W97M.Groov is an MS Word 97 macro virus. When an infected document is opened, the virus gets control and checks to see if the global template [NORMAL.DOT] is already infected. If it is not, the virus infects it. Once the virus has installed itself, each Word document being opened, closed, saved or printed becomes infected. The virus disables Word's built-in facilities to view or edit macros. 
 

Symptoms of the Virus

The virus uses a temporary file C:\GROOVIE.SYS and re-label drive C to GROOVIE. It also adds a template file, DATA.DOT, into the MS Word startup directory, which is usually set to:

C:\Program Files\Microsoft Office\Office\STARTUP. 

Accessing Tools-Macro-VisualBasicEditor brings a message box titled " ò ALT-F11 ò says... " with the message: "It's GROOVIE". Another payload re-labels the C: drive to Groovie. This payload is done after infecting Global Template. The virus also adds a comment in the document property: "ALT-F11 says it's groovie!"
 

To Remove the Virus (on a Windows 95/98 system)

1. Terminate Internet connection and close any open programs.

For the following, go to Start, Find, Files or Folders.

1. Do a find for DATA.DOT Delete this file.

 
2. Do a find for GROOVIE.SYS Delete this file.

 
3. Do a find for SCRIPT.SYS Delete this file if found.

 
4. Do a find for IP.TXT Delete this file if found.

 
5. Do a find for the NORMAL.DOT Once found, look for the path underneath "In Folder". The path will probably be C:\MSOffice\Templates Remember this path.

 
6. Close the File Finder. Double click on My Computer. Double click on Sys on Stetson. Double click on the folder called Public. Look for the file called Normal.dot Once found, click on it once to highlight it, go to Edit, Copy. (This is for Office 97 only) You can now close this window.

 
7. Go to Start, Programs, Windows Explorer. Once Windows Explorer opens, scroll to the top on the left side window. Click once on C:

 
8. Look for the folder called MSOffice. Click once on this folder and on the right you will see several more folders. Double click on the one called Templates. Go to Edit, Paste.

 
9. When asked if you would like to replace the file, say yes. You can now close this window.

 
10. Double click on My Computer. Click once on the C Drive to highlight it. Go to File, Properties. When the Properties box appears, you can delete the label of Groovie and leave this blank. This re-labels the hard drive back to C.

 
11. Empty the recycle bin.

 
12. Re-boot.

If you have, or think you have been infected with any type of virus or trojan program please contact your desktop consultant or the security staff to report your instance so that we can help to prevent others from also being infected.