WM/CAP is one of the most common viruses in the world.
For more information on macro viruses, see WM/Concept.
CAP is a complex Word macro virus. It consists of several encrypted
macros: CAP, AutoExec, AutoOpen, FileSave, FileSaveAs, FileTemplates,
ToolsMacro, FileClose, FileOpen and AutoClose.
The virus contains these texts in comments:
'C.A.P: Un virus social.. y ahora digital..
'"j4cKy Qw3rTy" (jqw3rty@hotmail.com).
'Venezuela, Maracay, Dic 1996.
'P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !
When infecting Word, CAP modifies up to five already-existing menus,
redirecting them to the virus code. This creates some problems, as the
names of the modified entries are different in different Word
installations and different language versions of Word.
One effect of CAP is that all documents are saved in the Word DOC
format, regardless of the format you choose. So, for example, if a
document is saved as an RTF file, the extension of the document will
become RTF, but internally the file is still a DOC and still
contains the virus. Normal RTF files do not contain macros at all and
are unable to spread macro viruses.
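
A check for the situation described above, added here as an example (it is not F-Secure's code): it finds files named .rtf whose leading bytes are the OLE2 compound-file signature that Word 6/95-era DOC files begin with, rather than the "{\rtf" header of a genuine RTF file. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# OLE2 compound-file signature (container of Word 6/95 DOC files) and RTF header
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"

def sniff_format(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"

def find_disguised_docs(root: str) -> list:
    """Return paths named .rtf whose content is really an OLE2 container."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".rtf"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    if sniff_format(f.read(16)) == "ole2":
                        hits.append(path)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return sorted(hits)

def demo() -> list:
    """Scan constructed sample files (header bytes only, not real samples)."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "genuine.rtf": b"{\\rtf1\\ansi hello}",
            "disguised.rtf": OLE2_MAGIC + b"\x00" * 504,  # DOC saved under .rtf
            "memo.doc": OLE2_MAGIC + b"\x00" * 504,       # honest extension
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return [os.path.basename(p) for p in find_disguised_docs(d)]

if __name__ == "__main__":
    print(demo())
```

A hit means the file can carry macros and should be scanned as a DOC; it does not by itself show that the file is infected.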
When CAP infects documents, it deletes all existing macros from them.
Otherwise CAP does not do anything destructive. However, it does
remove the Tools/Macro and Tools/Customize menus and disables the
File/Templates menu in order to protect itself.
F-Secure anti-virus products disinfect CAP.A. This is done by
deleting all macros in the file - there is no way to restore the
original macros which were deleted by the virus. If you had your own
macros in your NORMAL.DOT, restore a clean copy from backups.
If you have a sample which was detected by F-PROT Professional 2.26
but is not detected by 3.0, don't worry. We changed the detection to
be more exact in 3.0 - in some cases older versions detected versions
of CAP which were disinfected manually.
WM/CAP.A was reported in the wild in several countries in 1997. It's
probably related to the WM/Rapi virus.
WM is an abbreviation for WordMacro. This abbreviation is used by
Dr. Solomon's antivirus toolkit.
".dam" is an abbreviation for "damaged". This abbreviation is used by
Dr. Solomon's antivirus toolkit. Files reported to contain the
"WM/CAP.dam" virus are actually documents which have been infected
once by CAP but are corrupted or have had the CAP macro deleted.
Often such files still contain some macros of the virus, but
might not spread. F-Secure anti-virus products do not detect such
files separately, as they are considered to be new variants of the virus.
If you want to get rid of the macros, you can copy the text of the
document to a new file or use F-Secure Anti-Virus for DOS with
the /DISINF /REMOVEALL options on this file.
[Analysis: Mikko Hypponen, F-Secure]