💾 Archived View for spam.works › mirrors › textfiles › virus › gold-bug.txt captured on 2023-11-04 at 16:01:29.

View Raw

More Information

⬅️ Previous capture (2023-06-16)

-=-=-=-=-=-=-

Virus Name:  GOLD-BUG
Aliases:     AU, GOLD, GOLD-FEVER, GOLD-MINE
V Status:    New, Research
Discovery:   January, 1994
Symptoms:    CMOS checksum failure; Creates files with no extension; Modem
	     answers on 7th ring; BSC but it is hidden; Most virus scanners
	     fail to run or are Deleted; CHKLIST.??? files deleted.
Origin:      USA
Eff Length:  1,024 Bytes
Type Code:   SBERaRbReX - Spawning Color Video Resident and Extended HMA
	     Memory Resident Boot-Sector and Master-Sector Infector
Detection Method:  None
Removal Instructions:  See Below

General Comments:

	GOLD-BUG is a memory-resident multipartite polymorphic stealthing
	boot-sector spawning anti-antivirus virus that works with DOS 5 and
	DOS 6 in the HIMEM.SYS memory.  When an .EXE program infected with the
	GOLD-BUG virus is run, it determines if it is running on an 80186 or
	better, if not it will terminate and not install.  If it is on an
	80186 or better it will copy itself to the partition table of the hard
	disk and remain resident in memory in the HMA (High Memory Area) only
	if the HMA is available, ie. DOS=HIGH in the CONFIG.SYS file else no
	infection will occur.  The old partition table is moved to sector 14
	and the remainder of the virus code is copied to sector 13.  The virus
	then executes the spawned associated file if present.  INT 13 and
	INT 2F are hooked into at this time but not INT 21.  The spawning
	feature of this virus is not active now.

	When the computer is rebooted, the virus goes memory resident in the
	color video memory.  Also at this time the GOLD-BUG virus removes
	itself from the partition table and restores the old one back.  Unlike
	other boot-sector infectors, it does not use the top of memory to
	store the code.  CHKDSK does not show a decrease in available memory.
	At this time it only hooks INT 10 and monitors when the HMA becomes
	available.  Once DOS moves into the HMA, then GOLD-BUG moves into the
	HMA at address FFFF:FB00 to FFFF:FFFF.  If the HMA never becomes
	available, ie. DOS loaded LOW or the F5 key hit in DOS 6 to bypass the
	CONFIG.SYS, then the virus clears itself from the system memory when
	the computer changes into graphics mode.  If it moves to the HMA, it
	hooks INT 13, INT 21 and INT 2F and then rewrites itself back to the
	partition table.  The GOLD-BUG virus also has some code that stays
	resident in the interrupt vector table to always make the HMA
	available to the virus.  The full features of the virus are now
	active.

	The GOLD-BUG virus will infect the boot sector of 1.2M diskettes.
	The virus copies itself to the boot sector of the diskette and moves
	a copy of the boot sector to sector 28 and the remainder of the code
	is copied to sector 27.  These are the last 2 sectors of the 1.2M disk
	root directory.  If there are file entries on sector 27 or 28 it will
	not overwrite them with the virus code.  It will infect 1.2M disks in
	drive A: or B:  If a clean boot disk is booted from drive A: and you
	try to access C: you will get an invalid drive specification.

	The boot-sector infection is somewhat unique.  If the computer is
	booted with a disk that contains the GOLD-BUG virus, it will remain in
	video memory until the HMA is available and then infect the hard disk.
	Also at this time, it will remove itself from the 1.2M disk.  The
	virus will never infect this disk again.  It makes tracking where you
	got the virus from difficult in that your original infected disk is
	not infected anymore.

	If an .EXE file less than 64K and greater then 1.5K is executed,
	GOLD-BUG will randomly decide to spawn a copy of it.  The .EXE file is
	renamed to the same file name with no extension, ie. CHKDSK.EXE
	becomes CHKDSK.  The original file attributes are then changed to
	SYSTEM.  An .EXE file with the same name is created.  This .EXE file
	has the same length, file date and attributes as the original .EXE
	file.  This spawning process will not make a copy on a diskette
	because it might be write protected and be detected; but it will make
	a spawn .EXE file on a network drive.  When a spawned file is created,
	CHKLIST.??? of the current directory is also deleted.  The .EXE file
	that is created is actually a .COM file; it has no .EXE header.

	The GOLD-BUG virus is very specific as to what type of .EXE files it
	will spawn copies.  It will not spawn any Windows .EXE files or any
	other .EXE files the use the new extended .EXE header except those
	that use the PKLITE extended .EXE header.  This way all Windows
	programs will continue to run and the virus will still be undetected.

