When an infected file is run, the virus installs itself into memory at the top of system memory, just below the 640K DOS boundary, hooking INT 21 to infect any executable file that is run later on. The time and date of infected files are changed to that of the system at the time of infection. Groove will avoid infecting files below a certain size.
At half past midnight on any day, it will show the following message:
Dont wory, you are not alone at this hour... ThisVirus is NOT dedicated to Sara its dedicated to her Groove (...Thats my name) This Virus is only a test Virus there for be ready for my Next Test ....
If the following AntiVirus products are present on the system, Groove will attempt to corrupt or delete the product's datafiles: Symantec's Norton Anti-Virus, Certus' Novi, Central Point Anti-Virus, Dr. Solomon's Anti-Viral Toolkit, Fifth Generation Systems' Untouchable, and XTree's ViruSafe with the following files affected:
C:\NAV_._NO C:\NOVIRCVR.CTS C:\NOVIPERF.DAT C:\CPAV\CHKLIST.CPS C:\TOOLKIT\FILES.LST C:\UNTOUCH\UT.UT1 C:\UNTOUCH\UT.UT2 C:\VS.VS
Due to possibly poor programming or a bug in the virus code, files infected with Groove often do not work properly. If COMMAND.COM becomes infected, the system can be rendered unbootable.
The virus uses a modified version of the Dark Avenger Mutation Engine (DAME) for its encryption, it also was the first virus to use this engine to infect EXE files.
Some strains of the Groove virus contained an indecent ASCII image, which was implemented into Abraxas.1214. However, this was also used in some strains of Walker when the payload starts, along with a sound from Burma.