Rapi can generate different forms of itself, se all of the above
macros are not necessarily always present in infected files.
Rapi hooks the Tools/Macro and Tools/Customize menus. If they are
accessed, the virus spreads further and displays a messagebox like
Fail on step 29296
Sometimes the virus also activates when File/Open menu is accessed. At
this time it can display a messagebox like this:
Thank's for joining with us !
Sometimes the virus drop a text file called C:\BACALAH.TXT. This file
contains this text:
Assalamualaikum . . ., maaf @Rapi.Kom . . .
Rapi might be related to the CAP virus. Rapi has been reported to be
in the wild internationally.
[Analysis: Mikko Hypponen, F-Secure]