Summary

For more information macro viruses, see the description of WordMacro/Concept.

Rapi is a Word macro virus consisting of several macros: AUTOOPEN, RPAE, RPFS, RPFSA, RPFO, RPTC, RPTM, RPAO, FILESAVE, RPFS, FILESAVEAS, FILEOPEN, TOOLSCUSTOMIZE, TOOLSMACRO.

Additional Details

Rapi can generate different forms of itself, se all of the above macros are not necessarily always present in infected files.

Rapi hooks the Tools/Macro and Tools/Customize menus. If they are accessed, the virus spreads further and displays a messagebox like this:

         Err@#*(C)

         Fail on step 29296

         OK

Sometimes the virus also activates when File/Open menu is accessed. At this time it can display a messagebox like this:

         @Rapi.Kom

         Thank's for joining with us !

         OK

Sometimes the virus drop a text file called C:\BACALAH.TXT. This file contains this text:

         Assalamualaikum . . ., maaf @Rapi.Kom . . .

Rapi might be related to the CAP virus. Rapi has been reported to be in the wild internationally.

[Analysis: Mikko Hypponen, F-Secure]