Infected goat

The goat file infected by Diamond.1050, showing the current size versus the original size.

The Goat file is a sacrificial program file that is used for computer virus testing. It is usually filled with a dump of runnable but useless code such as NULL (ASCII 0), NOP (ASCII 90h) or scrambled code. The main benefit to the researcher is these goat files can be deleted after researching, and since it does not have other special function to the system, using goat files instead of typical program files may minimize the loss.

The goat file can be said is the best host for collecting computer viruses, unless those having encryption routines, and because of the extremely high contrast between the structure of the code in host program and the viral code, it reduces the time of finding the virus within the binary.

There are several goat file generators available such as RoseGoat that can generate a number of goat files in different size, the user may also customize the size of the file that to be generated.

Some goat files may print a message claiming its original size, this make ease of identifying the file has been infected or not. But not every virus has the same behavior, some tricks are still needed.

Timestamp change

In normal cases, a program execution does not modify the content of the host program so that the timestamp would not be changed at anyway. In case a change on it, while the file has not been recently modified by any user or the system, then it can be said that this file has been infected by a virus.

Stealth virus

Some virus may hide itself by subtracting its infection size from the infected files so that they would show the original size under file listing command, but it is still noticeable if the infection size is variable or the virus would change the timestamp.

The simplest detection method is to reset the computer, this would unload the TSR code of the virus. On next session the actual file size may be shown, indicating which file(s) has(have) been infected.

Advanced skills might be required if the MBR is infected.

Overwriting virus

Some viruses overwrite files instead of appending their code into the host program, there are mainly 2 types of file overwriting:

  • File head overwriting
  • File replacement overwriting

It is relatively harder to find out a file which is file head overwritten, but the timestamp of those files is usually changed, they can still be detected by noticing this. But a program execution is still the fastest detection method, but precautions must be taken.

For file replacement overwriting, the size of the infected file would become the infection size.

Execution problem

If a goat file fails to execute or even hang the system during runtime, it might be concluded that this file has been infected by a virus.

Range of file size

Some viruses does not infect files having their size in a specified range, such as those smaller than 1,000 bytes for example. If the size of a goat file is smaller than this limit, that it will not be infected, but it cannot be concluded that "this virus does not infect goat files", having a set of goat files in a large range of sizes is always recommended.

Goat file detection

Some viruses may detect whether a file to be run is a goat, if yes the virus does not infect it. In this case a goat file containing runnable random but useless commands may be a solution, if the virus still detected it, an actual program would be the last choice, make a copy of this program before testing.