligula
W97M/Caligula is a Word macro virus that attacks the popular PGP
(Pretty Good Privacy) encryption program.
The virus spreads by keeping its code in a file called c:\io.vxd.
The summary information of infected documents is changed to this:
Title: WM97/Caligula Infection
Subject: A Study In Espionage Enabled Viruses
Author: Opic
Keywords: / Caligula / Opic / Codebreakers /
Comments: The Best Security Is Knowing The Other Guy Hasn't Got Any
The virus hooks the Tools/Macro, Tools/Customize, View/Toolbar and
View/statusbar menus. The Tools/Macro menu is greyed out and can't
be accessed.
On the 31st of each month the virus shows a dialog with this message:
WM97/Caligula (c) Opic [CodeBreakers 1998]
No cia,
No nsa,
No satellite,
Could map our veins.
The really nasty part of the virus is related to PGP: the virus
locates the secret keyring file of PGP (SECRING.SKR) and tries to send
it with FTP to a site in the codebreakers.org domain (which is a known
virus exchange site). To send the key, the virus creates a temporary file
called c:\cdbrk.vxd.
If the attacker can break the passphrase, he can then open PGP
encrypted files sent to this user.
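A defender-side check for the indicators described above, added here as an example and not part of F-Secure's description: it compares a document's summary information against the markers listed above and looks for the two dropped files. Reading the summary stream assumes the third-party olefile package is installed; the function names and the two-field threshold are my own choices.

```python
"""Host-side check for the W97M/Caligula indicators (added example)."""
import os
from typing import Mapping

# Summary-information values the virus writes into infected documents
# (taken from the description above).
CALIGULA_SUMMARY = {
    "title": "WM97/Caligula Infection",
    "subject": "A Study In Espionage Enabled Viruses",
    "author": "Opic",
    "keywords": "/ Caligula / Opic / Codebreakers /",
}

# Files the virus drops on the system drive (from the description above).
CALIGULA_DROPPED_FILES = (r"c:\io.vxd", r"c:\cdbrk.vxd")


def _norm(value) -> str:
    """Normalise a summary field: decode bytes, collapse whitespace, lowercase."""
    if value is None:
        return ""
    if isinstance(value, bytes):
        value = value.decode("latin-1", errors="replace")
    return " ".join(str(value).split()).lower()


def matching_summary_fields(summary: Mapping[str, object]) -> list:
    """Return the summary-info fields whose values equal the Caligula markers."""
    return [f for f, marker in CALIGULA_SUMMARY.items()
            if _norm(summary.get(f)) == _norm(marker)]


def looks_like_caligula(summary: Mapping[str, object], min_fields: int = 2) -> bool:
    """Flag a document when at least `min_fields` marker fields match.
    Two fields is a deliberate threshold (my assumption): the author name alone
    could occur legitimately, but title plus author or subject would not."""
    return len(matching_summary_fields(summary)) >= min_fields


def dropped_files_present(exists=os.path.exists) -> list:
    """Return the Caligula drop-file paths that exist on this host."""
    return [p for p in CALIGULA_DROPPED_FILES if exists(p)]


def document_summary(path: str) -> dict:
    """Read the SummaryInformation stream of a Word 97 document via olefile
    (third-party package, assumed installed; imported lazily so the rest of
    this module works without it)."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        meta = ole.get_metadata()
        return {f: getattr(meta, f, None) for f in CALIGULA_SUMMARY}
    finally:
        ole.close()
```

Run `looks_like_caligula(document_summary(path))` over a document store to flag candidates, and `dropped_files_present()` on the host itself.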
This is quite serious, as passphrases are the weakest known link today
in public key cryptography such as PGP. Also, people very commonly use
passphrases that are too weak. With a copy of the keyring, massive brute-force
attacks are possible for any period of time, and the user may not
even know that a copy of the keyring has been made.
[Analysis: Katrin Tocheva, F-Secure]