PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Subject:
From: Michael Slater <[log in to unmask]>
Reply To: PCBUILD - PC Hardware discussion List <[log in to unmask]>
Date: Sun, 19 Apr 1998 10:45:16 -0500
%%File: VIRS0486.TXT
%%Name/Aliases: Int_10
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sector. Hard disk partition table.
%%Features:
%%Damage:
%%Size:
%%See Also: monkey
%%Notes: v6-143:
Discovered in Canada late 1993. Payload is a graphic snowfall on the screen
at midnight or 6 hours following boot in December, could cause disk
corruption.
"This virus goes resident in 1k at the TOM and actually removes itself
from the fixed disk during boot replacing the original MBR into sector one
to avoid detection. While it eventually hooks interrupt 13h, this is not
during the BIOS load, being accomplished through DOS instead.
Once fully resident, "stealth" is used to hide the return of the virus to
the MBR. While two variants have been found so far, both may be detected
via the following string in the MBR (if booted from floppy), a floppy DBR,
or in the last 1k area at the TOM if resident in RAM;
          88 85 93 02 41 41 D3 E0 80 7D 0B 00 75
At the moment this virus which has been tentatively named INT_10 has been
observed at a single location only."

Use KILLMONK to remove the Monkey virus, works great.

You can find it at http://garbo.uwasa.fi/pc/virus.html
The file name is killmnk3.zip


At 09:57 PM 4/16/98 -0400, you wrote:
>If I remember correctly, Monkey loads itself in the boot sector of the disk
>and then starts to encode the FAT portion. As long as you boot from the
>infected disk, there's no problem because Monkey is loaded during the boot
>process and then decodes the FAT on the fly. When you boot from the floppy,
>there is nothing to decode the FAT on disk so it shows up more or less as an
>unformatted drive. I don't know of any antivirus that can actually disinfect
>Monkey and decode the FAT again. In which case, your only option would be to
>reformat the disk.
>
>Oh, and don't think Monkey is just a harmless nuisance and you can just
>live with it. When you least expect it, it will stop working and render your
>disk unreadable. Period! Then you MUST format and sacrifice all data on the
>disk.
>
>Hope this helps. Somebody let me know if I got any of the details wrong.
>It's been a while since I've dealt with Monkey.
>
>>Help!  I have a 386 which I am setting up as my second system to use
>>primarily for e-mail.  I have run McAfee Viruscan on the system and it
>>tells me I have traces of MONKEY_B Virus in memory.  It instructs to turn
>>off and start with a system-bootable disk.  No problem, I insert a system
>>disk (containing IO.SYS, MSDOS.SYS, and COMMAND.COM) which I have determined
>>to be virus free on another machine.  The system will boot to an "a:>"
>>prompt but when I either try to switch to "C:" as the active drive or run
>>"dir c:", I get an "invalid drive" message.
>>
>>What have I done wrong?  Do I need additional files on the boot disk?  How
>>do I get this "MONKEY" off my back?
>>
>>TIA for any help coming down the line.
>--
>Adam Gonsman
>[log in to unmask]
>
>
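
The signature check described in the Int_10 entry above, as an added example that is not part of the original message or of any tool it mentions: it searches a raw sector image or memory dump for the byte string quoted in the entry and reports which sector each hit falls in. The function names, the raw-image input format, and the zero-filled sample data are assumptions constructed for illustration.

```python
import io

# Signature bytes quoted in the Int_10 entry above.
INT10_SIG = bytes.fromhex("88 85 93 02 41 41 D3 E0 80 7D 0B 00 75")
SECTOR = 512

def scan_stream(stream, sig=INT10_SIG, chunk_size=64 * 1024):
    """Yield the absolute offset of every occurrence of sig in a binary stream."""
    keep = len(sig) - 1          # bytes carried over so a split match is still seen
    tail, base = b"", 0          # base = absolute offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf = tail + chunk
        pos = buf.find(sig)
        while pos >= 0:
            yield base + pos
            pos = buf.find(sig, pos + 1)
        tail = buf[max(0, len(buf) - keep):]
        base += len(buf) - len(tail)

def check_image(data, chunk_size=64 * 1024):
    """Summarise signature hits in a raw sector image (or memory dump)."""
    stream = io.BytesIO(data)
    hits = [divmod(off, SECTOR) for off in scan_stream(stream, chunk_size=chunk_size)]
    return {
        "boot_signature_ok": data[510:512] == b"\x55\xaa",
        "hits": hits,                       # (sector number, offset in sector)
        "boot_sector_hit": any(sector == 0 for sector, _ in hits),
    }

def constructed_image(sig_offset=None, sectors=4):
    """Constructed test data: zero-filled sectors, 55 AA marker, optional signature."""
    img = bytearray(SECTOR * sectors)
    img[510:512] = b"\x55\xaa"
    if sig_offset is not None:
        img[sig_offset:sig_offset + len(INT10_SIG)] = INT10_SIG
    return bytes(img)

if __name__ == "__main__":
    for name, img in [("clean", constructed_image()),
                      ("sig in sector 0", constructed_image(0x40)),
                      ("sig in sector 2", constructed_image(2 * SECTOR + 100))]:
        print(name, check_image(img))
```

As the entry notes, the MBR only shows the string when the machine was booted from a clean floppy, so the image should be taken under that condition.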
