Malware type: File Infector

Aliases: Goldbug (Gen) (Symantec), GuldBug-d (Sophos), PAK:Com2Exe (Kaspersky), Vgen/2515.0 (Avira), GoldBug.A (F-Prot)

In the wild: No

Overall risk rating:

Description created: Mar. 9, 2000 1:45:50 PM GMT -0800

Size of malware: 1,024 Bytes

Payload 1: Deletes Files

Trigger date 1: Any Day

Payload 2: Stops some running programs

Trigger date 2: Any Day

Interrupt Vectors Hooked: INT 21h, INT 13h

Infection Process: GOLD_BUG is a memory-resident, multipartite, polymorphic, stealthing, boot-sector-spawning anti-antivirus virus that works with DOS 5 and DOS 6 in the HIMEM.SYS memory. When an infected EXE program is run, the virus first checks whether it is running on an 80186 or better; if not, it terminates without installing. If it is, it copies itself to the partition table of the hard disk and remains resident in the HMA, but only if the HMA is available (that is, DOS=HIGH is set in CONFIG.SYS); otherwise no infection occurs. The old partition table is moved to sector 14 and the remainder of the virus code is copied to sector 13. The virus then executes the spawned associated file, if present. INT 13 and INT 2F are hooked at this time, but not INT 21. The spawning feature is not active at this point.

Damage: Has an extensive anti-antivirus routine. It writes to the disk using the original BIOS INT 13 rather than the INT 13 chain that anti-virus programs have hooked into, and it hooks into the bottom of the interrupt chain rather than changing and hooking interrupts directly. If the virus is resident in memory, any attempt to run most virus scanners is aborted. GOLD_BUG stops any large EXE file (greater than 64 KB) whose name ends in two letters in the range AN to AZ; this covers SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE, MSAV.EXE, TNTAV.EXE, and so on. The SCAN program is either deleted or returns an execution error. The virus also causes a CMOS checksum failure the next time the system boots. GOLD_BUG additionally erases the CHKLIST.??? files created by CPAV.EXE and MSAV.EXE. Programs that perform an internal checksum on themselves will not detect any changes.

Note: The virus is also polymorphic. Each EXE file it creates has only 2 bytes that remain constant. It can mutate into 128 different decryption patterns, using a double-decryption technique that involves INT 3. The assembly code allows for 512 different front-end decryptors, each of which can mutate in 128 different ways.
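The relocation described under Infection Process (original partition table parked in sector 14, virus body in sector 13) leaves a forensic trace: a second sector in track 0 that still looks like an MBR. The following is an added example, not code from the original description or any vendor, that scans a raw track-0 image for such a stashed partition table; it assumes 512-byte sectors, 1-based CHS numbering (sector 1 = LBA 0), a 63-sector track, and uses a constructed sample image rather than a real infected disk.

```python
import struct

SECTOR = 512  # assumed sector size; CHS sector N lives at LBA N-1
ENTRY = '<B3xB3xII'  # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, size

def partition_entries(sector: bytes):
    """Parse the four 16-byte partition entries at offset 0x1BE of a sector."""
    return [struct.unpack_from(ENTRY, sector, 0x1BE + 16 * i) for i in range(4)]

def looks_like_mbr(sector: bytes) -> bool:
    """True if the sector carries the 0x55AA boot signature and at least one
    sane partition entry (known boot flag, non-empty type, non-zero extent)."""
    if len(sector) != SECTOR or sector[510:512] != b'\x55\xAA':
        return False
    return any(ptype != 0 and boot in (0x00, 0x80) and start > 0 and size > 0
               for boot, ptype, start, size in partition_entries(sector))

def find_relocated_mbr(image: bytes, track_sectors: int = 63):
    """Return 1-based sector numbers in track 0, other than sector 1, whose
    contents look like a partition table. Sectors 2..63 of track 0 are unused
    on a classic DOS disk, so a copy of the original MBR there (GOLD_BUG parks
    it in sector 14) is a strong indicator of a boot-sector infector."""
    hits = []
    for lba in range(1, min(track_sectors, len(image) // SECTOR)):
        if looks_like_mbr(image[lba * SECTOR:(lba + 1) * SECTOR]):
            hits.append(lba + 1)  # convert LBA back to CHS sector number
    return hits

def build_mbr(first_lba: int = 63, size: int = 204800) -> bytes:
    """Constructed MBR with one active FAT16 partition (type 0x06)."""
    sec = bytearray(SECTOR)
    struct.pack_into(ENTRY, sec, 0x1BE, 0x80, 0x06, first_lba, size)
    sec[510:512] = b'\x55\xAA'
    return bytes(sec)

def sample_track0(infected: bool) -> bytes:
    """Constructed 63-sector track 0. The infected variant mimics the layout
    described above: sector 1 stays bootable (it keeps the table), a copy of
    the original MBR sits in sector 14, and opaque code fills sector 13."""
    track = bytearray(SECTOR * 63)
    original = build_mbr()
    track[0:SECTOR] = original
    if infected:
        track[12 * SECTOR:13 * SECTOR] = bytes([0x90]) * SECTOR  # stand-in for virus body
        track[13 * SECTOR:14 * SECTOR] = original                # relocated partition table
    return bytes(track)
```

On a real disk image, pass the first 63 sectors (e.g. the first 32,256 bytes of the device) to `find_relocated_mbr`; a clean layout returns an empty list, while the sample infected layout returns `[14]`.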