Godoy Virus


 Virus Name:  Godoy   
 Aliases:     Godoy Dropper 
 V Status:    Rare 
 Discovered:  October, 1993 
 Symptoms:    .COM & .EXE growth; "Invalid Drive Specification" message; 
              Decrease in total system & available free memory; 
              Master Boot Record (Partition Table) altered 
 Origin:      Unknown, possibly China 
 Eff Length:  1,792 - 1,806 Bytes 
 Type Code:   PRhAX - Parasitic Resident .COM, .EXE, & MBR Infector 
 Detection Method:  IBMAV, F-Prot, AVTK, NAV, Sweep, ViruScan, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    AVTK/N, Sweep/N, NAV/N, NShld, IBMAV/N, Innoc, LProt 
 Removal Instructions:  Delete infected files & Replace MBR 
 
 General Comments: 
       The Godoy virus was submitted in October, 1993.  Its origin or 
       point of isolation is unknown.  Godoy is a memory resident infector 
       of the system hard disk master boot record (partition table sector) 
       as well as .COM and .EXE files, but not COMMAND.COM. 
 
       When the first Godoy infected program is executed, the Godoy virus 
       will infect the system hard disk's master boot record (the sector 
       containing the hard disk partition table).  The virus doesn't 
       become memory resident at this time, and does not infect other 
       files at this time. 
 
       The next time the user boots the system from the system hard disk, 
       the Godoy virus will become memory resident at the top of system 
       memory but below the 640K DOS boundary.  Total system and available 
       free memory, as indicated by the DOS CHKDSK program, will have 
       decreased by 4,096 bytes.  Interrupt 21 will be hooked by Godoy in 
       memory. 
 
       Once the Godoy virus is memory resident, it will infect .COM 
       and .EXE programs when they are executed.  Additionally, .EXE 
       programs are infected when opened for any reason.  Infected 
       .COM programs will have a file length increase of 1,792 bytes 
       with the virus being located at the beginning of the file.  Infected 
       .EXE programs will have a file length increase of 1,792 to 
       1,806 bytes with the virus being located at the end of the file. 
       In both cases, the file's date and time in the DOS disk directory 
       listing will not be altered.  The following text strings are 
       encrypted within the Godoy viral code: 
 
               "COMMAND.COM" 
               "Invalid Partition Table" 
               "Error Loading Operating System" 
               "Missing Operating System" 
               "Welcome!" 
               "Auto-Copy Deluxe R3.00" 
               "(C) Copyright 1991. Mr. YaQi. Changsha China" 
               "No one can Beyond me!" 
 
       Attempts to boot infected systems from a system diskette will 
       be successful; however, the user will not be able to access the 
       system hard disk.  The user will receive the following message 
       when attempting to read the system hard disk: 
 
               "Invalid Drive Specification" 
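
The file-growth and memory symptoms described above can be checked against a known-clean baseline. The following Python is an added example, not part of the original entry; the function names, the tuple layout and the sample directory listings are constructed for illustration.

```python
COM_GROWTH = 1792               # entry: infected .COM files grow by 1,792 bytes
EXE_GROWTH = range(1792, 1807)  # entry: infected .EXE files grow by 1,792-1,806 bytes
MEM_LOSS = 4096                 # entry: CHKDSK memory totals drop by 4,096 bytes


def godoy_suspects(baseline, current):
    """Names whose growth matches the entry; inputs are (name, size, date_time) tuples."""
    before = {name.upper(): (size, stamp) for name, size, stamp in baseline}
    hits = []
    for name, size, stamp in current:
        name = name.upper()
        if name not in before or name == "COMMAND.COM":
            continue  # new file, or the one file the entry says is not infected
        old_size, old_stamp = before[name]
        if stamp != old_stamp:
            continue  # the entry says directory date and time are not altered
        growth = size - old_size
        if name.endswith(".COM") and growth == COM_GROWTH:
            hits.append(name)
        elif name.endswith(".EXE") and growth in EXE_GROWTH:
            hits.append(name)
    return sorted(hits)


def memory_symptom(total_before, total_after):
    """True when total memory reported by CHKDSK fell by exactly 4,096 bytes."""
    return total_before - total_after == MEM_LOSS


# Constructed sample listings (assumed values, not taken from the entry).
BASELINE = [
    ("COMMAND.COM", 47845, "04-09-91 05:00"),
    ("EDIT.COM", 413, "04-09-91 05:00"),
    ("FORMAT.COM", 32911, "04-09-91 05:00"),
    ("XCOPY.EXE", 15804, "04-09-91 05:00"),
    ("MEM.EXE", 39818, "04-09-91 05:00"),
]
CURRENT = [
    ("COMMAND.COM", 47845, "04-09-91 05:00"),  # unchanged
    ("EDIT.COM", 2205, "04-09-91 05:00"),      # +1,792, same date/time
    ("FORMAT.COM", 34703, "11-02-93 10:15"),   # +1,792 but date/time changed
    ("XCOPY.EXE", 17604, "04-09-91 05:00"),    # +1,800, same date/time
    ("MEM.EXE", 41628, "04-09-91 05:00"),      # +1,810, outside the range
]

if __name__ == "__main__":
    print(godoy_suspects(BASELINE, CURRENT), memory_symptom(655360, 651264))
```

A match is only a lead for closer inspection: it shows that a file's growth is consistent with the figures in this entry, not that the file is infected.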
              
