************************************************************************** Security Bulletin 9427 DISA Defense Communications System November 14, 1994 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9427.) ************************************************************************** FOLLOW UP: Virus Alert: MONKEY Here is some additional information on the Monkey Virus provided by ASSIST. It appears that most updated virus detection programs will detect the virus. Virus Name: Monkey Aliases: V Status: Rare Discovered: October, 1992 Symptoms: BSC; master boot sector altered; decrease in total system and available free memory; possible diskette directory corruption; "Invalid drive specification" on C: drive after boot from system diskette. Origin: Unknown Eff Length: N/A Type Code: BRtX - Resident Boot Sector & Master Boot Sector Infector Detection Method: ViruScan, UTScan, F-Prot, VNet, Sweep, VBuster, IBMAV, AVTK, NAV, Vi-Spy, CPAV, VirexPC, PCRX Removal In- structions: Norton Disk Doctor on hard disk, DOS SYS on system diskettes. General Comments: The Monkey virus was submitted in October, 1992. Monkey is a memory resident infector on the hard disk master boot sector (partition table) and the boot sector of diskettes. it is a stealth virus, hiding the infection of the hard disk and diskettes when it is memory resident. The first time the system is booted with a diskette infected with the Monkey virus, the Monkey virus will become memory resident and also infect the system hard disk's master boot sector. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,024 bytes. The virus moves interrupt 12's return to 9FC0. On the system hard disk, the virus will write one sector of viral code at Side 0, Cylinder 0, Sector 3, and then alter the master boot sector to point this sector. Once the Monkey virus is memory resident, it will infect non-write protected diskettes when they are accessed on the system. On 360K 5.25" diskettes, the virus will write a sector code at Sector 11, the last sector of the root directory, and then alter the boot sector. On 1.2M 5.25" diskettes, the sector of viral code is at sector 28 (also the last sector of the root directory). If directory entries were originally located in the directory sectors overwritten the corresponding files will become inaccessible. Monkey is a stealth virus, and cannot be detected on either the system hard disk or diskettes when it is a memory resident. Disinfection is hampered further in that the system hard disk will be inaccessible following booting the system from a clean write protected system diskette, resulting in an "Invalid drive specification" message. Norton Disk Doctor can be used to remove the Monkey virus from the system hard disk by rebuilding the master boot sector. The DOS SYS command can be used to replace the boot sector on infected system diskettes. HyperText VSUM Copyright (c) 1990-94 by Patricia M. Hoffman (408) 988-3773 *********************************************************************** *********************************************************************** *********************************************************************** Name: Monkey Type: Boot MBR Stealth The Monkey virus was first discovered in Edmonton, Canada, in the year 1991. The virus spread quickly to USA, Australia and UK. Monkey is one of the most common boot sector viruses. As the name indicates, Monkey is a distant relative of Stoned. Its technical properties make it quite a remarkable virus, however. The virus infects the Master Boot Records of hard disks and the DOS boot records of diskettes, just like Stoned. Monkey spreads only through diskettes. Monkey does not let the original partition table remain in its proper place in the Master Boot Record, as Stoned does. Instead it moves the whole Master Boot Record to the hard disk's third sector, and replaces it with it own code. The hard disk is inaccessible after a diskette boot, since the operating system cannot find valid partition data in the Master Boot Record - attempts to use the hard disk result in the DOS error message "Invalid drive specification". When the computer is booted from the hard disk, the virus is executed first, and the hard disk can thereafter be used normally. The virus is not, therefore, easily noticeable, unless the computer is booted from a diskette. The fact that Monkey encrypts the Master Boot Record besides relocating it on the disk makes the virus still more difficult to remove. The changes to the Master Boot Record cannot be detected while the virus is active, since it reroutes the BIOS-level disk calls through its own code. Upon inspection, the hard disk seems to be in its original shape. The relocation and encryption of the partition table render two often-used disinfection procedures unviable. One of these is the MS-DOS command FDISK /MBR, capable of removing most viruses that infect Master Boot Records. The other is using a disk editor to restore the Master Boot Record back on the zero track. Although both of these procedures destroy the actual virus code, the computer cannot be booted from the hard disk afterwards. There are five different ways to remove the Monkey virus: 1. The original Master Boot Record and partition table can be restored from a backup taken before the infection. Such a backup can be made by using, for example, the MIRROR /PARTN command of MS-DOS 5. 2. The hard disk can be repartitioned by using the FDISK program, after which the logical disks must be formatted. All data on the hard disk will consequently be lost, however. 3. The virus code can be overwritten by using FDISK/MBR, and the partition table restored manually. In this case, the partition values of the hard disk must be calculated and inserted in the partition table with the help of a disk editor. The method requires expert knowledge of the disk structure, and its success is doubtful. 4. It is possible to exploit Monkey's stealth capabilities by taking a copy of the zero track while the virus is active. Since the virus hides the changes it has made, this copy will actually contain the original Master Boot Record. This method is not recommendable, because the diskettes used in the copying may well get infected. 5. The original zero track can be located, decrypted and moved back to its proper place. As a result, the hard disk is restored to its exact original state. F-PROT uses this method to disinfect the Monkey virus. It is difficult to spot the virus, since it does not activate in any way. A one-kilobyte reduction in DOS memory is the only obvious sign of its presence. The memory can be checked with, for instance, DOS's CHKDSK and MEM programs. However, even if MEM reports that the computer has 639 kilobytes of basic memory instead of the more common 640 kilobytes, it does not necessarily mean that the computer is infected. In many computers, the BIOS allocates one kilobyte of basic memory for its own use. The Monkey virus is quite compatible with different diskette types. It carries a table containing data for the most common diskettes. Using this table, the virus is able to move a diskette's original boot record and a part of its own code to a safe area on the diskette. Monkey does not recognize 2.88 megabyte ED diskettes, however, and partly overwrites their File Allocation Tables. [Analysis by Mikko Hyppnen / Data Fellows Ltd] Copyright (c) 1989-1994, Frisk Software International *********************************************************************** *********************************************************************** *********************************************************************** For further information, contact Kyra Jenkins at DISA, 703-692-8883 or E-mail jenkinsk@cc.ims.disa.mil. **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * ****************************************************************************