Virus Name: GOLD-BUG Aliases: AU, GOLD, GOLD-FEVER, GOLD-MINE V Status: New, Research Discovery: January, 1994 Symptoms: CMOS checksum failure; Creates files with no extension; Modem answers on 7th ring; BSC but it is hidden; Most virus scanners fail to run or are Deleted; CHKLIST.??? files deleted. Origin: USA Eff Length: 1,024 Bytes Type Code: SBERaRbReX - Spawning Color Video Resident and Extended HMA Memory Resident Boot-Sector and Master-Sector Infector Detection Method: None Removal Instructions: See Below General Comments: GOLD-BUG is a memory-resident multipartite polymorphic stealthing boot-sector spawning anti-antivirus virus that works with DOS 5 and DOS 6 in the HIMEM.SYS memory. When an .EXE program infected with the GOLD-BUG virus is run, it determines if it is running on an 80186 or better, if not it will terminate and not install. If it is on an 80186 or better it will copy itself to the partition table of the hard disk and remain resident in memory in the HMA (High Memory Area) only if the HMA is available, ie. DOS=HIGH in the CONFIG.SYS file else no infection will occur. The old partition table is moved to sector 14 and the remainder of the virus code is copied to sector 13. The virus then executes the spawned associated file if present. INT 13 and INT 2F are hooked into at this time but not INT 21. The spawning feature of this virus is not active now. When the computer is rebooted, the virus goes memory resident in the color video memory. Also at this time the GOLD-BUG virus removes itself from the partition table and restores the old one back. Unlike other boot-sector infectors, it does not use the top of memory to store the code. CHKDSK does not show a decrease in available memory. At this time it only hooks INT 10 and monitors when the HMA becomes available. Once DOS moves into the HMA, then GOLD-BUG moves into the HMA at address FFFF:FB00 to FFFF:FFFF. If the HMA never becomes available, ie. DOS loaded LOW or the F5 key hit in DOS 6 to bypass the CONFIG.SYS, then the virus clears itself from the system memory when the computer changes into graphics mode. If it moves to the HMA, it hooks INT 13, INT 21 and INT 2F and then rewrites itself back to the partition table. The GOLD-BUG virus also has some code that stays resident in the interrupt vector table to always make the HMA available to the virus. The full features of the virus are now active. The GOLD-BUG virus will infect the boot sector of 1.2M diskettes. The virus copies itself to the boot sector of the diskette and moves a copy of the boot sector to sector 28 and the remainder of the code is copied to sector 27. These are the last 2 sectors of the 1.2M disk root directory. If there are file entries on sector 27 or 28 it will not overwrite them with the virus code. It will infect 1.2M disks in drive A: or B: If a clean boot disk is booted from drive A: and you try to access C: you will get an invalid drive specification. The boot-sector infection is somewhat unique. If the computer is booted with a disk that contains the GOLD-BUG virus, it will remain in video memory until the HMA is available and then infect the hard disk. Also at this time, it will remove itself from the 1.2M disk. The virus will never infect this disk again. It makes tracking where you got the virus from difficult in that your original infected disk is not infected anymore. If an .EXE file less than 64K and greater then 1.5K is executed, GOLD-BUG will randomly decide to spawn a copy of it. The .EXE file is renamed to the same file name with no extension, ie. CHKDSK.EXE becomes CHKDSK. The original file attributes are then changed to SYSTEM. An .EXE file with the same name is created. This .EXE file has the same length, file date and attributes as the original .EXE file. This spawning process will not make a copy on a diskette because it might be write protected and be detected; but it will make a spawn .EXE file on a network drive. When a spawned file is created, CHKLIST.??? of the current directory is also deleted. The .EXE file that is created is actually a .COM file; it has no .EXE header. The GOLD-BUG virus is very specific as to what type of .EXE files it will spawn copies. It will not spawn any Windows .EXE files or any other .EXE files the use the new extended .EXE header except those that use the PKLITE extended .EXE header. This way all Windows programs will continue to run and the virus will still be undetected. The GOLD-BUG virus is also