Type Word macro virus
Creator Opic
Date Discovered 1998
Place of Origin United States
Source Language Visual Basic
Platform MS Word
File Type(s) .doc
Infection Length 1 macro module
Reported Costs

Caligula is a stealth Word Macro virus targeting Word 97 documents from 1999. It appeared in issue 5 of Codebreakers. Its most interesting feature is its ability to steal PGP keys and upload them to the Coadbreakers website.


When an infected document is executed, Caligula hooks the Tools/Macro, Tools/Customize, View/Toolbar and View/statusbar menus. The Tools/Macro menu is greyed out and can't be accessed. While infecting files, it stores its code in the file "io.vxd" at the root of drive C:.

When starting its PGP key theft routine, it first checks for the presence of a registry key, "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info" with the value of "Caligula". If this is not present, it proceeds. It checks then path containing PGP in the registry key "HKEY_CLASSES_ROOT\PGP Encrypted File\shell\open\command" to find the file Secring.skr. It saves this information in the file cdbrk.vxd, which is an FTP scripting file located at the root of drive C: and uploads the key to an FTP server located at the IP address (formerly the Codebreakers website).

Caligula's property changes

After it successfully gets the key, the Caligula adds the value "Caligula" to the registry key "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info" and sets it to "True", to ensure it does not upload multiple copies of the PGP key.

It will add the following properties to infected documents:

      Author:     Opic
      Title:      WM97/Caligula Infection
      Subject: A Study In Espionage Enabled Viruses.
      Comments: The Best Security Is Knowing The Other Guy Hasn't Got Any.
      Keywords: | Caligula | Opic | CodeBreakers |

On the 31st of every month, it displays the message box:

      "WM97/Caligula (c)Opic [CodeBreakers 1998]
      "No cia,"
      "No nsa,"
      "No satellite,"
      "Could map our veins."


Caligula did make it into the wild, but how widespread it became was never determined. The director of Network Associates said that the secret pass phrase would have to be compromised in order for Caligula to be an effective threat. After the appearance of Caligula, Fred Cohen described Codebreakers as "Hostile" and called for their website to be shut down and the group prosecuted. In an article published in Issue 5 with Caligula, Codebreakers responded, calling Cohen "certifiable" and saying it would be more dangerous to drive their kind of work underground.


Caligula appeared in Issue 5 of Codebreakers magazine in 1998. It was written by Opic to show weaknesses in Office 97, Windows 9x, and PGP. Security researcher Joel McNamara predicted "espionage enabled" viruses that attack PGP in his book Practical Attacks on PGP, which Opic accepted as a challenge.

Caligula's 31st message

Other Facts

Word macro Hilite claims influence from this virus.


Opic. Codebreakers, Issue 5, Caligula (source code). 1999

Opic. Codebreakers, Issue 5, Introduction . 1999

Horny Toad. Codebreakers, Issue 5, "In the News"

Katrin Tocheva. F-Secure, Caligula.

Dina Gorin Glazer, MCSE. Macro Viruses.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License