- Path: sparky!uunet!charon.amdahl.com!pacbell.com!ames!sun-barr!rutgers!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
- Newsgroups: comp.virus
- Subject: Re: SCAN Ver 97 & Monkey Virus (PC).
- Message-ID: <0012.9211161950.AA15221@barnabas.cert.org>
- Date: 14 Nov 92 22:36:16 GMT
- Sender: virus-l@lehigh.edu
- Lines: 73
- Approved: news@netnews.cc.lehigh.edu
-
- webbew@aron01.gs.com (William Webber) writes:
-
- >I have recently found one of my many DOS PCs and an OS/2 PC plus
- >diskettes infected with the Monkey virus. The virus was identified
- >using SCAN ver 97 and displayed the virus code as being of type [Mon].
- >It could not be removed with CLEAN because CLEAN found the virus code
- >active in memory and suggested the PC should be booted from a clean
- >copy of DOS and run SCAN to check the extent of the infection. When I
- >did this, SCAN could not access the hard disk because DOS had not
- >loaded the block disk device driver as the partition table had been
- >seriously modified.
-
- Oh, no, not another one. Please, where is aron01.gs.com?
- If it's not in Edmonton, then I'm afraid Monkey is getting
- around.
-
- SCAN can't access the hard disk file system, but CLEAN should
- be able to access the virus and the hidden, proper MBR. I
- don't know if CLEAN v97 can remove Monkey, though.
-
- Monkey complicates the removal process in three ways:
- 1. The partition table isn't saved in the virus body, so
- FDISK /MBR won't work. Nor will Norton's NDD. And
- booting from a floppy means you can't read/use the hard disk
- file systems.
- 2. The clean MBR is encoded before it is stashed away in sector 3.
- This trips up software like Padgett's FixMBR (or whatever it's
- called - sorry Padgett!) because FixMBR can't find a proper
- partition table when it scans the "hidden" sectors.
- Any scanner/cleaner software that grabs the MBR from the
- hiding place (sector 3) must decode it before writing it
- to sector 1.
- 3. The virus uses stealth against reads and writes of sector 1,
- which is why it can't (easily) be removed while resident.
-
- Because Monkey has been assumed to be a rare virus, found only in
- the Edmonton area, and we have ways to deal with it here (KILLMONK),
- and cleaning a Monkey infection isn't as trivial as cleaning a
- Stoned or Michelangelo infection, I think some of the anti-virus
- software writers haven't made it a priority to add routines to
- remove Monkey.
-
- Technical: how to clean Monkey:
- The proper partition table is still in the proper MBR, which is
- encoded, in sector 3 of side 0, track 0. The encoding (assuming
- what you have is one of the two known variants of Monkey) is a
- simple XOR 2Eh on every byte of the sector. To recover the disk,
- then, you must read side 0 track 0 sector 3, (using Int 13h, from
- a clean boot) decode every byte with an XOR 2Eh, and if the result
- looks like a proper MBR, write the result to side 0 track 0 sector 1.
- It can all be done with debug, assuming you have debug on a floppy,
- and you know what you are doing.
-
- But it isn't trivial, so instead you might want to get a copy of
- my KILLMONK program, which does that and more for you. It uses
- some careful identification strings, checks that the recovered MBR
- is correct, etc. Also makes scanning and cleaning of floppies
- easy. And strictly speaking, it doesn't require a clean boot, as
- long as the only virus messing things up at the time is Monkey.
-
- I think KILLMONK may have been posted at some of the ftp sites.
- If you can't find it, or want me to send it (uuencoded) via
- e-mail, drop me a note. (It's free of course, and worth every
- virtual cent!)
-
- Tim.
-
- -------------------------------------------------------------
- Tim Martin                   *
- Spatial Information Systems  *  These opinions are my own:
- University of Alberta        *  My employer has none!
- martin@cs.ualberta.ca        *
- -------------------------------------------------------------
-
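The recovery step Tim describes (read sector 3, XOR every byte with 2Eh, check that the result looks like a proper MBR before writing it to sector 1), as an added example that is neither KILLMONK nor code from the post: it works on 512-byte sector images only, and the sample MBR bytes and the plausibility thresholds are constructed assumptions, with the Int 13h reads and writes deliberately left out.

```python
from typing import Optional

SECTOR_SIZE = 512
MONKEY_XOR_KEY = 0x2E         # per-byte key stated in the post
MBR_SIGNATURE = b"\x55\xAA"   # boot-sector signature at offset 510
PART_TABLE_OFFSET = 446       # four 16-byte partition entries


def decode_stashed_sector(sector: bytes) -> bytes:
    """Undo Monkey's XOR 2Eh encoding of the MBR it hid in sector 3."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector image")
    return bytes(b ^ MONKEY_XOR_KEY for b in sector)


def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility checks a cleaner should pass before writing sector 1."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        return False
    active = 0
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        boot_flag, part_type = entry[0], entry[4]
        if boot_flag not in (0x00, 0x80):      # only 00h/80h are valid flags
            return False
        if part_type == 0 and any(entry[1:]):  # empty slot must be all zero
            return False
        if part_type != 0 and boot_flag == 0x80:
            active += 1
    return active <= 1                          # at most one active partition


def recover_mbr(stashed_sector3: bytes) -> Optional[bytes]:
    """Decode sector 3 and return it only if it looks like a real MBR."""
    candidate = decode_stashed_sector(stashed_sector3)
    return candidate if looks_like_mbr(candidate) else None


def build_sample_clean_mbr() -> bytes:
    """Constructed sample MBR: hypothetical jump stub, one active DOS partition."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xEB\x3C\x90"
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0x0F, 0x3F, 0x7F,
                   0x3F, 0x00, 0x00, 0x00, 0x41, 0xFF, 0x03, 0x00])
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)
```

Because XOR is its own inverse, `decode_stashed_sector(build_sample_clean_mbr())` produces exactly what Monkey would leave in sector 3, and `recover_mbr` on that image hands back the clean MBR while refusing anything whose decoded signature or partition entries are implausible.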