Path: sparky!uunet!ukma!darwin.sura.net!newsserver.jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Newsgroups: comp.virus
Subject: Re: Monkey [Mon] and Multi-2 [M12] viruses (PC)
Message-ID: <0012.9301271940.AA16908@barnabas.cert.org>
Date: 15 Jan 93 23:18:38 GMT
Sender: virus-l@lehigh.edu
Lines: 65
Approved: news@netnews.cc.lehigh.edu

LIBBIE@pucc.PRINCETON.EDU (Libbie Counselman) writes:

>We have been using and supporting F-Prot 2.06a on campus, but have
>discovered 2 viruses that are not detected and not disinfected by
>F-Prot.

>The first one discovered was the Monkey [Mon] virus. It affects the
>File Allocation Table. SCAN discovers it, but does not disinfect, but
>Norton Disk Doctor will recover the clean FAT.

I've posted a lot of notes in the past, about Monkey, so you may
want to check the archives. Monkey doesn't infect the FAT; nothing
does. It infects the main boot record (MBR) of a hard disk, and
the boot sector of a floppy. The main twists Monkey has that make
it different from Stoned are that 1. it doesn't keep the partition
table in place in the MBR, and 2. it encodes the MBR before it hides
it (in this case in sector 3 on the hard disk.) Because the partition
table isn't in place, when you boot from a floppy you can't see the
hard drive partitions, so any attempt to change to drive C: for
example results in an "invalid drive specification" error. Because
the MBR is encoded before it is hidden, general scanner/disinfector
packages can't find the proper partition table values to recover the
MBR properly. F-prot will find it on floppies, and call it "a new
variant of stoned", but will not clean it.

It has other twists, such as stealth, as well.

I would like to know what you mean when you say that Norton Disk Doctor
will recover the clean FAT. The FAT was clean all along. The problem
is not to recover the FAT but to find appropriate values for the
partition table. If NDD manages to do this, from a Monkey-infected
hard disk, I am impressed. Actually one can take advantage of Monkey's
stealth to get the proper partition table values. If you know a hard
disk is infected with Monkey, you can boot the computer from the
hard disk, so the virus is active, and use Norton Utilities or some
such to see what the proper partition table values are. While the
virus is active, a request to read the MBR sector (sector 1 of side 0,
cylinder 0) will return the MBR (sector 3), properly decoded, instead
of the virus sector. Copy down the proper table values, reboot from
a clean floppy, use fdisk /mbr (with DOS 5.0) to reinstall the
MBR executable code portion, and use Norton Utilities or whatever
to type in the correct partition table data.

>The second is known as Multi-2 [M12]. It has a predecessor called
>Multi [M-123], also not recognized by F-Prot. This one infects .COM
>files, .EXE files, overlays and becomes memory resident. CLEAN
>apparently disinfects it.

I don't know this one.

>Does anyone know any non-commercial packages (i.e. shareware or freeware)
>that can combat these viruses?

I have written a program called Killmonk that should get rid
of the Monkey virus. Killmonk is at several of the ftp
sites, but let me know if you can't find it.

Tim.

-------------------------------------------------------------
Tim Martin                    *
Spatial Information Systems   * These opinions are my own:
University of Alberta         * My employer has none!
martin@cs.ualberta.ca         *
-------------------------------------------------------------

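The recovery procedure above turns on writing down the partition table values from the MBR and re-entering them after `fdisk /mbr`. As an added example, not code from the original post or from Killmonk, here is a decoder for the four 16-byte entries of a 512-byte MBR image, plus a check for the "signature present but no partitions" state that makes drive C: invisible after a clean floppy boot. The sample sector and its partition geometry are constructed for the example, not taken from any real disk.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries live here
SIGNATURE_OFFSET = 510         # 0x55AA marks a valid boot sector
ENTRY_FMT = "<BBBBBBBBII"      # flag, start CHS(3), type, end CHS(3), LBA start, LBA count

def _chs(head, sect_cylhi, cyl_lo):
    # Packed CHS: byte 1 = head, byte 2 = sector (bits 0-5) plus cylinder
    # bits 8-9 (in bits 6-7), byte 3 = cylinder bits 0-7.
    cylinder = ((sect_cylhi & 0xC0) << 2) | cyl_lo
    return (cylinder, head, sect_cylhi & 0x3F)

def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR image.

    These are the values the post says to copy down while the MBR is
    readable, so they can be typed back in after fdisk /mbr.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    if struct.unpack_from(">H", sector, SIGNATURE_OFFSET)[0] != 0x55AA:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        (flag, sh, ss, sc, ptype, eh, es, ec, lba_start,
         lba_count) = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:             # type 0 is an unused slot
            continue
        entries.append({"bootable": flag == 0x80, "type": ptype,
                        "start_chs": _chs(sh, ss, sc), "end_chs": _chs(eh, es, ec),
                        "lba_start": lba_start, "sectors": lba_count})
    return entries

def table_missing(sector: bytes) -> bool:
    """True when the sector carries a boot signature but lists no partitions:
    the state that produces "invalid drive specification" after a floppy boot."""
    return parse_partition_table(sector) == []

def make_sample_mbr(with_table: bool = True) -> bytes:
    """Constructed sample: one bootable FAT16 partition (assumed geometry),
    or the same sector with the partition table zeroed out."""
    sector = bytearray(MBR_SIZE)
    if with_table:
        entry = struct.pack(ENTRY_FMT, 0x80, 1, 1, 0, 0x06,
                            15, 63 | ((299 >> 2) & 0xC0), 299 & 0xFF, 63, 307000)
        sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)

if __name__ == "__main__":
    for e in parse_partition_table(make_sample_mbr()):
        print(e)                   # the values to copy down
    print("table missing:", table_missing(make_sample_mbr(with_table=False)))
```

Reading the real sector 1 of side 0, cylinder 0 into `sector` (for instance with a raw disk read tool) and feeding it to `parse_partition_table` gives the same dictionary for a clean disk; an empty list with a valid signature is the symptom the post describes.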