Path: sparky!uunet!charon.amdahl.com!pacbell.com!ames!sun-barr!rutgers!netnews.upenn.edu!netnews.cc.lehigh.edu!news
From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Newsgroups: comp.virus
Subject: Re: Need info on MONKEY virus (PC)
Message-ID: <0008.9211161950.AA15221@barnabas.cert.org>
Date: 13 Nov 92 22:41:11 GMT
Sender: virus-l@lehigh.edu
Lines: 71
Approved: news@netnews.cc.lehigh.edu

PED8C@acadvm1.uottawa.ca (Paul Deveau) writes:

>Have any of you experienced the MONKEY virus? It has been propagating
>around here recently. I have not been able to find much information
>about this virus: How does it manifest itself? What damage may it
>inflict? If any of you have details, would you be kind enough to
>share them?

This is a disturbing notice: it represents the first evidence of
the Monkey virus getting beyond Edmonton, Alberta.

The Monkey virus is a member of the Empire family, and a distant
cousin of Stoned. The Empire viruses are fairly rare, worldwide,
though they are the main virus problem in the Edmonton area, next
maybe to Stoned.

The Monkey virus has a couple of curious characteristics that can
make it particularly frustrating, if people don't know how to
deal with it. First, Monkey doesn't save the partition table
in place in the infected MBR of a hard disk. This means that
if the infected system is booted from a diskette, the hard disk
appears to be inaccessible. Any attempt to use drive C: will
result in an "invalid drive specification" or some such error --
I forget the exact wording!

Second, and more frustrating, is that the clean MBR is encoded
before it is saved to the hiding place (sector 3). This means
the MBR must be decoded if one wishes to restore it directly.
Otherwise the MBR must be restored from a backup copy, or the
table re-entered using a partition table editor such as Norton
Utilities. The DOS 5.0 DEBUG /MBR option simply leaves a piece
of the virus in the partition table area. Fortunately this
piece is not virulent; unfortunately it is not a partition
table either!

Third, the Monkey virus specifically (and successfully)
bypasses Padgett's Disk Secure program. This virus represents
a rare case: a very specific attack against a very specific
disk security system. Fortunately most scanners will find
the virus in memory. Again this stresses the importance of
having a multi-layer antivirus strategy.

Fourth, Monkey uses stealth on both the MBR and diskette boot sectors,
stopping the system from seeing or changing them. To remove the
virus, you MUST boot the system from a clean diskette. Or use my
KILLMONK program: it knows how to get past this stealth.

The Monkey virus has no intentional data damaging strategies.
(Some of the Empire viruses have; in particular the one
reported wild in the USA has.) Many of the "bugs" of most
Stoned-derivatives have been fixed in Monkey -- the only
problem I would foresee is if Monkey infects a 2.88Mb or
other unusual format diskette. On the 4 common formats,
Monkey successfully hides the clean boot sector (encoded
again) in the bottom of the root directory. But if it doesn't
recognize a diskette type as being one of these four, the
boot sector is placed on side 1, sector 3. I don't know the
2.88Mb format, but I suspect this location is in one of the
FAT tables.

If anyone has trouble dealing with the Monkey virus, or any
other Empire viruses, send me a note.

Tim.

-------------------------------------------------------------
Tim Martin *
Spatial Information Systems * These opinions are my own:
University of Alberta * My employer has none!
martin@cs.ualberta.ca *
-------------------------------------------------------------
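Tim's first two points describe an MBR whose partition-table area no longer holds a partition table (the table is stashed elsewhere, encoded, and a naive repair leaves virus bytes where the table should be). The following plausibility check is an added example, not code from the post or from KILLMONK; it parses the four 16-byte entries at offset 0x1BE of a 512-byte sector and reports whether they form a consistent table. The sample sectors are constructed here, and the check says nothing about whether a sector is infected, only whether DOS would have a usable table to read.

```python
"""Plausibility check for the partition table in a 512-byte MBR sector."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE          # four 16-byte entries end at 0x1FE
SIGNATURE = b"\x55\xAA"       # boot signature at bytes 510..511


def parse_entries(sector: bytes) -> list[dict]:
    """Return the four partition entries (CHS fields are ignored here)."""
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        start, length = struct.unpack("<II", raw[8:16])
        entries.append({"boot": raw[0], "type": raw[4],
                        "start": start, "length": length})
    return entries


def looks_like_partition_table(sector: bytes) -> bool:
    """True if the sector could be read by DOS as a sane partition table."""
    if len(sector) != SECTOR_SIZE or sector[-2:] != SIGNATURE:
        return False
    entries = parse_entries(sector)
    used = [e for e in entries if e["type"] != 0]
    if not used:                       # no partitions at all: drive unusable
        return False
    for e in entries:
        if e["boot"] not in (0x00, 0x80):          # code bytes, not a flag
            return False
        if e["type"] == 0 and (e["start"] or e["length"]):   # unused slot dirty
            return False
        if e["type"] != 0 and (e["start"] == 0 or e["length"] == 0):
            return False
    ranges = sorted((e["start"], e["start"] + e["length"]) for e in used)
    for (_, end_a), (start_b, _) in zip(ranges, ranges[1:]):
        if start_b < end_a:            # overlapping partitions
            return False
    return sum(e["boot"] == 0x80 for e in entries) <= 1


def make_mbr(entries: list[tuple[int, int, int, int]]) -> bytes:
    """Build a constructed MBR from (boot, type, lba_start, lba_length) tuples."""
    sec = bytearray(SECTOR_SIZE)
    for i, (boot, ptype, start, length) in enumerate(entries):
        off = TABLE_OFFSET + 16 * i
        sec[off], sec[off + 4] = boot, ptype
        sec[off + 8: off + 16] = struct.pack("<II", start, length)
    sec[510:512] = SIGNATURE
    return bytes(sec)


GOOD_MBR = make_mbr([(0x80, 0x06, 63, 204737)])      # constructed: one bootable FAT16
JUNK = bytearray(GOOD_MBR)                            # constructed: table area overwritten
JUNK[TABLE_OFFSET:510] = bytes(range(0x90, 0x90 + 64))  # with arbitrary code-like bytes
JUNK_MBR = bytes(JUNK)
```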