%%File: VIRS0468.TXT
%%Name/Aliases: Int_10
%%Platform: PC/MS-DOS
%%Type: Boot sector., 
%%Disk Location: Floppy disk boot sector., Hard disk partition table.
%%Features: 
%%Damage: 
%%Size: 
%%See Also: monkey
%%Notes: v6-143: 
discovered in Canada late 1993.  payload is a graphic snowfall on the 
screen at midnight or 6 hours following boot in December, could cause 
disk corruption.  
"This  virus goes resident in 1k at the TOM and  actually  removes  
itself from the fixed disk during boot replacing the original MBR into 
sector one to  avoid  detection.  While  it eventually hooks  interrupt   
13h,  this  is  not  during  the  BIOS  load,   being  accomplished 
through DOS instead.

Once fully resident, "stealth" is used to hide the return of  the virus 
to the MBR.

While  two varients have been found so far, both may be  detected  via  
the following string in the MBR (if booted from  floppy),  a  floppy 
DBR, or in the last 1k area at the TOM if resident in RAM;

          88 85 93 02 41 41 D3 E0 80 7D 0B 00 75

At the moment this virus which has been tentatively named  INT_10 has 
been observed at a single location only."

v6-146: Killmonk 3.0 is available via ftp at ftp.srv.ualberta.ca, in the 
file pub/dos/virus/killmnk3.zip.  A small text manual, and  technical 
notes on Monkey and Int_10 are included with the  package.  I'm not a 
mail server, but if you can't do ftp, but  do know how to use uudecode, 
then I might find time to email  KillMonk 3.0 to you, if you ask nicely.  
:)  Written by Tim Martin, martin@ulysses.sis.ualberta.ca