What is the Groovie macro virus?

Question

Hi

About half an hour ago I sent a message requesting help on the Groovy virus. I have since found out that the virus causing the problem is a macro virus called "GROOVIE".

We have scanned the hard disc with a virus scanner and hopefully cleaned it, but should anything else be done to remove the virus?

Thanks again for this wonderful service.

Chris Aiton

Answer

This question was answered on August 22, 1999. Much of the information contained herein may have changed since posting.

The following is taken from the McAfee web site, FYI, concerning the Groovie macro virus. Thank you for contacting us.

Virus Profile

Virus Name: W97M/Groov.A

Date Added: 3/1/98

Virus Characteristics

W97M/Groov.a is a Microsoft Word for Windows 97 macro virus designed specifically to replicate even under Office 97 Service Release 1, whose anti-virus features stop most of the existing macro viruses. W97M/Groov.a is the first 'in the wild' Word for Windows 97 macro virus which is able to spread under MS Office 97 Service Release 1.

The virus contains the following macros:

AutoOpen, AutoClose, AutoExit, FileSaveAs, filesave, FilePrint, ViewVBCode, ToolsMacro, FileTemplates, ID_Status, Install_Status, Yhe_Groovie_Core, DocCodeCore, NormCodeCore, OrbitCodeCore, Groovie_Run, IP_Love_You, mscript and Check_For_Doc

When an infected document is opened, the virus gets control [via AutoOpen] and checks to see if the global template [NORMAL.DOT] is already infected. If it is not, the virus infects it. The virus also creates an infected template, called DATA.DOT, in the Word for Windows STARTUP directory [from which templates are loaded when Word is started]. This ensures that the system remains infected, even if [the infected] NORMAL.DOT is deleted or replaced with a clean copy.

Once the virus has installed itself, each Word document being opened, closed, saved or printed becomes infected.

On an infected system, the file GROOVIE.SYS is found in the root directory of drive C [C:\GROOVIE.SYS]. This file contains the virus source code and is used by the virus when it replicates.

The virus changes the volume label of drive C to 'Groovie'. In addition, with a probability of 1/5th whenever a document is being accessed, the virus can initiate an FTP session to 'complex.is' [the home of Frisk Software International] and send the user's IP configuration there. This could be an attempt at a 'denial of service' attack against this anti-virus site by overloading it with multiple simultaneous FTP sessions.

The virus disables Word's built-in facilities to view or edit macros. This is not exactly a stealth feature since, when an attempt is made to view the virus macros [by using Tools | Macro, or the VBA editor], the virus reveals itself by displaying a message box with the words "It's GROOVIE!"

The W97M/Groov.b variant is slightly polymorphic. When the virus spreads, it inserts pseudo-random comments between every two lines of its code. Unlike W97M/Groov.a, the .b variant does not include the FTP payload.

Our advice in the future:

To avoid contracting one of the many "Macro Viruses" that affect Microsoft Word and Excel, press the Shift key while opening a file in either program to temporarily disable any macros that are embedded in the file and avoid getting "hit" with one of these viruses!
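The profile above names the artifacts that a scanner may leave behind after cleaning: DATA.DOT in the Word STARTUP directory, C:\GROOVIE.SYS, and the 'Groovie' volume label on drive C. The following PowerShell check is an added example, not part of the Data Doctors answer or McAfee's profile; the STARTUP and Templates paths are assumptions (they vary by Office version and install), so pass the ones in use on the machine being checked.

```powershell
# Added example: post-cleaning check for the W97M/Groov.A artifacts named in the McAfee profile.
# Only C:\GROOVIE.SYS is a fixed path in the profile; the two directories below are assumed
# defaults for later Office versions and may differ for Word 97, so override them as needed.
param(
    [string]$WordStartupDir = "$env:APPDATA\Microsoft\Word\STARTUP",   # assumed STARTUP location
    [string]$TemplatesDir   = "$env:APPDATA\Microsoft\Templates"       # assumed NORMAL.DOT location
)

$findings = @()

# 1. Virus source file dropped in the root of drive C
if (Test-Path -LiteralPath 'C:\GROOVIE.SYS') {
    $findings += 'C:\GROOVIE.SYS present (virus source file)'
}

# 2. Infected template in STARTUP; this survives a NORMAL.DOT replacement, so it must go too
$dataDot = Join-Path $WordStartupDir 'DATA.DOT'
if (Test-Path -LiteralPath $dataDot) {
    $findings += "$dataDot present (auto-loaded infected template)"
}

# 3. Volume label of drive C changed to 'Groovie' (-eq is case-insensitive in PowerShell)
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'"
if ($disk.VolumeName -eq 'Groovie') {
    $findings += "Drive C: volume label is 'Groovie'"
}

# 4. Global template: report when it was last written so it can be compared with the infection window
$normal = Join-Path $TemplatesDir 'NORMAL.DOT'
if (Test-Path -LiteralPath $normal) {
    $stamp = (Get-Item -LiteralPath $normal).LastWriteTime
    Write-Output "NORMAL.DOT last written $stamp; rescan or replace it if that falls in the infection window"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W97M/Groov.A file or volume-label artifacts found'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
    Write-Output 'Remove DATA.DOT and GROOVIE.SYS, restore the volume label, then rescan all .DOC and .DOT files'
}
```

A clean result from this check does not by itself prove the documents are clean; it only confirms that the persistence artifacts the profile describes are gone, so the scanner pass over all .DOC and .DOT files still matters.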


Author

Posted by Ken of Data Doctors on August 22, 1999