| Description:
|
Details
Macro.Word97.Groovie
This virus contains twenty macros in one module "Groovie": ID_Status, Install_Status, The_Groovie_Core, DocCodeCore, NormCodeCore, OrbitCoreCode, Groovie_Run, AutoOpen, AutoClose, AutoExit, FileSaveAs, filesave, fileclose, fileprint, IP_Love_You, mscript, viewvbcode, ToolsMacro, FileTemplates, Check_For_Doc.
The virus infects the system or documents when auto-macro is activated. It infects the system not only by infecting the NORMAL.DOT file, but also by creating the infected DATA.DOT file in the Word Startup directory. The DATA.DOT file contains module named ORBIT. While infecting the virus uses VBA export/import functions and save/read virus code to/from temporary C:GROOVIE.SYS file.
The virus deletes the menus "Tools/Macro" and "Tools/Templates and add-insall". On entering the ViewVBCode menu the virus displays the MessageBox:
ò ALT-F11 ò says...
It's GROOVIE
It also sets the "groovie" label on the C: drive. On Windows NT depending on the random number the virus tries to create machine IP configuration to the C:IP.TXT file and sends it to FTP server of FRISK International anti-virus company (F-PROT). |
