WM/CAP is one of the most common viruses in the world.
For more information on macro viruses, see WM/Concept.
Disinfection & Removal
F-Secure anti-virus products disinfect CAP.A. This is done by deleting all macros in the file - there is no way to restore the original macros which were deleted by the virus. If you had your own macros in your NORMAL.DOT, restore a clean copy from backups.
If you have a sample which was detected by F-PROT Professional 2.26 but is not detected by 3.0, don't worry. We changed the detection to be more exact in 3.0 - in some cases older versions detected versions of CAP which were disinfected manually.
CAP is a complex Word macro virus. It consists of several encrypted macros: CAP, AutoExec, AutoOpen, FileSave, FileSaveAs, FileTemplates, ToolsMacro, FileClose, FileOpen and AutoClose.
The virus contains these texts in comments:
'C.A.P: Un virus social.. y ahora digital.. '"j4cKy Qw3rTy" (firstname.lastname@example.org). 'Venezuela, Maracay, Dic 1996. 'P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !
When infecting Word, CAP modifies up to five already-existing menus, redirecting them to the virus code. This creates some problems, as the names of the modified entries are different in different Word installations and different language versions of Word.
One effect of CAP is that all documents are saved in the Word DOC format, regardless of the format you choose. So, for example, if a document is saved as an RTF file, the extension of the document will become RTF but internally the file is still a DOC and does still contain the virus. Normal RTF files do not contain macros at all and are unable to spread macro viruses.
When CAP infects documents, it deletes all existing macros from them. Otherwise CAP does not do anything destructive. However, it does remove the Tools/Macro and Tools/Customize menus and disables File/Templates menu in order to protect itself.
WM/CAP.A was reported in the wild in several countries in 1997. It's probably related to the WM/Rapi virus.
WM is an abbreviation for WordMacro. This abbreviation is used by Dr. Solomon's antivirus toolkit.
".dam" is an abbreviation for "damaged". This abbreviation is used by Dr. Solomon's antivirus toolkit. Files reported to contain the "WM/CAP.dam" virus are actually documents which have been infected once by CAP but are corrupted or have had the CAP macro deleted. Often such files still contain some macros of the virus, but might not spread. F-Secure anti-virus products do not detect such files separately, as they are considered to be new variants of the virus.
If you want to get rid of the macros, you can copy the texts of the document to a new file or use F-Secure Anti-Virus for DOS with /DISINF /REMOVEALL options on this file.
Description Created: Mikko Hypponen, F-Secure