Summary

This Word macro virus creates an infected file called DATA.DOC to the Word startup directory. While infecting files, it creates a temporary file called C:\GROOVIE.SYS and imports the code of the virus from it.

WM/Groovie is able to spread under the Word 97 SR-1 update, but it is not the first virus to be able to do this.

Additional Details

Groovie activates by displaying a message box with these texts:

        ALT-F11 says
        It's GROOVIE

The virus also attempts to set the hard drive volume label to "groovie" and create a configuration information file with IPCONFIG and send the file to a ftp site over the internet.

After disinfecting the WM/Groovie virus, the hard drive volume label has to be restored manually back to original. Also, the temporary C:\GROOVIE.SYS file is not removed and has to be deleted manually. Do notice that GROOVIE.SYS is not infected and can not spread - it is just a temporary file used by the virus.

[Mikko Hypponen/F-Secure]