Groove
Type: File virus
Date Discovered: 1992.06
Place of Origin: Germany
Platform: DOS
File Type(s): .com, .exe
Infection Length: 3,646 to 3,708 bytes

Groove is a DOS file virus from Germany. It uses a modified version of the Dark Avenger Mutation Engine for encryption. It is the first virus to use the engine to infect .exe files.

Behavior

When a Groove-infected file is executed, the virus installs itself in high memory, just below the DOS 640k boundary. It then appends itself to .com and .exe programs as they are executed. It will only infect .exe files that are below a certain size.

Programs infected with Groove may not function properly. If COMMAND.COM has been infected, it may cause the system to be unable to boot.

At half an hour past midnight it displays the following text, which is usually encrypted with the rest of the virus when the virus is not in memory:

  Dont wory, you are not alone at this hour...
  ThisVirus is NOT dedicated to Sara
  its dedicated to her Groove (...Thats my name)
  This Virus is only a test Virus there for
  be ready for my   Next  Test   ....

Also encrypted are the paths and names of the antivirus-related files that the virus deletes or corrupts. These files belong to Norton Anti-Virus, Certus' Novi, Central Point Anti-Virus, Dr. Solomon's Anti-Viral Toolkit, Fifth Generation Systems' Untouchable, and XTree's ViruSafe. The files are:
  • C:\NAV_._NO
  • C:\NOVIRCVR.CTS
  • C:\NOVIPERF.DAT
  • C:\CPAV\CHKLIST.CPS
  • C:\TOOLKIT\FILES.LST
  • C:\UNTOUCH\UT.UT1
  • C:\UNTOUCH\UT.UT2
  • C:\VS.VS
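
Because the virus body is encrypted on disk, the indicators this page gives for triage are file-level: .com and .exe programs that grew by the stated infection length, and the listed antivirus data files going missing or changing. The following is an added example, not code from any of the cited sources; it compares two file listings, and the function names and sample listings are constructed for illustration. A match is a lead for further analysis, not proof of infection.

```python
from pathlib import PureWindowsPath

# Infection length range stated in this page's summary (bytes).
GROWTH_MIN, GROWTH_MAX = 3646, 3708

# Antivirus data files the page lists as deleted or corrupted.
AV_FILES = [
    r"C:\NAV_._NO", r"C:\NOVIRCVR.CTS", r"C:\NOVIPERF.DAT",
    r"C:\CPAV\CHKLIST.CPS", r"C:\TOOLKIT\FILES.LST",
    r"C:\UNTOUCH\UT.UT1", r"C:\UNTOUCH\UT.UT2", r"C:\VS.VS",
]

def norm(path):
    """DOS paths are case-insensitive, so compare them upper-cased."""
    return str(PureWindowsPath(path)).upper()

def triage(baseline, current):
    """baseline/current map path -> size in bytes. Returns (grown, tampered)."""
    base = {norm(p): s for p, s in baseline.items()}
    cur = {norm(p): s for p, s in current.items()}
    grown = []
    for path, size in sorted(cur.items()):
        if PureWindowsPath(path).suffix not in (".COM", ".EXE"):
            continue  # the page names only .com and .exe as targets
        old = base.get(path)
        if old is not None and GROWTH_MIN <= size - old <= GROWTH_MAX:
            grown.append((path, size - old))
    tampered = []
    for path in map(norm, AV_FILES):
        if path in base and path not in cur:
            tampered.append((path, "missing"))
        elif path in base and cur[path] != base[path]:
            tampered.append((path, "size changed"))
    return grown, tampered

# Constructed sample listings (not taken from a real system).
BASELINE = {r"C:\COMMAND.COM": 47845, r"C:\DOS\EDIT.COM": 413,
            r"C:\DOS\MEM.EXE": 39818, r"C:\CPAV\CHKLIST.CPS": 1215,
            r"C:\TOOLKIT\FILES.LST": 2048, r"C:\AUTOEXEC.BAT": 120}
CURRENT = {r"c:\command.com": 47845 + 3660, r"C:\DOS\EDIT.COM": 413,
           r"C:\DOS\MEM.EXE": 39818 + 3708, r"C:\TOOLKIT\FILES.LST": 2050,
           r"C:\AUTOEXEC.BAT": 120 + 3650}

if __name__ == "__main__":
    grown, tampered = triage(BASELINE, CURRENT)
    for path, delta in grown:
        print(f"size grew by {delta} bytes: {path}")
    for path, state in tampered:
        print(f"antivirus data file {state}: {path}")
```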

Origin and Effects

Groove likely originated in Germany. By the time it was isolated there, it was already wild in that country. It was also found in the United States.

