This is a newly discovered Word97 macro virus which uses an export to file/import from file method of infection. The hosting file for the virus code is 'c:\io.vxd'.
This virus uses an AUTOCLOSE macro, with a module name of CALIGULA
This virus modifies documents/templates infected with these properties-
Title: 'WM97/Caligula Infection'
Subject: 'A Study In Espionage Enabled Viruses.'
Comments: 'The Best Security Is Knowing The Other Guy Hasn't Got Any.'
Keywords: ' | Caligula | Opic | CodeBreakers | '
disables macro warning, prompt to save normal.dot, confirmation to convert
disables ToolsMacro, VB Editor
disables menu items ToolsMacro, ToolsCustomize, ViewToolbars
on the 31st of month displays message box.
If user name is not 'Caligula', runs PGP Secure Keyring find and send routine - user name retrieved from registry
'HKCU\Software\Microsoft\MS Setup (ACME)\User Info'
Searches for PGP Secure Keyring using registry entry to get PGP installed path
If key does not exist, exits otherwise searches for 'Secring.skr' in PGP path
If file found, file is uploaded to the virus author's ftp site using a script file written as 'c:\cdbrk.vxd' and using ftp.exe in a hidden process
The computer user name is set to 'Caligula'