Goldbug is a complex virus, made in USA. It managed to slip into
international circulation in summer 1994. Goldbug was, apparently
on purpose, attached to a pirated beta version of the game DOOM
II. This archive was circulated in BBSs worldwide. Goldbug
infects the main boot records of hard disks and diskette boot
sectors. It also spreads by using the companion virus technique
and contains retrovirus features. Goldbug uses an astonishing
variety of tricks to make detection and surveillance difficult.
When a file infected by Goldbug is executed, the virus
copies its own code to the hard disk's main boot record. If
the computer has available HMA memory, the virus goes
resident in memory. If the computer in question is not at
least a 286, the virus does not do anything. The same thing
happens if the system does not use HMA memory.
When the virus infects the hard disk, it overwrites the
partition information in the main boot record. Due to
Goldbug's stealth capabilities, this cannot be seen as long
as the virus is resident in memory. However, if the computer
is booted from a clean diskette, the system cannot find the
hard disk. The effect is similar to that caused by, for
example, the Monkey virus, and prevents the virus from being
removed with the FDISK /MBR command.
The virus goes resident to memory the next time the computer
is started, storing its own code in color video memory. At
this stage, Goldbug restores the original main boot record.
The virus cannot keep its code in color video memory
indefinitely, because that would prevent graphical programs
from functioning. However, at this stage it cannot move its
code to HMA memory either, since the system's memory
management programs have not been loaded from CONFIG.SYS
yet. The virus hooks the video interrupt 10h and waits for
HMA to become available.
If HMA memory is not installed, the virus removes itself
from memory once the computer switches to graphical mode.
Otherwise the virus copies its code on top of HMA memory as
soon as it gets the chance. Once in HMA, the virus writes
its own code back to the main boot record.
Goldbug infects the boot sectors 1.2 MB diskettes like a
normal boot sector virus. All non-write protected diskettes
used in a Goldbug-infected computer are infected. In
addition to the diskette boot sector, Goldbug uses two
sectors on the diskette to store its code _ however, unlike
most other boot sector viruses, Goldbug checks that these
sectors are empty before infecting the diskette.
Goldbug uses quite an unusual method for infecting
diskettes. If a computer is booted from an infected
diskette, the virus stays resident in video memory until it
gains access to HMA memory. When HMA memory becomes
available, the virus infects the hard disk. At the same
time, it removes its own code from the diskette, and won't
infect it again while it stays in the drive. This makes it
difficult to trace an infection's source, because the
diskette the virus originally arrived on may not be infected
When the virus is active, it infects executed EXE programs.
When such a program is executed, the virus creates a
companion file for it in the same directory and removes the
original file's file extension. For example, a file called
PROGRAM.EXE will be renamed PROGRAM. The companion file is
then given the name of the original file. The virus takes
care to create a companion file with the same size, creation
date and attributes as in the original file. The original
file is given the system attribute, so that it cannot be
seen in a directory listing.
The virus does not create companion files on diskettes.
However, it will infect files over a network, as long as the
user has the right to create and rename files in the
Goldbug employs a variable encryption routine. The virus can
use 512 different decryption routines, each of which it can
modify in 128 different ways. Nevertheless, the viruse's
encryption technique cannot be called truly polymorphic. The
viruse's encryption routines are protected, which makes it
difficult to decrypt the virus for analysis.
Goldbug is a stealth virus. When the main boot record of an
infected hard disk or the boot sector of an infected
diskette is examined, the virus shows the user a copy of the
original object. When an infected EXE file is executed, the
virus reroutes the operation to the original file. If some
program tries to delete a companion file the virus has
created, the virus causes the original file to be deleted
Most of the viruses which hijack the interrupt int 13h are
easily caught if the computer is running Windows 3.1 with
the 32-bit disk access on. In such a case, Windows reports
an error situation during startup if the virus has changed
the disk interrupt address. Goldbug bypasses this problem by
letting go of the interrupt 13 when Windows is started. The
virus also restores the main boot record back to its
original place. When Windows terminates, the virus infects
the main boot record again.
Goldbug has extensive retrovirus capabilities. It is able to
install itself despite the presence of programs like
VSAFE.COM or DISKMON.EXE, by tunneling past them.
If Goldbug is resident in memory, it prevents the execution of
EXE programs whose names have the letter 'A' as their second to
last character, and some letter between 'N' and 'Z' as their last
character. GoldBug does this in order to detect a number of
anti-virus programs and to prevent them from being executed. The
method is effective with, for example, the programs SCAN, CLEAN,
NETSCAN, CPAV, NAV and TBAV. Some innocent programs like MAX.EXE
and TERMINAT.EXE are stopped as well.
GoldBug also deletes the computer's CMOS information every time
the user tries to run any of these programs.
When the virus spreads to a directory, it deletes all CHKLIST
files the directory may contain, thus bypassing CPAV's and MSAV's
Goldbug checks whether the system contains a modem. If the
modem receives a call, the virus causes the modem to wait
for the seventh ring and answering. This is the only
activation routine the virus contains.
[Analysis: Mikko Hypponen, F-Secure]