GoldGeld Virus

Virus Name: GoldGeld Aliases: V Status: Rare Discovered: January, 1993 Symptoms: .COM & .EXE growth; decrease in total system & available free memory Origin: Germany Eff Length: 612 Bytes Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, ViruScan, Sweep, AVTK, IBMAV, NAVDX, VAlert, NAV, PCScan, ChAV, NShld, Sweep/N, AVTK/N, NProt, IBMAV/N, Innoc, NAV/N, LProt Removal Instructions: Delete infected files General Comments: The GoldGeld virus was submitted in January, 1993, and appears to be from Germany. GoldGeld is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. Some anti-viral programs may identify it as a PS-MPC based virus since it uses a similar encryption mechanism. When the first GoldGeld infected program is executed, the GoldGeld virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,048 bytes. Interrupt 21 will be hooked by GoldGeld in memory. Once the GoldGeld virus is memory resident, it will infect .COM and .EXE programs when they are executed. Infected programs will have a file length increase of 612 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text string is encrypted within the GoldGeld viral code: "Es ist nicht alles Gold, was gl„nzt! The text string "EEK" can be found unencrypted within the viral code in all infected programs. It is unknown what GoldGeld does besides replicate.