Golgi Virus


 Virus Name:  Golgi 
 Aliases:     Golgi 1.0, Golgi Testicles 
 V Status:    Rare 
 Discovered:  September, 1993 
 Symptoms:    .COM file growth; file date/time seconds = "08" 
              decrease in total system & available free memory 
 Origin:      Unknown 
 Eff Length:  465 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  IBMAV, ViruScan, AVTK, Sweep, F-Prot, NAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    Sweep/N, NShld, AVTK/N, IBMAV/N, NAV/N, LProt, Innoc 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Golgi virus, also known as Golgi Testicles or Golgi 1.0, was submitted in 
       September, 1993, along with two later versions of this virus. 
       Golgi is a memory resident size stealthing virus which infects 
       .COM programs.  The two later versions received in September, 1993, 
       also infect .EXE files. 
 
       When the first Golgi infected program is executed, the Golgi virus 
       will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary, without changing the value returned by 
       interrupt 12. 
       Total system and available free memory, as indicated by the DOS 
       CHKDSK program, will have decreased by 752 bytes.  Interrupts 03 and 
       21 will be hooked by Golgi in memory. 
 
       Once the Golgi virus is memory resident, it will infect .COM programs 
       when they are executed.  Infected programs will have a file length 
       increase of 465 bytes, though the file length increase will not be 
       visible when the Golgi virus is memory resident.  The file's file 
       date and time in the DOS disk directory listing will have the 
       seconds field set to "08", the virus's mechanism to determine if the 
       file is infected.  The following text string is unencrypted within 
       the Golgi viral code: 
 
               "[Golgi Testicles] v1.0 Copyright (c) 1993 Memory Lapse" 
 
       It is unknown what Golgi does besides replicate. 
 
       Known variant(s) of Golgi are: 
       Golgi 2.0: Received in September, 1993, Golgi 2.0 is a later 
                  version of the Golgi virus described above.  Its size 
                  in memory is 912 bytes, hooking interrupt 21.  It infects 
                  .COM and .EXE programs, including COMMAND.COM, when they 
                  are executed.  Infected programs increase in size by 
                  605 bytes, though the file length increase will be hidden 
                  when Golgi 2.0 is memory resident.  The file's date and 
                  time in the DOS disk directory listing will have been 
                  altered so that the seconds field is set to "08", as with 
                  the original virus.  The following text string is 
                  unencrypted within Golgi 2.0 infected files: 
                  "[Golgi Testicles] v2.0 Copyright (c) 1993 Memory Lapse" 
                  Origin:  Unknown  September, 1993. 
       Golgi 3.0: Received in September, 1993, Golgi 3.0 is a later 
                  version of the Golgi 2.0 variant.  Its size in memory is 
                  1,120 bytes, hooking interrupt 21.  It infects .COM and 
                  .EXE programs, including COMMAND.COM, when they 
                  are executed, though it will only infect one or two files 
                  in a root directory.  Infected programs increase in size by 
                  820 bytes, though the file length increase will be hidden 
                  when Golgi 3.0 is memory resident.  The file's date and 
                  time in the DOS disk directory listing will have been 
                  altered so that the seconds field is set to "08", as with 
                  the original virus.  The following text string is 
                  unencrypted within Golgi 3.0 infected files: 
                  "[Golgi Testicles] v3.0 Copyright (c) 1993 Memory Lapse" 
                  Unlike Golgi and Golgi 2.0, Golgi 3.0 is a full stealth 
                  virus, disinfecting programs as they are read into memory. 
                  As a result, anti-viral scanning programs and checksumming 
                  programs will not be able to detect the virus in files 
                  when it is memory resident. 
                  Origin:  Unknown  September, 1993. 
       Golgi.886: Received in October, 1994, Golgi.886, or Warchild, is an 
                  886 byte version of the Golgi virus described above.  Its 
                  size in memory is 928 bytes, hooking interrupts 9 and 21. 
                  It infects .COM programs, including COMMAND.COM, when they 
                  are executed, opened, or copied.  Infected programs increase 
                  in size by 886 bytes, though the file length increase will 
                  be hidden when Golgi.886 is memory resident.  The file's 
                  date and time in the DOS disk directory listing will not 
                  appear to be altered, though the seconds field will have 
                  been set to "62".  The following text strings are visible 
                  within the viral code in all infected files: 
                  "(c) 1993 Lupus Yonderboy and The Death Squad" 
                  "Warchild" 
                  The DOS CHKDSK program will indicate file allocation errors 
                  on all infected files when the virus is memory resident. 
                  Origin:  Unknown  October, 1994. 
       Golgi.1173: Received in July, 1994, Golgi.1173 is a 1,173 byte version 
                  of the Golgi virus described above.  Its size in memory is 
                  2,336 bytes, hooking interrupt 21.  It infects .COM and 
                  .EXE programs, including COMMAND.COM, when they are 
                  executed.  Infected programs increase in size by 1,173 
                  bytes, though the file length increase will be hidden when 
                  Golgi.1173 is memory resident.  The file's date and time in 
                  the DOS disk directory listing will not appear to be 
                  altered, though the seconds field will have been set to 
                  "62".  The following text strings are encrypted within the 
                  viral code in all infected files: 
                  "SCAN.EXE" 
                  "SCAN" 
                  ".EXE" 
                  "[Diabolical Ingenuity] by MnemoniX" 
                  The DOS CHKDSK program will indicate file allocation errors 
                  on all infected files when the virus is memory resident. 
                  Execution of programs with the virus memory resident may 
                  result in various operational problems, including system 
                  hangs and unexpected system reboots.  Once the boot copy of 
                  COMMAND.COM becomes infected, the system may fail to boot. 
                  Origin:  Unknown  July, 1994. 
       Golgi.DEI: Received in July, 1994, Golgi.DEI is a later version of 
                  the Golgi virus described above.  Its size in memory is 
                  3,952 bytes, hooking interrupts 21 and 24.  It infects 
                  .COM and .EXE programs, including COMMAND.COM, when they 
                  are executed or opened for any reason.  Infected programs 
                  increase in size by 1,948 bytes, though the file length 
                  increase will be hidden when Golgi.DEI is memory resident. 
                  The file's date and time in the DOS disk directory listing 
                  will not be altered.  The following text strings are 
                  encrypted within the viral code in all infected files: 
                  "Devils & Evangels, Inc. [DEI] MnemoniX $ v2.50" 
                  "ANTI-VIR.DAT C:\COMMAND. COM \DEI.COM" 
                  The DOS CHKDSK program will indicate file allocation errors 
                  on all infected files when the virus is memory resident. 
                  Golgi.DEI disinfects .COM files when they are accessed; as 
                  a result, anti-viral programs which do not take this into 
                  account will be unable to locate the virus in files when it 
                  is memory resident. 
                  Origin:  Unknown  July, 1994. 
       Golgi.Oracle: Received in March, 1994, Golgi.Oracle is a later 
                  version of the Golgi virus described above.  Its size 
                  in memory is 1,024 bytes, hooking interrupt 21.  It infects 
                  .COM and .EXE programs, including COMMAND.COM, when they 
                  are executed.  Infected programs increase in size by 
                  997 bytes, though the file length increase will be hidden 
                  when Golgi.Oracle is memory resident.  The file's date and 
                  time in the DOS disk directory listing will have been 
                  altered so that the seconds field is set to "62". 
                  The following text string is unencrypted within the viral 
                  code in all infected files: 
                  "[Oracle] by MnemoniX" 
                  While the Golgi.Oracle variant infects .EXE files, the 
                  virus infected programs are unable to function properly. 
                  The virus can only be spread from infected .COM programs. 
                  Origin:  Unknown  March, 1994. 
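
The seconds-field markers described above can be checked for directly in raw FAT directory entries. The following Python is an added example, not part of the original entry or of any scanner it lists; it assumes the quoted "08" and "62" are decoded seconds (the 5-bit on-disk field times two), and the function names and sample directory are constructed for illustration.

```python
import struct

# Marker values as the entry reports them, in decoded seconds. Assumption:
# the quoted "08"/"62" are the 5-bit on-disk field multiplied by two.
MARKERS = {
    8: "weak: valid time; Golgi 1.0, 2.0, 3.0",
    62: "strong: impossible time; Golgi.886, Golgi.1173, Golgi.Oracle",
}
TARGET_EXTS = {b"COM", b"EXE"}

def parse_entry(raw):
    """Decode one 32-byte FAT directory entry; None if it is not a file."""
    if len(raw) != 32 or raw[0] in (0x00, 0xE5):   # unused or deleted slot
        return None
    if raw[11] & 0x18:        # volume label, directory or long-name entry
        return None
    (time,) = struct.unpack_from("<H", raw, 22)    # packed time, offset 22
    return {
        "name": raw[0:8].rstrip(b" ").decode("ascii", "replace"),
        "ext": raw[8:11].rstrip(b" "),
        "second": (time & 0x1F) * 2,   # stored in two-second units
    }

def triage(directory):
    """Return (filename, second, note) for .COM/.EXE entries with a marker."""
    hits = []
    for off in range(0, len(directory) - 31, 32):
        e = parse_entry(directory[off:off + 32])
        if e and e["ext"] in TARGET_EXTS and e["second"] in MARKERS:
            name = e["name"] + "." + e["ext"].decode("ascii", "replace")
            hits.append((name, e["second"], MARKERS[e["second"]]))
    return hits

def make_entry(name, ext, h, m, s, size):
    """Build a constructed sample entry (test data, not from a real disk)."""
    time = (h << 11) | (m << 5) | (s // 2)
    date = ((1993 - 1980) << 9) | (9 << 5) | 15
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), 0x20, time, date, 2, size)

SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 12, 0, 62, 48591),   # marker 62
    make_entry("EDIT", "COM", 10, 30, 8, 878),        # marker 08
    make_entry("CHKDSK", "EXE", 9, 15, 30, 12241),    # no marker
    make_entry("README", "TXT", 11, 11, 62, 100),     # not a target type
])

if __name__ == "__main__":
    print(triage(SAMPLE_DIR))
```

A seconds value of 08 also occurs on clean files, so it is only a reason to look closer, while 62 cannot come from a normal DOS clock. Golgi.DEI leaves the timestamp unaltered and will not be flagged by this check.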
