%%File: VIRS0486.TXT%%Name/Aliases: Int_10%%Platform: PC/MS-DOS
%%Type: Boot sector.%%Disk Location: Floppy disk boot sector.
Hard disk partition table.%%Features: %%Damage: %%Size: %%See Also: monkey
%%Notes: v6-143:
Discovered in Canada in late 1993. The payload is a graphic snowfall on the
screen at midnight or 6 hours following boot in December; it could cause disk
corruption.
"This virus goes resident in 1k at the TOM and actually removes itself
from the fixed disk during boot replacing the original MBR into sector one to
avoid detection. While it eventually hooks interrupt 13h, this is not
during the BIOS load, being accomplished through DOS instead.
Once fully resident, "stealth" is used to hide the return of the virus to the
MBR. While two variants have been found so far, both may be detected via the
following string in the MBR (if booted from floppy), a floppy DBR, or in
the last 1k area at the TOM if resident in RAM:
88 85 93 02 41 41 D3 E0 80 7D 0B 00 75
At the moment this virus, which has been tentatively named INT_10, has been
observed at a single location only."
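The scan string quoted above can be checked offline against a raw sector image (hard disk MBR or floppy DBR) or against the last 1k of a conventional-memory dump. The Python below is an added example, not part of the original entry; the function names, the sample offset 0x40 and all sample data are assumptions constructed for illustration.

```python
# Added example: offline check for the INT_10 scan string quoted in the entry.
# Function names, the sample offset and all sample data are assumptions.
SIGNATURE = bytes.fromhex("88 85 93 02 41 41 D3 E0 80 7D 0B 00 75")
SECTOR_SIZE = 512    # one boot sector (hard disk MBR or floppy DBR)
TOM_WINDOW = 1024    # "the last 1k area at the TOM"


def find_all(data, needle=SIGNATURE):
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def scan_boot_sector(image):
    """Check sector 0 of a raw image taken while the suspect disk was NOT booted."""
    if len(image) < SECTOR_SIZE:
        raise ValueError("image shorter than one 512-byte sector")
    sector = image[:SECTOR_SIZE]
    return {"boot_marker_ok": sector[510:512] == b"\x55\xaa",
            "hits": find_all(sector)}


def scan_top_of_memory(ram):
    """Search the last 1 KiB of a conventional-memory dump; offsets are absolute."""
    base = max(0, len(ram) - TOM_WINDOW)
    return [base + off for off in find_all(ram[base:])]


def constructed_sector(infected):
    """Build a synthetic 512-byte sector; offset 0x40 is arbitrary, not from the entry."""
    body = bytearray(SECTOR_SIZE)
    if infected:
        body[0x40:0x40 + len(SIGNATURE)] = SIGNATURE
    body[510:512] = b"\x55\xaa"
    return bytes(body)


if __name__ == "__main__":
    for label, infected in (("clean", False), ("infected", True)):
        print(label, scan_boot_sector(constructed_sector(infected)))
    ram = bytearray(640 * 1024)            # constructed 640 KiB dump
    ram[-500:-500 + len(SIGNATURE)] = SIGNATURE
    print("TOM hits:", scan_top_of_memory(bytes(ram)))
```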
"Use KILLMONK to remove the Money virus, works great.
You can find it at http://garbo.uwasa.fi/pc/virus.html
The file name is killmnk3.zip
At 09:57 PM 4/16/98 -0400, you wrote:
>If I remember correctly, Monkey loads itself in the boot sector of the disk
>and then starts to encode the FAT portion. As long as you boot from the
>infected disk, there's no problem because Monkey is loaded during the boot
>process and then decodes the FAT on the fly. When you boot from the floppy,
>there is nothing to decode the FAT on disk so it shows up more or less as an
>unformatted drive. I don't know of any antivirus that can actually disinfect
>Monkey and
>decode the FAT again. In which case, your only option would be reformat the
>disk.
>
>Oh, and don't think Monkey is just a harmless nuisance and you can just
>live with it. When you least expect it, it will stop working and render your
>disk unreadable. Period! Then you MUST format and sacrifice all data on the
>disk.
>
>Hope this helps. Somebody let me know if I got any of the details wrong.
>It's been a while since I've dealt with Monkey.
>
>>Help! I have a 386 which I am setting up as my second system to use
>>primarily for e-mail. I have run McAfee Viruscan on the system and it
>>tells me I have traces of MONKEY_B Virus in memory. It instructs to turn
>>off and start with a system-bootable disk. No problem, I insert a system
>>disk (containing IO.SYS, MSDOS.SYS, and COMMAND.COM) which I have determined
>>to be virus free on another machine. The system will boot to an "a:>"
>>prompt but when I either try to switch to "C:" as the active drive or run
>>"dir c:", I get an "invalid drive" message.
>>
>>What have I done wrong? Do I need additional files on the boot disk? How
>>do I get this "MONKEY" off my back?
>>
>>TIA for any help coming down the line.
>--
>Adam Gonsman