CAP consists of the macros CAP, FileSave, FileSaveAs, FileOpen, FileClose, AutoOpen, AutoExec, ToolsMacro, FileTemplates, and AutoClose.
CAP is a large, complex macro that contains all the commands the other macros use. It contains the comments:
C.A.P: Un virus social.. y ahora digital.. "j4cKy Qw3rTy" (jqw3rty@hotmail.com). Venezuela, Maracay, Dic 1996. P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !
Roughly translated:
C.A.P: A social virus.. now a digital one.. "j4cKy Qw3rTy" (jqw3rty@hotmail.com). Venezuela, Maracay, Made 1996. P.S. Whatcha doing jerk ? You'll never be Simon Bolivar.. Clown !
CAP gets the names of the macros it uses from the menus, so its macros don't always have the same name. This allows it to work on any language version of Word. It keeps the English language macros on foreign language Word versions, so the number of the macros and their names can vary.
CAP deletes any macro that is not part of itself. It recognizes its own macros because their descriptions start with "F%". The descriptions of the macros are:
FileClose | F%C |
FileOpen | F%O |
FileSaveAs | F%SA |
FileSave | F%S |
ToolsMacro | F%{number} |
Others | F% |
CAP turns off Prompt to Save NORMAL.DOT, turns on Fast Saves, and turns on Auto Save for every 10 minutes.
It also deletes the Tools/Macro and the Tools/Customize menu items. File/Templates will not be deleted but nothing will happen when it is chosen.
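Because the macro names change with the Word language version, a check keyed on the "F%" descriptions and on the changed settings is more reliable than one keyed on names. The following triage sketch is an added example, not code from the original page; it assumes the macro list, option values and menu items have already been exported by some other means, and the dictionary keys, the localized macro names and the sample data are hypothetical.

```python
import re

# Description markers from the table on this page, keyed by role.
ROLES = {"F%C": "FileClose", "F%O": "FileOpen", "F%SA": "FileSaveAs", "F%S": "FileSave"}
TOOLSMACRO = re.compile(r"^F%\d+$")   # ToolsMacro: "F%" followed by a number

# Settings and menu changes the page attributes to CAP (key names are hypothetical).
CAP_SETTINGS = {"prompt_save_normal_dot": False, "fast_saves": True, "autosave_minutes": 10}
CAP_REMOVED_MENUS = ("Tools/Macro", "Tools/Customize")


def classify(description):
    """Map a macro description to the CAP role it marks, or None if unmarked."""
    if not description.startswith("F%"):
        return None
    if description in ROLES:
        return ROLES[description]
    return "ToolsMacro" if TOOLSMACRO.match(description) else "Others"


def triage(macros, settings, menus):
    """macros: {name: description}; settings: dict; menus: set of menu items present."""
    marked = {name: classify(desc) for name, desc in macros.items() if classify(desc)}
    unmarked = sorted(set(macros) - set(marked))   # CAP would have deleted these
    changed = sorted(k for k, v in CAP_SETTINGS.items() if settings.get(k) == v)
    missing = [m for m in CAP_REMOVED_MENUS if m not in menus]
    suspect = bool(marked) and (len(changed) == len(CAP_SETTINGS) or bool(missing))
    return {"marked": marked, "unmarked": unmarked, "settings": changed,
            "missing_menus": missing, "suspect": suspect}


# Constructed sample: a non-English Word install, so the macro names are localized
# (names invented for illustration) but the descriptions still carry the markers.
SAMPLE_MACROS = {"CAP": "F%", "DateiSchliessen": "F%C", "DateiOeffnen": "F%O",
                 "DateiSpeichernUnter": "F%SA", "ExtrasMakro": "F%7", "AutoOpen": "F%"}
SAMPLE_SETTINGS = {"prompt_save_normal_dot": False, "fast_saves": True, "autosave_minutes": 10}
SAMPLE_MENUS = {"File/Templates", "File/Open"}

if __name__ == "__main__":
    print(triage(SAMPLE_MACROS, SAMPLE_SETTINGS, SAMPLE_MENUS))
```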
If you try to use FileSaveAs, and the file is infected, then CAP will create a new document with the same text and same name as the old one. This is to prevent the user from realizing that the file is actually a template.
Because most of the code is stored inside the macro called CAP, CAP can still function if most of the other macros are damaged. If some of the macros are damaged, they will produce a message like "WordBasic Error".
Some sites say CAP is most closely related to the Rapi virus. However, it is most closely related to the Colors virus. Because of all the things CAP does, some methods that are effective against other macro viruses are ineffective against CAP. Here are some examples:
Ineffective advice: | Reason: |
Use Microsoft's MVTOOL/ScanProt | CAP deletes macros that aren't a part of itself so it deletes ScanProt |
Choose ToolsMacro and delete the macros | CAP deletes the ToolsMacro menu item |
Use DisableAutoMacros | CAP can still get control from FileOpen, FileClose, FileSave and FileSaveAs |
Turn on Prompt to Save NORMAL.DOT | CAP turns it off |
Save the documents in Rich Text Format | CAP will give them the RTF extension but they will actually be infected templates. |
Delete NORMAL.DOT/Make it read-only | CAP will still have infected all your Word Documents and can spread to other Word documents |