This Word macro virus creates an infected file called DATA.DOC to the Word startup directory. While infecting files, it creates a temporary file called C:\GROOVIE.SYS and imports the code of the virus from it.
WM/Groovie is able to spread under the Word 97 SR-1 update, but it is not the first virus to be able to do this.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
Groovie activates by displaying a message box with these texts:
ALT-F11 says It's GROOVIE
The virus also attempts to set the hard drive volume label to "groovie" and create a configuration information file with IPCONFIG and send the file to a ftp site over the internet.
After disinfecting the WM/Groovie virus, the hard drive volume label has to be restored manually back to original. Also, the temporary C:\GROOVIE.SYS file is not removed and has to be deleted manually. Do notice that GROOVIE.SYS is not infected and can not spread - it is just a temporary file used by the virus.
Description Details: Mikko Hypponen/F-Secure