Virus.MSWord.Groovie

Class Virus
Platform MSWord
Description

Technical Details


This virus contains twenty macros in one module “Groovie”: ID_Status,
Install_Status, The_Groovie_Core, DocCodeCore, NormCodeCore, OrbitCoreCode,
Groovie_Run, AutoOpen, AutoClose, AutoExit, FileSaveAs, filesave,
fileclose, fileprint, IP_Love_You, mscript, viewvbcode, ToolsMacro,
FileTemplates, Check_For_Doc.


The virus infects the system or documents when auto-macro is activated. It
infects the system not only by infecting the NORMAL.DOT file, but also by
creating the infected DATA.DOT file in the Word Startup directory. The
DATA.DOT file contains module named ORBIT. While infecting the virus uses
VBA export/import functions and save/read virus code to/from temporary
C:GROOVIE.SYS file.


The virus deletes the menus “Tools/Macro” and “Tools/Templates and
add-ins…”. On entering the ViewVBCode menu the virus displays the
MessageBox:


ò ALT-F11 ò says…
It’s GROOVIE

It also sets the “groovie” label on the C: drive. On Windows NT depending
on the random number the virus tries to create machine IP configuration to
the C:IP.TXT file and sends it to FTP server of FRISK International
anti-virus company (F-PROT).