Virus Name: GoldGeld
V Status: Rare
Discovered: January, 1993
Symptoms: .COM & .EXE growth; decrease in total system & available free
Eff Length: 612 Bytes
Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, ViruScan, Sweep, AVTK, IBMAV,
NAVDX, VAlert, NAV, PCScan, ChAV,
NShld, Sweep/N, AVTK/N, NProt, IBMAV/N, Innoc, NAV/N,
Removal Instructions: Delete infected files
The GoldGeld virus was submitted in January, 1993, and appears to
be from Germany. GoldGeld is a memory resident infector of .COM
and .EXE programs, including COMMAND.COM. Some anti-viral programs
may identify it as a PS-MPC based virus since it uses a similar
When the first GoldGeld infected program is executed, the GoldGeld
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, moving interrupt 12's
return. Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 2,048 bytes. Interrupt
21 will be hooked by GoldGeld in memory.
Once the GoldGeld virus is memory resident, it will infect .COM
and .EXE programs when they are executed. Infected programs will
have a file length increase of 612 bytes with the virus being
located at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following text
string is encrypted within the GoldGeld viral code:
"Es ist nicht alles Gold, was gl„nzt!
The text string "EEK" can be found unencrypted within the viral
code in all infected programs.
It is unknown what GoldGeld does besides replicate.