Groove | |
---|---|
Type | File virus |
Creator | |
Date Discovered | 1992.06 |
Place of Origin | Germany |
Source Language | |
Platform | DOS |
File Type(s) | .com, .exe |
Infection Length | 3,646 to 3,708 bytes |
Reported Costs | |
Groove is a DOS file virus from Germany. It uses a modified version of the Dark Avenger Mutation Engine for encryption. It is the first virus to use the engine to infect .exe files.
Behavior
When a Groove-infected file is executed, the virus installs itself in high memory, just below the DOS 640k boundary. It appends itself to .com and .exe programs as they are executed. It will only infect .exe files that are below a certain size.
Programs infected with Groove may not function properly. If COMMAND.COM has been infected, it may cause the system to be unable to boot.
At half an hour past midnight, it displays the following text, which is usually encrypted with the rest of the virus when it is not in memory:
Dont wory, you are not alone at this hour...
ThisVirus is NOT dedicated to Sara
its dedicated to her Groove (...Thats my name)
This Virus is only a test Virus there for
be ready for my Next Test ....
Also encrypted are the paths and names of the antivirus-related files that the virus deletes or corrupts. These files belong to Norton Anti-Virus, Certus' Novi, Central Point Anti-Virus, Dr. Solomon's Anti-Viral Toolkit, Fifth Generation Systems' Untouchable, and XTree's ViruSafe. The files are:
- C:\NAV_._NO
- C:\NOVIRCVR.CTS
- C:\NOVIPERF.DAT
- C:\CPAV\CHKLIST.CPS
- C:\TOOLKIT\FILES.LST
- C:\UNTOUCH\UT.UT1
- C:\UNTOUCH\UT.UT2
- C:\VS.VS
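The indicators above (the infection length and the targeted antivirus files) can be turned into a triage check over two directory listings taken before and after a suspected infection. This is an added example, not code from the sources of this page; the function names and the sample listings are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Indicators taken from this page.
GROWTH = range(3646, 3709)  # infection length: 3,646 to 3,708 bytes
TARGET_EXTS = {".com", ".exe"}
AV_FILES = [
    r"C:\NAV_._NO", r"C:\NOVIRCVR.CTS", r"C:\NOVIPERF.DAT",
    r"C:\CPAV\CHKLIST.CPS", r"C:\TOOLKIT\FILES.LST",
    r"C:\UNTOUCH\UT.UT1", r"C:\UNTOUCH\UT.UT2", r"C:\VS.VS",
]

def _norm(listing):
    """DOS paths are case-insensitive, so key every entry by upper-cased path."""
    return {path.upper(): size for path, size in listing.items()}

def suspicious_growth(baseline, current):
    """Sorted (path, growth) for .com/.exe files that grew by the infection length."""
    base, cur = _norm(baseline), _norm(current)
    hits = []
    for path, old_size in base.items():
        if PureWindowsPath(path).suffix.lower() not in TARGET_EXTS:
            continue
        new_size = cur.get(path)
        if new_size is not None and (new_size - old_size) in GROWTH:
            hits.append((path, new_size - old_size))
    return sorted(hits)

def av_file_changes(baseline, current):
    """Map each listed antivirus file that was in the baseline to what happened to it."""
    base, cur = _norm(baseline), _norm(current)
    changes = {}
    for path in (p.upper() for p in AV_FILES):
        if path not in base:
            continue  # product was never installed on this machine
        if path not in cur:
            changes[path] = "missing"
        elif cur[path] != base[path]:
            changes[path] = "size changed"
    return changes

# Constructed sample listings (path -> size in bytes), not real data.
BASELINE = {r"C:\COMMAND.COM": 47845, r"C:\DOS\FORMAT.COM": 22717,
            r"C:\DOS\XCOPY.EXE": 15820, r"C:\AUTOEXEC.BAT": 120,
            r"C:\CPAV\CHKLIST.CPS": 540, r"C:\UNTOUCH\UT.UT1": 1024, r"C:\VS.VS": 300}
CURRENT = {r"c:\command.com": 51495, r"C:\DOS\FORMAT.COM": 22717,
           r"C:\DOS\XCOPY.EXE": 19528, r"C:\AUTOEXEC.BAT": 3820,
           r"C:\UNTOUCH\UT.UT1": 0, r"C:\VS.VS": 300}
```

Growth within the stated range is a heuristic, not proof of infection, and a file corrupted without a change in size will not show up in `av_file_changes`.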
Origin and Effects
Groove likely originated in Germany. By the time it was isolated there, it was already wild in that country. It was also found in the United States.