Summary
Goldbug is a complex virus written in the USA. It slipped into
international circulation in summer 1994, attached, apparently
on purpose, to a pirated beta version of the game DOOM II. This
archive was circulated on BBSs worldwide. Goldbug
infects the main boot records of hard disks and diskette boot
sectors. It also spreads by using the companion virus technique
and contains retrovirus features. Goldbug uses an astonishing
variety of tricks to make detection and surveillance difficult.
Additional Details
When a file infected by Goldbug is executed, the virus
copies its own code to the hard disk's main boot record. If
the computer has HMA memory available, the virus goes
resident in memory. If the computer is not at least a 286,
the virus does nothing at all; the same happens if the
system does not use HMA memory.
When the virus infects the hard disk, it overwrites the
partition information in the main boot record. Because of
Goldbug's stealth capabilities, this cannot be seen as long
as the virus is resident in memory. However, if the computer
is booted from a clean diskette, the system cannot find the
hard disk. The effect is similar to that caused by, for
example, the Monkey virus, and it prevents the virus from
being removed with the FDISK /MBR command: FDISK /MBR
rewrites only the boot code and keeps the existing partition
table, so running it from a clean boot would leave the
overwritten table in place and the hard disk inaccessible.
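As an added illustration (not part of the original F-Secure analysis), the following Python script performs the check a clean-booted examination of the hard disk amounts to: it parses the partition table of a raw 512-byte master boot record and reports whether DOS would find any usable partition. The sample MBRs are constructed inside the script. The page does not say what Goldbug writes over the partition data, so the overwritten table is modelled simply as one with no valid entries; that is an assumption, not a description of the virus's actual bytes.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE   # 446: start of the four 16-byte partition entries
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE    # 510: the 0x55 0xAA boot signature
# One entry: boot flag, CHS start (skipped), type, CHS end (skipped),
# LBA of first sector, sector count; all little-endian.
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr):
    """Return the four primary partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        boot, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, offset)
        entries.append({"boot": boot, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def has_boot_signature(mbr):
    """True if the sector ends with the 0x55 0xAA signature the BIOS requires."""
    return mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xaa"


def usable_partitions(entries):
    """Entries DOS would recognise: boot flag 0x00 or 0x80, non-zero type and length."""
    return [e for e in entries
            if e["boot"] in (0x00, 0x80) and e["type"] != 0 and e["sectors"] != 0]


def assess_mbr(mbr):
    """Classify a raw MBR: 'no-signature', 'no-partitions' or 'ok'."""
    if not has_boot_signature(mbr):
        return "no-signature"
    if not usable_partitions(parse_partition_table(mbr)):
        return "no-partitions"
    return "ok"


def build_mbr(partitions, signature=True):
    """Constructed sample MBR: zeroed boot code plus the given
    (boot, type, lba_start, sectors) entries, signature optional."""
    mbr = bytearray(MBR_SIZE)
    for i, (boot, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        offset = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        struct.pack_into(ENTRY_FMT, mbr, offset, boot, ptype, lba_start, sectors)
    if signature:
        mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # One bootable FAT16 primary partition (constructed values).
    clean = build_mbr([(0x80, 0x06, 63, 1_048_513)])
    # Partition table cleared: what a clean boot sees on an infected disk
    # (modelling assumption, see the lead-in).
    wiped = build_mbr([])
    print("clean disk:", assess_mbr(clean))
    print("overwritten table:", assess_mbr(wiped))
```

The reading must come from a clean boot: on a running system you can read the sector with, for example, dd if=/dev/sda bs=512 count=1 of=mbr.bin on Linux and pass the file's bytes to assess_mbr, but a sector read while Goldbug is resident is useless, because the stealth routine hands back a copy of the original record. A "no-partitions" result on a disk that is known to hold data is the symptom described above, and the repair is to restore the partition table, not merely the boot code.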
The virus goes resident in memory the next time the computer
is started, storing its own code in color video memory. At
this stage, Goldbug restores the original main boot record.
The virus cannot keep its code in color video memory
indefinitely, because that would prevent graphical programs
from functioning. However, at this stage it cannot move its
code to HMA memory either, since the system's memory
management programs have not been loaded from CONFIG.SYS
yet. The virus hooks the video interrupt 10h and waits for
HMA to become available.
If HMA memory is not installed, the virus removes itself
from memory once the computer switches to graphics mode.
Otherwise the virus copies its code to the top of HMA as
soon as it gets the chance. Once in HMA, the virus writes
its own code back to the main boot record.
Goldbug infects the boot sectors of 1.2 MB diskettes like a
normal boot sector virus. All non-write-protected diskettes
used in a Goldbug-infected computer are infected. In
addition to the diskette boot sector, Goldbug uses two
sectors on the diskette to store its code; however, unlike
most other boot sector viruses, Goldbug checks that these
sectors are empty before infecting the diskette.
Goldbug uses quite an unusual method for infecting
diskettes. If a computer is booted from an infected
diskette, the virus stays resident in video memory until it
gains access to HMA memory. When HMA memory becomes
available, the virus infects the hard disk. At the same
time, it removes its own code from the diskette, and won't
infect it again while it stays in the drive. This makes it
difficult to trace an infection's source, because the
diskette the virus originally arrived on may not be infected
any longer.
When the virus is active, it infects EXE programs as they
are executed. When such a program is run, the virus creates
a companion file for it in the same directory and strips
the extension from the original file's name. For example, a
file called PROGRAM.EXE is renamed to PROGRAM, and the
companion file is then given the original name, PROGRAM.EXE.
The virus takes care to give the companion file the same
size, creation date and attributes as the original file. The
original file is given the system attribute, so that it does
not appear in a directory listing.
The virus does not create companion files on diskettes.
However, it will infect files over a network, as long as the
user has the right to create and rename files in the
network.
Goldbug employs a variable encryption routine. The virus can
use 512 different decryption routines, each of which it can
modify in 128 different ways. Nevertheless, the virus's
encryption technique cannot be called truly polymorphic. The
virus's encryption routines are protected, which makes it
difficult to decrypt the virus for analysis.
Goldbug is a stealth virus. When the main boot record of an
infected hard disk or the boot sector of an infected
diskette is examined, the virus shows the user a copy of the
original object. When an infected EXE file is executed, the
virus reroutes the operation to the original file. If some
program tries to delete a companion file the virus has
created, the virus causes the original file to be deleted
instead.
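The companion scheme described above leaves a recognisable trace on disk: NAME.EXE next to an extensionless file NAME of identical size and date. The following Python script, added here as an illustration and not taken from the original analysis, scans one directory for such pairs and builds its own constructed sample directory to run against. Two assumptions are made: the DOS system attribute is not checked, because it cannot be read portably from Python, and names are compared in upper case, as DOS stores them.

```python
import os
import stat
import tempfile


def find_companion_pairs(directory):
    """Return sorted (companion, original) name pairs found in one directory.

    A pair is NAME.EXE next to an extensionless regular file NAME whose
    size and modification time match the EXE exactly, the pattern the
    companion technique leaves behind. The DOS system attribute on the
    original is not examined (assumption: not readable portably).
    """
    by_upper = {n.upper(): n for n in os.listdir(directory)}
    pairs = []
    for upper, exe_name in by_upper.items():
        base, ext = os.path.splitext(upper)
        if ext != ".EXE" or base not in by_upper:
            continue
        orig_name = by_upper[base]
        exe_st = os.stat(os.path.join(directory, exe_name))
        orig_st = os.stat(os.path.join(directory, orig_name))
        if not (stat.S_ISREG(exe_st.st_mode) and stat.S_ISREG(orig_st.st_mode)):
            continue
        if (exe_st.st_size == orig_st.st_size
                and int(exe_st.st_mtime) == int(orig_st.st_mtime)):
            pairs.append((exe_name, orig_name))
    return sorted(pairs)


def build_sample_directory():
    """Constructed sample: one companion pair, one lone EXE, and one
    NAME/NAME.EXE pair whose sizes differ (so it is not an infection)."""
    d = tempfile.mkdtemp(prefix="goldbug_sample_")
    stamp = 778_000_000  # constructed timestamp in August 1994

    def put(name, data):
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (stamp, stamp))

    put("PROGRAM", b"MZ" + b"\x00" * 1022)       # renamed original, 1024 bytes
    put("PROGRAM.EXE", b"MZ" + b"\x90" * 1022)   # companion: same size and date
    put("OTHER.EXE", b"MZ" + b"\x00" * 510)      # clean program with no sibling
    put("README", b"plain text, not a program")
    put("README.EXE", b"MZ" + b"\x00" * 254)     # sizes differ: not a pair
    return d


if __name__ == "__main__":
    sample = build_sample_directory()
    for companion, original in find_companion_pairs(sample):
        print(f"companion {companion} hides original {original}")
```

Run the scan only after a clean boot. While Goldbug is resident, the stealth routines described above redirect a deletion of the companion to the original file, so an attempt to clean up a flagged pair from an infected system destroys the program it was meant to save. Cleanup from a clean boot is the reverse of the infection: delete NAME.EXE, rename NAME back to NAME.EXE and clear the system attribute.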
Most viruses which hijack interrupt 13h are easily caught if
the computer is running Windows 3.1 with 32-bit disk access
enabled: in that case Windows reports an error during
startup if the virus has changed the disk interrupt vector.
Goldbug avoids this by releasing interrupt 13h when Windows
is started. The virus also restores the original main boot
record to its proper place. When Windows terminates, the
virus infects the main boot record again.
Goldbug has extensive retrovirus capabilities. It is able to
install itself despite the presence of programs like
VSAFE.COM or DISKMON.EXE, by tunneling past them.
If Goldbug is resident in memory, it prevents the execution of
EXE programs whose names have the letter 'A' as their second to
last character and some letter between 'N' and 'Z' as their last
character. Goldbug does this in order to detect a number of
anti-virus programs and prevent them from being executed. The
method is effective against, for example, the programs SCAN,
CLEAN, NETSCAN, CPAV, NAV and TBAV. Some innocent programs like
MAX.EXE and TERMINAT.EXE are stopped as well.
Goldbug also deletes the computer's CMOS information every time
the user tries to run any of these programs.
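The name filter above can be reproduced to check which tools a resident Goldbug would refuse to run before trying them on a suspect machine, where a refused attempt also costs the CMOS settings. The Python below is added here as an example and is not from the original analysis; it assumes the rule applies to the base name of .EXE files and that DOS compares names in upper case. The list of tool names it triages is constructed for the example.

```python
import os


def blocked_by_goldbug(filename):
    """True if a resident Goldbug would refuse to run this program:
    the base name's second-to-last letter is 'A' and its last letter
    lies between 'N' and 'Z' inclusive."""
    base, ext = os.path.splitext(os.path.basename(filename))
    base = base.upper()
    # Assumption: the rule is applied to EXE files only, as the text
    # describes it, and names are compared in upper case as DOS stores them.
    if ext.upper() != ".EXE" or len(base) < 2:
        return False
    return base[-2] == "A" and "N" <= base[-1] <= "Z"


def triage_tools(filenames):
    """Split tool names into (blocked, allowed) lists, preserving order."""
    blocked = [f for f in filenames if blocked_by_goldbug(f)]
    allowed = [f for f in filenames if not blocked_by_goldbug(f)]
    return blocked, allowed


def renamed_to_evade(filename):
    """A renamed copy that no longer matches the filter: appending a digit
    moves the 'A' away from the second-to-last position."""
    base, ext = os.path.splitext(filename)
    return f"{base}1{ext}"


# Constructed list: the names from the description plus a few other DOS tools.
SAMPLE_TOOLS = ["SCAN.EXE", "CLEAN.EXE", "NETSCAN.EXE", "CPAV.EXE", "NAV.EXE",
                "TBAV.EXE", "MAX.EXE", "TERMINAT.EXE",
                "FDISK.EXE", "EDIT.EXE", "F-PROT.EXE"]

if __name__ == "__main__":
    blocked, allowed = triage_tools(SAMPLE_TOOLS)
    print("blocked:", blocked)
    print("allowed:", allowed)
    for name in blocked:
        print(f"{name} -> {renamed_to_evade(name)}")
```

Renaming a blocked scanner before running it sidesteps the filter, but it does not remove the tunnelling, stealth and CHKLIST deletion described elsewhere on this page, so the scanner should still be run from a clean boot rather than on a system with Goldbug resident.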
When the virus spreads to a directory, it deletes all CHKLIST
files the directory may contain, thus bypassing CPAV's and MSAV's
checksum protection.
Goldbug checks whether the system contains a modem. If the
modem receives a call, the virus makes the modem wait for
the seventh ring and then answer. This is the only
activation routine the virus contains.
[Analysis: Mikko Hypponen, F-Secure]