%%File: VIRS0553.TXT
%%Name/Aliases: Monkey, Mon
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sector., Hard disk partition table.
%%Features: Stealth; actively hides from detection.
%%Damage: Corrupts floppy disk boot sector, Corrupts hard disk boot sector, Corrupts boot sector
%%Size:
%%See Also: Int_10, Mon, Stoned.Empire.Monkey
%%Notes:
Hides the original partition table on cylinder 0, head 0, sector 3, and XORs it with hex 2E (a "." character).

SYS won't write a clean boot sector with Monkey, since it's an MBR infector; SYS works with floppies only. Usually, most MBR viruses are removed with FDISK /MBR (DOS 5.0 or up), but that doesn't work with Monkey because the partition table info in the MBR is not preserved.

Program available (Nov 5, 1993): KillMonk v3.0 finds and removes the Monkey and Int_10 viruses. It is available via ftp at ftp.srv.ualberta.ca, in the file pub/dos/virus/killmnk3.zip. The program claims it can also fix drives where the user has tried to use FDISK /MBR first.

It's a very small virus: one sector, memory resident, MBR/stealth. It:
1. Tries to hide the virus infection - if you go to read the MBR, it redirects your inquiry and shows you the real MBR, not the infected one.
2. Saves the boot record, but masks it by XORing it with the character hex 2E (which looks like a dot), so to remove the virus you must un-XOR (unmask) the real MBR.

First version of Data Physician Plus! to find it is 3.1C.

12/13/93: Karyn received one unconfirmed report that Data Physician Plus! 4.0B did not locate one variant of Monkey.

v6-146: Killmonk 3.0 is available via ftp at ftp.srv.ualberta.ca, in the file pub/dos/virus/killmnk3.zip. A small text manual, and technical notes on Monkey and Int_10 are included with the package. I'm not a mail server, but if you can't do ftp, but do know how to use uudecode, then I might find time to email KillMonk 3.0 to you, if you ask nicely. :)
Written by Tim Martin, martin@ulysses.sis.ualberta.ca
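
The unmasking step from the notes, as an added example (not part of the original record and not KillMonk's code): it un-XORs the sector saved at cylinder 0, head 0, sector 3 of a disk image and accepts it as the original MBR only if it validates. Assumptions: a raw image with 512-byte sectors, so that sector sits at offset 1024; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512
XOR_KEY = 0x2E   # mask byte given in the notes (ASCII ".")
SAVED_LBA = 2    # cylinder 0, head 0, sector 3 (CHS sector numbers start at 1)

def unmask(sector: bytes) -> bytes:
    """XOR every byte with 0x2E; the same call masks and unmasks."""
    return bytes(b ^ XOR_KEY for b in sector)

def looks_like_mbr(mbr: bytes) -> bool:
    """Sanity checks to pass before a recovered sector is trusted."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        return False
    # Each of the four partition entries must have boot flag 0x00 or 0x80.
    return all(mbr[446 + 16 * i] in (0x00, 0x80) for i in range(4))

def parse_partitions(mbr: bytes):
    """Return (bootable, type, start_lba, sector_count) for used entries."""
    found = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:
            found.append((entry[0] == 0x80, entry[4], start, count))
    return found

def recover_original_mbr(image: bytes):
    """Unmask the saved sector; return it, or None if it fails validation."""
    raw = image[SAVED_LBA * SECTOR:(SAVED_LBA + 1) * SECTOR]
    if len(raw) < SECTOR:
        return None
    candidate = unmask(raw)
    return candidate if looks_like_mbr(candidate) else None

def build_sample_image() -> bytes:
    """Constructed test image: placeholder bytes in sector 1, masked MBR in sector 3."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                               0x06, b"\x3f\x20\x0c", 63, 204800)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(4 * SECTOR)
    image[0:SECTOR] = b"\xcc" * SECTOR          # stands in for the infected MBR
    image[2 * SECTOR:3 * SECTOR] = unmask(bytes(mbr))
    return bytes(image)

if __name__ == "__main__":
    recovered = recover_original_mbr(build_sample_image())
    print(parse_partitions(recovered) if recovered else "no valid MBR at sector 3")
```

Run it against a copy of the disk image read from a clean boot, since the notes say the resident virus redirects reads of the MBR.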