Groove Virus


 Virus Name:  Groove 
 Aliases:    
 V Status:    Rare 
 Discovered:  June, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory; deletes/corrupts anti-viral program data files; 
              file date/time changes; programs don't function properly; 
              boot failures 
 Origin:      Germany 
 Eff Length:  3,646 - 3,708 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, ChAV, 
                    Sweep, IBMAV, NAV, NAVDX, VAlert, PCScan, 
                    Sweep/N, Innoc, AVTK/N, NAV/N, NProt, IBMAV/N, NShld, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Groove virus was received in June, 1992.  It was originally 
       isolated in Germany, where it is reported to be in the public 
       domain.  Groove is a memory resident infector of .COM and .EXE 
       programs which uses a slightly modified version of the Dark 
       Avenger Mutation Engine (DAME) for encryption. 
 
       When the first program infected with the Groove virus is executed, 
       Groove installs itself memory resident at the top of system 
       memory but below the 640K DOS boundary and hooks interrupt 21. 
 
       Once the Groove virus is memory resident, it will infect .COM 
       programs, including COMMAND.COM, when they are executed.  It will 
       also infect .EXE programs, but only very small ones.  Infected 
       programs will have a file length increase of 3,646 to 3,708 bytes. 
       The virus will be located at the end of the file.  The program's date 
       and time in the DOS disk directory listing will have been updated to 
       the current system date and time when infection occurred. 
 
       The Groove virus contains the following text strings, though they 
       are usually encrypted in infected programs so that they are not 
       visible: 
 
               "Dont wory, you are not alone at this hour... 
                ThisVirus is NOT dedicated to Sara 
                its dedicated to her Groove (...Thats my name) 
                This Virus is only a test Virus there for 
                be ready for my   Next  Test   ...." 
 
               "C:\NAV_._NO C:\NOVIRCVR.CTS C:\NOVIPERF.DAT 
                C:\CPAV\CHKLIST.CPS C:\TOOLKIT\FILES.LST 
                C:\UNTOUCH\UT.UT1 C:\UNTOUCH\UT.UT2 C:\VS.VS" 
 
       The second set of text strings above lists the names of data files 
       for the following anti-viral utilities, which have been targeted by 
       the author of this virus:  Symantec's Norton Anti-Virus, Certus' Novi, 
       Central Point Anti-Virus, Dr. Solomon's Anti-Viral Toolkit, 
       Fifth Generation Systems' Untouchable, and XTree's ViruSafe.  The 
       virus will attempt to corrupt or delete these data files if they 
       are present.  
 
       Besides the deletion or other corruption of the above indicated 
       data files, systems infected with the Groove virus will have 
       difficulty executing infected programs.  Infected programs will 
       usually not function properly, giving unpredictable results.  If 
       COMMAND.COM becomes infected, boot failures may also occur. 
 
       See:   DAME   Pogue 
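
The symptoms listed above (.COM and .EXE growth of 3,646 to 3,708 bytes with an updated date/time, plus damage to the named anti-viral data files) can be checked by comparing two directory snapshots. This is an added example, not part of the original entry; the snapshot format, function names and sample data are constructed, and the snapshots are assumed to be taken after booting from clean media.

```python
from datetime import datetime

# Values taken from the entry above.
GROWTH_RANGE = range(3646, 3708 + 1)      # documented file length increase, bytes
TARGETED_AV_FILES = {                     # anti-viral data files named in the virus
    r"C:\NAV_._NO", r"C:\NOVIRCVR.CTS", r"C:\NOVIPERF.DAT",
    r"C:\CPAV\CHKLIST.CPS", r"C:\TOOLKIT\FILES.LST",
    r"C:\UNTOUCH\UT.UT1", r"C:\UNTOUCH\UT.UT2", r"C:\VS.VS",
}

def growth_suspects(baseline, current):
    """Programs whose size grew by the documented amount and whose timestamp changed."""
    hits = []
    for path, (size, mtime) in sorted(current.items()):
        if not path.upper().endswith((".COM", ".EXE")) or path not in baseline:
            continue
        old_size, old_mtime = baseline[path]
        if size - old_size in GROWTH_RANGE and mtime != old_mtime:
            hits.append((path, size - old_size))
    return hits

def damaged_av_data(baseline, current):
    """Targeted data files present in the baseline that are now missing or altered."""
    return sorted(p for p in TARGETED_AV_FILES
                  if p in baseline and current.get(p) != baseline[p])

# Constructed sample snapshots: path -> (size in bytes, directory date/time).
T0 = datetime(1992, 5, 1, 12, 0)
T1 = datetime(1992, 6, 20, 9, 30)
BASELINE = {
    r"C:\COMMAND.COM": (47845, T0),
    r"C:\DOS\FORMAT.COM": (32911, T0),
    r"C:\DOS\EDIT.COM": (413, T0),
    r"C:\CPAV\CHKLIST.CPS": (1890, T0),
    r"C:\VS.VS": (640, T0),
}
CURRENT = {
    r"C:\COMMAND.COM": (47845 + 3660, T1),   # grew within range, new timestamp
    r"C:\DOS\FORMAT.COM": (32911, T0),       # unchanged
    r"C:\DOS\EDIT.COM": (413 + 5000, T1),    # changed, but growth outside range
    r"C:\CPAV\CHKLIST.CPS": (1890, T0),      # intact
}                                            # C:\VS.VS is gone

if __name__ == "__main__":
    print("growth suspects:", growth_suspects(BASELINE, CURRENT))
    print("damaged AV data:", damaged_av_data(BASELINE, CURRENT))
```

Growth in this range is only an indicator; confirm any hit with one of the scanners listed under Detection Method.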