	The GOLD-BUG virus is also Polymorphic.  Each .EXE file it creates
	only has 2 bytes that remain constant.  It can mutate into 128
	different decription patterns.  It uses a double decription technique
	that involves INT 3 that makes it very difficult to decript using a
	debugger.  The assembly code allowed for 512 different front-end
	decripters.  Each of these can mutate 128 different ways.

	The GOLD-BUG virus incorporates an extensive steathing technique.  Any
	time the hard disk partition table or boot sector of an infected
	diskette is examined, the copy of the partition table or boot sector
	is returned.  If a spawned .EXE file is opened to be read or executed;
	the GOLD-BUG virus will redirect to the original file.  Windows 3.1
	will detect a resident boot-sector virus if the "Use 32 Bit Access" is
	enabled on the "Virtual Memory" option.  GOLD-BUG will disconnect
	itself from the INT 13 chain when Windows installs and reconnect when
	Windows uninstalles to avoid being detected.  When Windows starts, the
	GOLD-BUG virus will copy the original hard disk partition table back.
	When Windows ends, the GOLD-BUG virus will reinfect the partition
	table.

	The GOLD-BUG virus also has an extensive anti-antivirus routine.  It
	can install itself with programs like VSAFE.COM and DISKMON.EXE
	resident that monitor changes to the computer that are common for
	viruses.  It writes to the disk using the original BIOS INT 13 and not
	the INT 13 chain that these types of programs have hooked into.  It
	hooks into the bottom of the interrupt chain rather than changing and
	hooking interrupts; very similar to the tunneling technique.  If the
	GOLD-BUG virus is resident in memory, any attempts to run most virus
	scanners will be aborted.  GOLD-BUG stops any large .EXE file
	(greater than 64k) with the last two letters of "AN" to "AZ".  It will
	stop SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE, MSAV.EXE, TNTAV.EXE,
	etc., etc.  The SCAN program will either be deleted or an execution
	error will return.  Also, GOLD-BUG will cause a CMOS checksum failure
	to happen next time the system boots.  GOLD-BUG also erases
	"CHKLIST.???" created by CPAV.EXE and MSAV.EXE.  Programs that do an
	internal checksum on themselves will not detect any changes.  The
	Thunder Byte Antivirus programs contain a partition table program that
	claims it can detect all partition table viruses.  GOLD-BUG rides
	right through the ThunderByte partition virus checker.

	The GOLD-BUG virus detects a modem.  If you received an incoming call
	on the modem line, GOLD-BUG will output a string that will set the
	modem to answer on the seventh ring.

	If a program tries to erase the infected .EXE file, the original
	program and not the infected .EXE file is erased.

	The text strings "AU", "1O7=0SLMTA", and "CHKLIST????" appear in the
	decripted code.  The virus gets it name from "AU", the chemical
	element "GOLD".  The text string "CHKLIST????" is actually executable
	code.

	The GOLD-BUG virus has two companion viruses that it works with.  The
	DA'BOYS virus is also a boot-sector infector.  It is possible to have
	a diskette with two boot-sector viruses.  GOLD-BUG hides the presence
	of the DA'BOYS virus from the Windows 3.1 startup routine.  GOLD-BUG
	removes the DA'BOYS virus from the INT 13 chain at the start of
	Windows and restores it when Windows ends.  The GOLD-BUG virus works
	with the XYZ virus; it reserves the space FFFF:F900 to FFFF:FAFF in
	the HMA for the XYZ virus so it can load as well.

	To remove the GOLD-BUG virus, change DOS=HIGH to DOS=LOW in the
	CONFIG.SYS, then reboot.  Once the system comes up again, reboot from
	a clean boot disk.  The Virus has now removed itself from the
	partition table and memory.  With the ATTRIB command check for files
	with the SYSTEM bit set that don't have any extension.  Delete the
	.EXE file associated with the SYSTEM file.  Using ATTRIB remove the
	SYSTEM attribute.  Rename the file with no extension to an .EXE file.
	Format each diskette or run SYS to remove the virus from the boot
	sector of each 1.2M disk.  Any spawned .EXE files copied to diskette
	need to be deleted.

	Several variations of this virus can exist.  The assembly code allowed
	for 14 features to be turned on or off:  Delete Scanners, Check for
	8088, Infect at Random, Deflect Delete, CMOS Bomb, File Reading
	Stealth, Same File Date, Double Decription, Execute Spawned, Modem
	Code, Anti-Antivirus, Polymorphic, Multipartite and 720K or 1.2M
	Diskette Infection.  Some of these features can be disabled and more
	code added to change the characteristics of this virus.