| CAP | |
|---|---|
| Type | Macro virus |
| Creator | Jacky Qwerty |
| Date Discovered | 1996.12 |
| Place of Origin | Maracay, Venezuela |
| Source Language | Visual Basic for Applications |
| Platform | MS Word |
| File Type(s) | .doc |
| Infection Length | 10 Macro modules |
| Reported Costs | |
CAP is an encrypted Word macro virus. It comes from Venezuela, created by Jacky Qwerty, who joined the 29A virus coding group shortly after he coded this one. It appeared in issue 2 of 29A magazine.
Behavior
The CAP virus consists of 10 or 15 macros, depending on the language version of Word. If it infect a computer on the English version, it will consist of the following ten macros:
- CAP
- AutoExec
- AutoOpen
- FileOpen
- AutoClose
- FileSave
- FileSaveAs
- FileTemplates
- ToolsMacro
- FileClose
On a non-English version of Word, it creates an additional five, which are simply copies of the last five on the above list. When an infected file is opened, CAP removes the macros in NORMAL.DOT and replaces them with its own. It removes the options of Macros and Customize under the Tools drop menu, as well as Templates under file. If there is an icon on the toolbar, it will still be there, but it will not function.
When the macros are decrypted, the following text can be seen:
'C.A.P: Un virus social.. y ahora digital..
'"j4cKy Qw3rTy" (jqw3rty@hotmail.com).
'Venezuela, Maracay, Dic 1996.
'P.D. Que haces gochito ? Nunca seras Simon Bolivar.. Bolsa !This translates into: "'C.A.P: A social virus, and now a digital one. (The next two lines are about the creator and the time and location of the virus's creation.) PS, What are you doing little cowboy? You will never be Simon Bolivar! Stupid!
CAP is unable to function in Word version 97 and above.
Variants
Like a number of macro viruses of its time, CAP produced a very high number of variants, most are too similar to the original to merit mention. One variant, Capcop is a complete rewrite of the original, and some antivirus products detect it as a different family.
Effects
CAP became pretty wide spread in the western hemisphere. It reached New Jersey by May of 1997. It had reportedly spread around the whole world within weeks of its release.
Origin
CAP was coded in Venezuela by Jacky Qwerty and appeared in 29A magazine. It was written in Visual Basic for Applications.
Sources
Jacky Qwerty. 29A Zine, Issue 2, WordMacro.CAP
Nikolai Bezroukov. Softpanorama, The CAP Macro virus. 1997.07.08
Vesselin Bontchev. Frisk Software, Macro Virus Identification Problems.
Lord Julus. Interview with Jacky Qwerty. 1999.08
LocalSpanish, Slang term from Venezuela "bolsa".