95/100: More clarification on what is wrong with DOOM ][...
Name: Accutron #1 @7455
Date: Sun, Oct 2, 1994 - 12:57:30 am
From: VetraCom -EFDS- (XXXXXXXX XXXXXXXXXX) [XXX-XXX-XXXX]


Goldbug-------

Goldbug is a complex virus, made in the USA. It managed to slip into
international circulation in summer 1994. Goldbug was, apparently on
purpose, attached to a beta version of the game DOOM (2?). This archive
was circulated in BBSs worldwide.

Goldbug infects the main boot records of hard disks and diskette boot
sectors. It also spreads by using the companion virus technique and
contains retrovirus features.  Goldbug uses an astonishing variety of
tricks to make detection and surveillance difficult.

When a file infected by Goldbug is executed, the virus copies its own
code to the hard disk's main boot record. If the computer has available
HMA memory, the virus goes resident in memory. If the computer in question
is not at least a 286, the virus does not do anything. The same thing
happens if the system does not use HMA memory.

When the virus infects the hard disk, it overwrites the partition
information in the main boot record. Due to Goldbug's stealth capabilities,
this cannot be seen as long as the virus is resident in memory. However, if
the computer is booted from a clean diskette, the system cannot find the
hard disk. The effect is similar to that caused by, for example, the Monkey
virus, and prevents the virus from being removed with the FDISK/MBR command.

The virus goes resident to memory the next time the computer is started,
storing its own code in color video memory. At this stage, Goldbug restores
the original main boot record.  The virus cannot keep its code in color
video memory indefinitely, because that would prevent graphical programs
from functioning. However, at this stage it cannot move its code to HMA
memory either, since the system's memory management programs have not been
loaded from CONFIG.SYS yet. The virus hooks the video interrupt 10h and
waits for HMA to become available.

If HMA memory is not installed, the virus removes itself from memory once
the computer switches to graphical mode.  Otherwise the virus copies its
code on top of HMA memory as soon as it gets the chance. Once in HMA, the
virus writes its own code back to the main boot record.

Goldbug infects the boot sectors of 1.2 MB diskettes like a normal boot sector
virus. All non-write protected diskettes used in a Goldbug-infected computer
are infected. In addition to the diskette boot sector, Goldbug uses two
sectors on the diskette to store its code - however, unlike most other boot
sector viruses, Goldbug checks that these sectors are empty before infecting
the diskette.

Goldbug uses quite an unusual method for infecting diskettes. If a computer
is booted from an infected diskette, the virus stays resident in video
memory until it gains access to HMA memory. When HMA memory becomes
available, the virus infects the hard disk. At the same time, it removes
its own code from the diskette, and won't infect it again while it stays in
the drive. This makes it difficult to trace an infection's source, because
the diskette the virus originally arrived on may not be infected any longer.

When the virus is active, it infects executed EXE programs.  When such a
program is executed, the virus creates a companion file for it in the same
directory and removes the original file's file extension. For example, a
file called PROGRAM.EXE will be renamed PROGRAM. The companion file is then
given the name of the original file. The virus takes care to create a
companion file with the same size, creation date and attributes as in the
original file. The original file is given the system attribute, so that it
cannot be seen in the directory listing.

The virus does not create companion files on diskettes.  However, it will
infect files over a network, as long as the user has the right to create
and rename files in the network.

Goldbug employs a variable encryption routine. The virus can use 512
different decryption routines, each of which it can modify in 128 different
ways. Nevertheless, the virus's encryption technique cannot be called
truly polymorphic. The virus's encryption routines are protected, which
makes it difficult to decrypt the virus for analysis.

Goldbug is a stealth virus. When the main boot record of an infected hard
disk or the boot sector of an infected diskette is examined, the virus
shows the user a copy of the original object. When an infected EXE file is
executed, the virus reroutes the operation to the original file. If some
program tries to delete a companion file the virus has created, the virus
causes the original file to be deleted instead.

Most of the viruses which hijack the interrupt int 13h are easily caught
if the computer is running Windows 3.1 with the 32-bit disk access on. In
such a case, Windows reports an error situation during startup if the virus
has changed the disk interrupt address. Goldbug bypasses this problem by
letting go of the interrupt 13 when Windows is started. The virus also
restores the main boot record back to its original place. When Windows
terminates, the virus infects the main boot record again.

Goldbug has extensive retrovirus capabilities. It is able to install itself
despite the presence of programs like VSAFE.COM or DISKMON.EXE, by
tunneling past them. If Goldbug is resident in memory, it prevents the
execution of the most common anti-virus programs. If a file's name ends
with the letters "AN" or "AV", the virus prevents it from being executed.
Among such files are, for instance, SCAN, CLEAN, NAV, CPAV, MSAV, TBAV,
TBSCAN, TNTAV etc. If the user tries to execute such a program, Goldbug
causes an execution error and a checksum error in CMOS.  When the virus
spreads to a directory, it deletes all CHKLIST files that the directory may
contain, thus bypassing CPAV's and MSAV's checksum protection.

Goldbug checks whether the system contains a modem. If the modem receives
a call, the virus causes the modem to wait for the seventh ring and then
answer. This is the only activation routine the virus contains.
F-PROT Professional is able to detect the Goldbug virus in memory, files
and boot sectors.  (ditto with the shareware version-see below)
-frisk
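Two of the observable side effects in the description above (the partition table being unreadable after a clean boot, and a hidden extensionless "original" sitting beside a same-size, same-date EXE companion) lend themselves to simple offline checks. The following is an added example written for this page, not code from F-PROT or from frisk's description: it parses a 512-byte master boot record and validates its partition table, and it scans a directory listing for companion-style pairs. The MBR layout constants (partition table at offset 0x1BE, 0x55AA signature) are the standard PC layout; the sample MBR images and the directory entries are constructed for the demo, and the zeroed partition table is only one way an overwritten table could look, not a reproduction of what Goldbug writes.

```python
import struct
from dataclasses import dataclass
from datetime import datetime

# Standard PC MBR layout (not specific to any virus).
MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid boot sector


def check_mbr(sector: bytes) -> list:
    """Return a list of findings for a 512-byte master boot record.

    An empty list means the signature is present and the partition
    table contains at least one well-formed entry, which is what a
    clean-boot check of a healthy disk should produce."""
    findings = []
    if len(sector) != MBR_SIZE:
        return [f"wrong sector size: {len(sector)}"]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 55AA boot signature")
    table = sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64]
    used = 0
    for i in range(4):
        entry = table[i * 16:(i + 1) * 16]
        if not any(entry):
            continue                      # unused slot, all zeros
        used += 1
        status, ptype = entry[0], entry[4]
        lba_start, length = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):    # only "inactive" or "bootable" are valid
            findings.append(f"entry {i}: invalid status byte {status:#04x}")
        if ptype == 0 or lba_start == 0 or length == 0:
            findings.append(f"entry {i}: incomplete entry (type {ptype:#04x}, "
                            f"start {lba_start}, length {length})")
    if used == 0:
        findings.append("partition table is empty: no volume visible to a clean boot")
    return findings


def build_mbr(entries) -> bytes:
    """Construct a demo MBR image; entries are (status, type, lba_start, length)."""
    sector = bytearray(MBR_SIZE)
    sector[:3] = b"\xEB\x3C\x90"          # typical jump stub where boot code starts
    for i, (status, ptype, start, length) in enumerate(entries):
        off = PART_TABLE_OFFSET + i * 16
        sector[off] = status
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, start, length)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: one healthy disk, one whose table has been wiped.
CLEAN_MBR = build_mbr([(0x80, 0x06, 63, 1_000_000)])   # one bootable FAT16 volume
WIPED_MBR = build_mbr([])                                # no partition entries at all


@dataclass
class DirEntry:
    name: str            # 8.3 name as DOS lists it, e.g. "PROGRAM.EXE"
    size: int
    mtime: datetime
    attrs: frozenset     # DOS attribute letters: "A" archive, "S" system, "H" hidden


def find_companion_pairs(entries) -> list:
    """Flag an EXE whose extensionless namesake is a system file with the
    same size and timestamp, the pattern the companion technique leaves behind.
    Returns (companion_name, original_name) tuples."""
    by_name = {e.name.upper(): e for e in entries}
    suspects = []
    for e in entries:
        base, _, ext = e.name.upper().partition(".")
        if ext != "EXE":
            continue
        original = by_name.get(base)     # e.g. "PROGRAM" next to "PROGRAM.EXE"
        if original is None:
            continue
        if "S" in original.attrs and original.size == e.size and original.mtime == e.mtime:
            suspects.append((e.name, original.name))
    return suspects


# Constructed directory listing: one companion pair plus two harmless files.
_T = datetime(1994, 9, 30, 12, 0, 0)
SAMPLE_DIR = [
    DirEntry("PROGRAM.EXE", 120_000, _T, frozenset("A")),        # companion with copied size/date
    DirEntry("PROGRAM",     120_000, _T, frozenset("AS")),       # renamed original, system attribute
    DirEntry("README.TXT",    4_096, _T, frozenset("A")),
    DirEntry("CONFIG",        1_024, _T, frozenset("A")),        # extensionless but not a match
]

if __name__ == "__main__":
    print("clean MBR :", check_mbr(CLEAN_MBR) or "ok")
    print("wiped MBR :", check_mbr(WIPED_MBR))
    print("companions:", find_companion_pairs(SAMPLE_DIR))
```

Both checks only make sense against data read while the virus is not resident (a clean floppy boot, or a listing taken from another machine), since the description notes that both the boot record and the companion redirection are hidden by stealth while it is in memory.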

Subject: Re: (fwd) Harrell fired for viurs planting
Date: Tue, 27 Sep 1994 16:14:23 -0400 (EDT)

On Tue, 27 Sep 1994, Jamie Clark wrote:
> From: ddt@idcube.idsoftware.com (David Taylor)
> Subject: Harrell fired for viurs planting
> Date: Fri, 16 Sep 1994 18:32:02 +0000
>
>   Yes, Robert Harrell was one of the main designers of DOOM.
> However, we found him placing a virus, or a part of a virus,
> into the first DOOM game, and thus he was fired.
>   Robert is a very good programmer and we are not sure if we
> were able to remove all of the virus code(s) from DOOM.
>   It is most likely that any pirated versions of the game have
> the second part of his virus, thus giving DOOM ][ the illusion
> of a whole virus since the two halves are now one.
>   We think, but are not sure, that the second half is free from
> our version of DOOM][.  But we will not be fully sure until
> the last part of October, after the 10th that is.
>   Robert Harrell (aka Red Sonya), is very good at writing code(s).
> If there is any bad code in DOOM][, there will be patch(es) posted
> at once.
>   Please, enjoy DOOM ][ while we work on the next game Quake :)

Nathan Prugh             Clark Internet Services           Guardian@Clark.Net


    VectraCom  -= E F D S =-
    12.0 - 28.8kbps NetworX @ 7455  *  XXX-XXX-XXXX   NUV Enforced!!
    2.75 Gig - WWIV 4.23a  Sysop: AccuTron 1@7455
