Class Virus
Platform MSWord

Technical Details

This virus contains twenty macros in one module “Groovie”: ID_Status,
Install_Status, The_Groovie_Core, DocCodeCore, NormCodeCore, OrbitCoreCode,
Groovie_Run, AutoOpen, AutoClose, AutoExit, FileSaveAs, filesave,
fileclose, fileprint, IP_Love_You, mscript, viewvbcode, ToolsMacro,
FileTemplates, Check_For_Doc.

The virus infects the system or documents when auto-macro is activated. It
infects the system not only by infecting the NORMAL.DOT file, but also by
creating the infected DATA.DOT file in the Word Startup directory. The
DATA.DOT file contains module named ORBIT. While infecting the virus uses
VBA export/import functions and save/read virus code to/from temporary

The virus deletes the menus “Tools/Macro” and “Tools/Templates and
add-ins…”. On entering the ViewVBCode menu the virus displays the

ò ALT-F11 ò says…

It also sets the “groovie” label on the C: drive. On Windows NT depending
on the random number the virus tries to create machine IP configuration to
the C:IP.TXT file and sends it to FTP server of FRISK International
anti-virus company (F-PROT).

Find out the statistics of the threats spreading in your region