Polymorphic. Each .EXE file it creates only has 2 bytes that remain constant. It can mutate into 128 different decription patterns. It uses a double decription technique that involves INT 3 that makes it very difficult to decript using a debugger. The assembly code allowed for 512 different front-end decripters. Each of these can mutate 128 different ways. The GOLD-BUG virus incorporates an extensive steathing technique. Any time the hard disk partition table or boot sector of an infected diskette is examined, the copy of the partition table or boot sector is returned. If a spawned .EXE file is opened to be read or executed; the GOLD-BUG virus will redirect to the original file. Windows 3.1 will detect a resident boot-sector virus if the "Use 32 Bit Access" is enabled on the "Virtual Memory" option. GOLD-BUG will disconnect itself from the INT 13 chain when Windows installs and reconnect when Windows uninstalles to avoid being detected. When Windows starts, the GOLD-BUG virus will copy the original hard disk partition table back. When Windows ends, the GOLD-BUG virus will reinfect the partition table. The GOLD-BUG virus also has an extensive anti-antivirus routine. It can install itself with programs like VSAFE.COM and DISKMON.EXE resident that monitor changes to the computer that are common for viruses. It writes to the disk using the original BIOS INT 13 and not the INT 13 chain that these types of programs have hooked into. It hooks into the bottom of the interrupt chain rather than changing and hooking interrupts; very similar to the tunneling technique. If the GOLD-BUG virus is resident in memory, any attempts to run most virus scanners will be aborted. GOLD-BUG stops any large .EXE file (greater than 64k) with the last two letters of "AN" to "AZ". It will stop SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE, MSAV.EXE, TNTAV.EXE, etc., etc. The SCAN program will either be deleted or an execution error will return. Also, GOLD-BUG will cause a CMOS checksum failure to happen next time the system boots. GOLD-BUG also erases "CHKLIST.???" created by CPAV.EXE and MSAV.EXE. Programs that do an internal checksum on themselves will not detect any changes. The Thunder Byte Antivirus programs contain a partition table program that claims it can detect all partition table viruses. GOLD-BUG rides right through the ThunderByte partition virus checker. The GOLD-BUG virus detects a modem. If you received an incoming call on the modem line, GOLD-BUG will output a string that will set the modem to answer on the seventh ring. If a program tries to erase the infected .EXE file, the original program and not the infected .EXE file is erased. The text strings "AU", "1O7=0SLMTA", and "CHKLIST????" appear in the decripted code. The virus gets it name from "AU", the chemical element "GOLD". The text string "CHKLIST????" is actually executable code. The GOLD-BUG virus has two companion viruses that it works with. The DA'BOYS virus is also a boot-sector infector. It is possible to have a diskette with two boot-sector viruses. GOLD-BUG hides the presence of the DA'BOYS virus from the Windows 3.1 startup routine. GOLD-BUG removes the DA'BOYS virus from the INT 13 chain at the start of Windows and restores it when Windows ends. The GOLD-BUG virus works with the XYZ virus; it reserves the space FFFF:F900 to FFFF:FAFF in the HMA for the XYZ virus so it can load as well. To remove the GOLD-BUG virus, change DOS=HIGH to DOS=LOW in the CONFIG.SYS, then reboot. Once the system comes up again, reboot from a clean boot disk. The Virus has now removed itself from the partition table and memory. With the ATTRIB command check for files with the SYSTEM bit set that don't have any extension. Delete the .EXE file associated with the SYSTEM file. Using ATTRIB remove the SYSTEM attribute. Rename the file with no extension to an .EXE file. Format each diskette or run SYS to remove the virus from the boot sector of each 1.2M disk. Any spawned .EXE files copied to diskette need to be deleted. Several variations of this virus can exist. The assembly code allowed for 14 features to be turned on or off: Delete Scanners, Check for 8088, Infect at Random, Deflect Delete, CMOS Bomb, File Reading Stealth, Same File Date, Double Decription, Execute Spawned, Modem Code, Anti-Antivirus, Polymorphic, Multipartite and 720K or 1.2M Diskette Infection. Some of these features can be disabled and more code added to change the characteristics of this virus.