Virus Name:  MONKEY.A, MONKEY.B (Empire variants)
V Status:    Common in Edmonton, Canada; and several places globally.
Discovery:   February, 1992
Symptoms:    Memory reduction, hard drive partitions not accessible on floppy bootup.
Origin:      Alberta, Canada
Eff. Length: 512 bytes
Type Code:   BPRtS (Boot and Partition table infector - Resident TOM - Stealth)
Detection:   CHKDSK, F-PROT, CHKSEC from Disk Secure 1.15, KILLMONK
Removal:     Cold boot from clean, write-protected floppy, replace MBR (hard disk) or Boot Sector (floppy).

General Comments:

The Monkey viruses are Master Boot Record / Boot Sector infectors, derived from the Empire D virus. Two variants of the Monkey virus have been identified; their most obvious difference is in the initial bytes at offset 0:

  Monkey.1: E9 CD 01  (JMP 02D0)
  Monkey.2: EB 1E 90  (JMP 0020 ; NOP)

Both variants keep the original sector's data at offsets 03h - 1Fh. In boot sectors, this region contains the data required to identify the diskette format. This solves the problem noticed with earlier variants of Empire, whereby infected 720k diskettes were sometimes unreadable.

The Monkey viruses take 1k from the top of memory. When active, total memory will be reduced by 1024 bytes. The virus installs itself at offset 200h in the 1k memory block.

The Monkey viruses use stealth to protect both the MBR and diskette boot sectors. When the virus is active in memory, Int 13h calls cannot access the infected sector of either hard disks or floppies.

The Monkey viruses are not polymorphic. They do not encode any of the virus code, as was done by some of the earlier Empire variants. But before saving the clean MBR or boot sector to a hiding place, the Monkey viruses do encode that sector, using an "XOR 2Eh". This creates a problem for disinfecting programs that recover the original boot sector or MBR simply by copying it back from the hiding place.

Typical of MBR infectors, Monkey infects the MBR of the first hard disk when the computer is "booted" from an infected diskette. The encoded MBR is put at side 0, cylinder 0, sector 3. On a computer with two hard disks, the second hard disk is infected later, any time it is accessed, the same way diskettes get infected.

When a floppy diskette is infected, the original boot sector is placed in the bottom sector of the root directory. This means directory entries will be lost only if the root directory is nearly full -- more than 96 entries on double density diskettes, or more than 208 entries on high density diskettes. The virus is designed to identify only the four most common diskette formats. If the diskette is not of a recognized format, the boot sector is put on side 1, sector 3. I have no idea what would happen to a 2.88Mb diskette, but I suspect the virus would damage the File Allocation Table, causing loss of data.

The Monkey viruses do not put any messages on the screen at any time, but the virus code does contain, encrypted, the string "Monkey", followed by the bytes 1992h. It may be significant that the Chinese Year of the Monkey began in February 1992.

The most remarkable characteristic of the Monkey viruses is that they were designed as an attack on early versions of Padgett Peterson's "Disk Secure" product. When a computer is booted from an infected diskette, the virus first checks whether DiskSecure is on the hard disk. If it is, the virus puts itself in sector 2, rather than sector 1, and slightly modifies DiskSecure, so that DiskSecure will load the virus after DiskSecure has checked the system and loaded itself. The Monkey viruses install themselves above DiskSecure in memory, at offset 200h.

The Monkey viruses do not save the partition table data in place, so if an infected system is booted from a clean boot disk, DOS claims to be unable to access the hard drive partitions. A "DIR C:" command will return "Invalid drive specification".

Detection:

The simplest detection still involves recognizing a 1k decrease in memory. CHKDSK and MEM will return 1k less "total conventional memory" than normal. The latest versions of good virus scanners should identify the Monkey viruses on hard disks and diskettes, or in memory. Some scanners will not scan an infected hard drive's MBR for the virus, because DOS can't see the partitions on the drive. DiskSecure II detects and removes Monkey.

A special program to find and remove the Monkey viruses, called KillMonk, has been written at the University of Alberta and is available via ftp from several sites. The latest version is 3.0, packaged as KILLMNK3.ZIP.

Removal:

Some scanners may remove Monkey from a system's hard disk. As far as I know, only KillMonk 3.0 will remove the virus from a second hard disk, if present.

The undocumented /MBR option of FDISK does remove the Monkey virus from the MBR, provided the computer was booted from a clean floppy, but it does not restore the correct partition table values. The problem is that the partition table is not in place in sector 1; the table is encoded, in sector 3. If you have previously saved a copy of the clean MBR, then it can be restored. (Many anti-virus products have an automated way of doing this.) If you don't have a copy of the original MBR, and don't know what values your partition table should have, then KillMonk 3.0 should do the cleanup for you. Earlier versions of KillMonk will fail.

To restore diskettes: Padgett Peterson's FIXFBR works very well, though it doesn't recognize that the disk is infected. KillMonk, and the latest versions of good scanners, should work as well.

Scan String:

The following hexadecimal string is in both variants of Monkey. It is from the code the virus uses to recognize itself.

  26 81 bf fa 01 19 92 c3 26 81 bf 19 01 50 61

Tim
---------------------------------------------------------------
Tim Martin                  *  Spatial Information Systems
These opinions are my own:  *  University of Alberta
My employer has none!       *  martin@ulysses.sis.ualberta.ca
---------------------------------------------------------------
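The detection and recovery problem the post describes (scan string in the MBR, clean MBR hidden XOR 2Eh at side 0, cylinder 0, sector 3, and the need to decode it rather than copy it back) as an added example; this is not code from the post or from KillMonk. It assumes a raw image of the first hard disk as a byte string of 512-byte sectors, that every byte of the hidden sector is XORed with 2Eh, and that CHS 0/0/3 maps to the third sector of the image (LBA 2); the sample image and the partition values in it are constructed.

```python
# Added example (not the post's code): inspects a raw image of the first hard
# disk (bytes of 512-byte sectors); assumes every byte of the hidden MBR is XORed with 2Eh.
SECTOR = 512
XOR_KEY = 0x2E   # the "XOR 2Eh" the post says is applied before the clean MBR is hidden
# Self-recognition scan string from the post (present in both variants)
MONKEY_SELF_ID = bytes.fromhex("26 81 bf fa 01 19 92 c3 26 81 bf 19 01 50 61")
ENTRY_JUMPS = {bytes.fromhex("e9 cd 01"): "Monkey.1", bytes.fromhex("eb 1e 90"): "Monkey.2"}

def has_monkey_signature(sec: bytes) -> bool:
    return MONKEY_SELF_ID in sec

def variant(sec: bytes):
    """Classify by the first three bytes at offset 0, as listed in the post."""
    return ENTRY_JUMPS.get(bytes(sec[:3]))

def decode_hidden_mbr(sec: bytes) -> bytes:
    """XOR is its own inverse, so this both encodes and decodes a sector."""
    return bytes(b ^ XOR_KEY for b in sec)

def looks_like_mbr(sec: bytes) -> bool:
    """Sanity check before writing anything back: 55 AA at 1FEh and a legal boot indicator on each entry."""
    if len(sec) != SECTOR or sec[0x1FE:0x200] != b"\x55\xaa":
        return False
    return all(sec[0x1BE + 16 * i] in (0x00, 0x80) for i in range(4))

def recover_mbr(image: bytes):
    """Return (variant, clean MBR bytes) if LBA 0 carries Monkey, else None.
    The hidden MBR is at side 0, cylinder 0, sector 3: with 1-based sector numbering, LBA 2."""
    mbr = image[:SECTOR]
    if not has_monkey_signature(mbr):
        return None
    clean = decode_hidden_mbr(image[2 * SECTOR:3 * SECTOR])
    if not looks_like_mbr(clean):
        raise ValueError("hidden sector does not decode to a valid MBR; do not restore it")
    return variant(mbr), clean

def build_sample_image() -> bytes:
    """Constructed three-sector image: stand-in infected MBR at LBA 0 (jump bytes and scan string only) and the encoded clean MBR at LBA 2."""
    clean = bytearray(SECTOR)
    # one active primary partition entry with made-up CHS/LBA values
    clean[0x1BE:0x1CE] = bytes.fromhex("80 01 01 00 06 0f 3f 7f 3f 00 00 00 c1 ff 03 00")
    clean[0x1FE:0x200] = b"\x55\xaa"
    infected = bytearray(SECTOR)
    infected[:3] = bytes.fromhex("e9 cd 01")                        # Monkey.1 entry jump
    infected[0x100:0x100 + len(MONKEY_SELF_ID)] = MONKEY_SELF_ID     # offset is made up
    infected[0x1FE:0x200] = b"\x55\xaa"
    return bytes(infected) + bytes(SECTOR) + decode_hidden_mbr(bytes(clean))
```

A disinfector that copies sector 3 back to sector 1 without the decode step, or without the validity check, leaves the system in exactly the "Invalid drive specification" state the post describes.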