Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Goldbug

Goldbug is a multipartite, stealth, polymorphic EXE infector that also uses a satellite (companion) file. It becomes active only on processors above the 80186 running DOS 5.0 or later with an HMA (high memory area) available in the system. When these requirements are met and an infected EXE file is executed, the virus infects the hard drive's MBR. It takes two further sectors on side 0 and stores the rest of its body and the original MBR contents there. If a satellite file exists, the virus then runs it. Once installed this way, the virus does not infect files.

On every subsequent boot the virus loads itself into video memory, disinfects the MBR, hooks INT 10h and waits for the HMA to be set up. Once the HMA is accessible, the virus moves to the top of the HMA, hooks INT 13h, INT 21h and INT 2Fh, and reinfects the MBR. If no HMA is present, the virus is wiped from memory as soon as the display switches from text to graphics mode, because its copy in video memory is overwritten.

When the system is booted from an infected diskette, the virus removes itself from that diskette's boot sector and does not reinfect it until the diskette in the drive is changed. The virus infects diskette boot sectors: the original boot sector is stored in the last sector of the root directory and the rest of the virus body in the sector before it. Unlike many other viruses, Goldbug checks that the sectors it intends to use are empty. After booting from a clean system diskette on a computer whose MBR is infected, drive C: cannot be accessed.

File infection works by creating a new file containing the virus under the name of the attacked file. The original file is renamed to the same name without an extension and given the system attribute. This method is used for files on a local hard disk or a network drive; on diskettes only the boot sector is infected.
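The diskette layout described above (original boot sector in the last root-directory sector, virus body in the one before it, both required to be empty beforehand) can be checked on a FAT12 image by locating the root directory from the BIOS Parameter Block. The following is an added example, not Eset's code and not the virus: the 1.44 MB image is constructed in memory, the "stashed boot sector" heuristic (jump opcode at offset 0 plus the 55 AA signature at offset 510) is an assumption about what a stored boot sector looks like, and the simulated layout only copies the boot sector and marks the neighbouring sector non-empty, without writing any virus code.

```python
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<HBHBHHBH"   # bytes/sector, sectors/cluster, reserved sectors, FATs,
                           # root entries, total sectors, media descriptor, sectors/FAT


def make_fat12_image():
    """Build a blank 1.44 MB FAT12 diskette image (constructed sample, not a real disk).
    Only the boot sector is filled in; everything else is zeroed."""
    image = bytearray(2880 * SECTOR_SIZE)
    image[0:3] = b"\xEB\x3C\x90"            # jump to boot code, as on real DOS diskettes
    image[3:11] = b"MSDOS5.0"               # OEM name
    struct.pack_into(BPB_FORMAT, image, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    image[510:512] = b"\x55\xAA"            # boot signature
    return image


def root_directory_sectors(image):
    """Return (first, last) logical sector numbers of the root directory, from the BPB."""
    bps, _spc, reserved, nfats, root_entries, _total, _media, spf = \
        struct.unpack_from(BPB_FORMAT, image, 11)
    first = reserved + nfats * spf
    count = (root_entries * 32 + bps - 1) // bps   # 32 bytes per directory entry
    return first, first + count - 1


def sector(image, n):
    return bytes(image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE])


def looks_like_boot_sector(data):
    """Heuristic (assumption): a stored boot sector starts with a jump opcode and ends
    with 55 AA; a genuine directory sector holds 32-byte entries and does neither."""
    return data[0] in (0xEB, 0xE9) and data[510:512] == b"\x55\xAA"


def tail_sectors_empty(image):
    """Goldbug only uses the last two root-directory sectors if they are empty."""
    _, last = root_directory_sectors(image)
    return all(b == 0 for b in sector(image, last - 1) + sector(image, last))


def find_stashed_boot_sector(image):
    """Forensic check: is a copy of a boot sector sitting in the last root-directory sector?"""
    _, last = root_directory_sectors(image)
    return looks_like_boot_sector(sector(image, last))


def simulate_goldbug_layout(image):
    """Reproduce only the sector placement on a copy of the image: the original boot
    sector goes to the last root-directory sector and the sector before it is marked
    non-empty with a placeholder. No virus code is written."""
    img = bytearray(image)
    _, last = root_directory_sectors(img)
    img[last * SECTOR_SIZE:(last + 1) * SECTOR_SIZE] = sector(image, 0)
    body = (last - 1) * SECTOR_SIZE
    img[body:body + 11] = b"PLACEHOLDER"   # stands in for the rest of the virus body
    return img


if __name__ == "__main__":
    clean = make_fat12_image()
    print("root directory sectors:", root_directory_sectors(clean))
    print("clean image eligible (tail empty):", tail_sectors_empty(clean))
    marked = simulate_goldbug_layout(clean)
    print("stashed boot sector found:", find_stashed_boot_sector(marked))
```

On a standard 1.44 MB diskette the root directory spans sectors 19 to 32, so the check reads sectors 31 and 32. A hit only shows that a boot-sector-shaped block was written into directory space; confirming which virus put it there still needs the boot sector itself.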
The virus infects EXE files larger than 1.5 KB and smaller than 64 KB. Any CHKLIST.* file in the current directory is deleted. Windows EXE files are not infected. Its stealth routines hide the changes to the boot sector and MBR, and also hide the redirection of access to infected files. Windows does not trouble the virus: when Windows starts, the virus restores the MBR and unhooks itself from the INT 13h chain; after Windows exits, the MBR is reinfected. Some anti-virus programs are prevented from running or are deleted, and on the next restart a CMOS checksum error is reported. Attempting to delete an infected EXE file deletes the original (renamed) file, not the one containing the virus. If a modem is present, the virus sends the string "ATMLS0=701" to its port, which makes the modem auto-answer on the seventh ring. Many variants exist because the virus's source code was published and is easily modified.
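The file-selection rules (EXE, between 1.5 KB and 64 KB, not a Windows executable) and the companion layout (X.EXE beside an extensionless X carrying the system attribute) give a scanner two cheap checks. The following is an added example, not Eset's code: the directory listing and file images are constructed, 1 KB is taken as 1024 bytes, the MZ signature test and the detection of Windows executables through the e_lfanew pointer (NE, PE, LE, LX headers) are assumptions about how "EXE files for Windows" are told apart, and the attribute names are illustrative.

```python
import struct

MIN_SIZE = 1536    # "more than 1.5 KB", taking 1 KB = 1024 bytes (assumption)
MAX_SIZE = 65536   # "less than 64 KB"


def is_windows_exe(data):
    """True if the MZ file carries an extended header (NE, PE, LE, LX) reachable
    through e_lfanew at offset 0x3C. Plain DOS EXEs place the relocation table
    before 0x40, in which case offset 0x3C is not a pointer at all."""
    if len(data) < 0x40:
        return False
    reloc_table = struct.unpack_from("<H", data, 0x18)[0]
    if reloc_table < 0x40:
        return False
    lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[lfanew:lfanew + 2] in (b"NE", b"PE", b"LE", b"LX")


def is_candidate_target(name, data):
    """Would a file with this name and content meet the selection rules above?"""
    if not name.upper().endswith(".EXE"):
        return False
    if not (MIN_SIZE < len(data) < MAX_SIZE):
        return False
    if data[:2] != b"MZ":                  # MZ signature check is an assumption
        return False
    return not is_windows_exe(data)


def find_companion_pairs(listing):
    """listing: {filename: set of attribute names}. Flag every X.EXE that has a
    sibling X without extension carrying the system attribute."""
    names = {n.upper(): attrs for n, attrs in listing.items()}
    suspicious = []
    for name in sorted(names):
        if not name.endswith(".EXE"):
            continue
        stem = name[:-4]
        if stem in names and "system" in names[stem]:
            suspicious.append(name)
    return suspicious


def make_mz(size, windows=False):
    """Constructed sample: a zero-filled file with a minimal MZ header, optionally with
    an NE extended header standing in for a Windows executable."""
    data = bytearray(size)
    data[:2] = b"MZ"
    if windows:
        struct.pack_into("<H", data, 0x18, 0x40)   # relocation table at 0x40 => e_lfanew valid
        struct.pack_into("<I", data, 0x3C, 0x80)
        data[0x80:0x82] = b"NE"
    else:
        struct.pack_into("<H", data, 0x18, 0x1C)   # classic DOS relocation table offset
    return bytes(data)


# Constructed directory listing: GAME.EXE already has a system-attributed companion.
SAMPLE_LISTING = {
    "GAME.EXE": set(),
    "GAME": {"system"},
    "EDIT.EXE": set(),
    "CHKLIST.MS": {"hidden", "readonly"},
}


if __name__ == "__main__":
    print("GAME.EXE eligible:", is_candidate_target("GAME.EXE", make_mz(20000)))
    print("WIN.EXE eligible:", is_candidate_target("WIN.EXE", make_mz(20000, windows=True)))
    print("companion pairs:", find_companion_pairs(SAMPLE_LISTING))
```

Because the stealth handler hides the redirection of file access while the virus is resident, the listing-based check is only meaningful when run from a clean boot; under an infected system the directory view itself cannot be trusted.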

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.