Welcome to the Virus Encyclopedia of Panda Security.
|Detection updated on:||Nov. 13, 2002|
W97M/Groov.X is a polymorphic macro virus that infects MS Word documents. This virus modifies certain MS Word options and displays messages on screen.
Firstly, the virus disables the protection offered by MS Word when a document containing macros is opened. Then, it disables the dialog boxes that appear when the NORMAL.DOT template is saved and those that allow documents to be converted when they are opened. In addition, it also disables the Macro, Templates and add-ins options in the Tools menu and certain messages in the MS Word command bar. Using this stealth technique it tries to hide its presence from the user.
The virus tries to change the name of the C: drive to sajoo and create a file called SAJOO.SYS. Then, the virus saves a copy of the document that it infected at the start under the name DATA.DOT in the Word Startup directory. This directory is indicated in the File locations tab in Options in the Tools menu.
On infecting a document, the virus replaces the information in the Comments field in the Summary tab of the properties of the document with: "ALT-F11 says it's sajoo!" If the user tries to access the Visual Basic code of the document using the key combination Alt+F11, the virus will display the following message of screen: