Caligula

Type: Word macro virus
Creator: Opic
Date Discovered: 1998
Place of Origin: United States
Source Language: Visual Basic
Platform: MS Word
File Type(s): .doc
Infection Length: 1 macro module
Reported Costs:

Caligula is a stealth Word macro virus from 1999 that targets Word 97 documents. It appeared in Issue 5 of Codebreakers. Its most notable feature is its ability to steal PGP keys and upload them to the Codebreakers website.

Behavior

When an infected document is opened, Caligula hooks the Tools/Macro, Tools/Customize, View/Toolbar and View/Status Bar menus. The Tools/Macro menu is greyed out and cannot be accessed. While infecting files, it stores its code in the file "io.vxd" at the root of drive C:.

[Image: caligula2.gif] Caligula's property changes

When its PGP key theft routine starts, it first checks for the presence of the value "Caligula" in the registry key "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info". If this is not present, it proceeds. It then reads the path containing PGP from the registry key "HKEY_CLASSES_ROOT\PGP Encrypted File\shell\open\command" to locate the file Secring.skr. It writes this information to the file cdbrk.vxd, an FTP scripting file located at the root of drive C:, and uploads the key to an FTP server at the IP address 209.201.88.110 (formerly the Codebreakers website).

After it successfully uploads the key, Caligula adds the value "Caligula" to the registry key "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info" and sets it to "True", so that it does not upload multiple copies of the PGP key.

It will add the following properties to infected documents:

      Author:    Opic
      Title:     WM97/Caligula Infection
      Subject:   A Study In Espionage Enabled Viruses.
      Comments:  The Best Security Is Knowing The Other Guy Hasn't Got Any.
      Keywords:  | Caligula | Opic | CodeBreakers |
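The indicators in the two passages above (the registry marker, the dropped files io.vxd and cdbrk.vxd, and the document properties) can be combined into a host check. The following Python is an added example written for this page, not code from the virus or from any of the cited sources; it reads HKEY_CURRENT_USER only on Windows, and the exists and read_value callables are injectable so the logic can be exercised with constructed data on any platform.

```python
import os
import sys

# Indicators transcribed from the description above; any sample values
# passed to these functions elsewhere are constructed, not from a real host.
MARKER_KEY = r"Software\Microsoft\MS Setup (ACME)\User Info"  # under HKEY_CURRENT_USER
MARKER_NAME = "Caligula"
DROPPED_FILES = (r"C:\io.vxd", r"C:\cdbrk.vxd")
DOC_PROPERTIES = {
    "Author": "Opic",
    "Title": "WM97/Caligula Infection",
    "Subject": "A Study In Espionage Enabled Viruses.",
    "Comments": "The Best Security Is Knowing The Other Guy Hasn't Got Any.",
}
KEYWORDS_FRAGMENT = "| Caligula | Opic | CodeBreakers |"

def check_document_properties(props):
    """Return the names of document properties that match Caligula's signature."""
    hits = [k for k, v in DOC_PROPERTIES.items() if props.get(k, "").strip() == v]
    if KEYWORDS_FRAGMENT in props.get("Keywords", ""):
        hits.append("Keywords")
    return hits

def check_dropped_files(exists=os.path.exists):
    """Return which of the dropped files (code store, FTP script) exist on the host."""
    return [p for p in DROPPED_FILES if exists(p)]

def read_hkcu_value(key, name):
    """Read a value under HKEY_CURRENT_USER; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as handle:
            return winreg.QueryValueEx(handle, name)[0]
    except OSError:
        return None

def assess(props, exists=os.path.exists, read_value=read_hkcu_value):
    """Combine the three checks. The registry marker is written only after a
    successful upload, so its presence means the PGP secret keyring should be
    treated as already exfiltrated; its absence does not prove a clean host."""
    marker = read_value(MARKER_KEY, MARKER_NAME)
    return {
        "properties": check_document_properties(props),
        "files": check_dropped_files(exists),
        "keyring_uploaded": marker is not None and str(marker).lower() == "true",
    }
```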

On the 31st of every month, it displays the message box:

      WM97/Caligula (c)Opic [CodeBreakers 1998]
      No cia,
      No nsa,
      No satellite,
      Could map our veins.

[Image: caligula1.gif] Caligula's 31st message

Effects

Caligula did make it into the wild, but how widespread it became was never determined. The director of Network Associates said that the secret pass phrase would have to be compromised in order for Caligula to be an effective threat. After the appearance of Caligula, Fred Cohen described Codebreakers as "hostile" and called for their website to be shut down and the group prosecuted. In an article published in Issue 5 alongside Caligula, Codebreakers responded, calling Cohen "certifiable" and saying it would be more dangerous to drive their kind of work underground.

Origin

Caligula appeared in Issue 5 of Codebreakers magazine in 1998. It was written by Opic to show weaknesses in Office 97, Windows 9x, and PGP. Security researcher Joel McNamara predicted "espionage enabled" viruses that attack PGP in his book Practical Attacks on PGP, a prediction Opic took as a challenge.

Other Facts

The Word macro virus Hilite claims influence from this virus.

Sources

Opic. "Caligula (source code)." Codebreakers, Issue 5, 1999.

Opic. "Introduction." Codebreakers, Issue 5, 1999.

Horny Toad. "In the News." Codebreakers, Issue 5.

Katrin Tocheva. "Caligula." F-Secure.

Dina Gorin Glazer, MCSE. "Macro Viruses."

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License