Virus:Boot/Stoned.Monkey

Classification

Category :

Malware

Type :

Virus

Platform :

Boot

Aliases :

Virus:Boot/Stoned.Monkey, Stoned.Monkey

Summary

The Stoned.Monkey virus was first discovered in Edmonton, Canada, in the year 1991. The virus spread quickly to USA, Australia and UK. Monkey is one of the most common boot sector viruses.

Removal

The relocation and encryption of the partition table renders two often-used disinfection procedures unusable:

1. The MS-DOS command FDISK /MBR, which is capable of removing most viruses that infect Master Boot Records.

2. Using a disk editor to restore the Master Boot Record back on the zero track.

Although both of these procedures destroy the actual virus code, the computer cannot be booted from the hard disk afterwards.

There are five different ways to remove the Monkey virus:

Method 1

The original Master Boot Record and partition table can be restored from a backup taken before the infection. Such a backup can be made by using, for example, the MIRROR /PARTN command of MS-DOS 5.

Method 2

The hard disk can be repartitioned by using the FDISK program, after which the logical disks must be formatted. All data on the hard disk will consequently be lost, however.

Method 3

The virus code can be overwritten by using FDISK/MBR, and the partition table restored manually. In this case, the partition values of the hard disk must be calculated and inserted in the partition table with the help of a disk editor. The method requires expert knowledge of the disk structure, and its success is doubtful.

Method 4

It is possible to exploit Monkey's stealth capabilities by taking a copy of the zero track while the virus is active. Since the virus hides the changes it has made, this copy will actually contain the original Master Boot Record. This method is not recommendable, because the diskettes used in the copying may well get infected.

Method 5

The original zero track can be located, decrypted and moved back to its proper place. As a result, the hard disk is restored to its exact original state. F-Secure anti-virus products use this method to disinfect the Monkey virus.

Note: When disinfecting Monkey with F-PROT after a floppy boot, use the command F-PROT /HARD /DISINF instead of using F-PROT C:, or just run F-PROT in interactive mode and scan 'Hard disk' with disinfection option on. After disinfection, error message 'No hard disk found' is normal: just reboot after the disinfection is done and you should see your hard drive again.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

As the name indicates, Monkey is a distant relative of Stoned. Its technical properties make it quite a remarkable virus, however. The virus infects the Master Boot Records of hard disks and the DOS boot records of diskettes, just like Stoned. Monkey spreads only through diskettes.

Monkey does not let the original partition table remain in its proper place in the Master Boot Record, as Stoned does. Instead it moves the whole Master Boot Record to the hard disk's third sector, and replaces it with its own code. The hard disk is inaccesible after a diskette boot, since the operating system cannot find valid partition data in the Master Boot Record - attempts to use the hard disk result in the DOS error message "Invalid drive specification".

When the computer is booted from the hard disk, the virus is executed first, and the hard disk can thereafter be used normally. The virus is not, therefore, easily noticeable, unless the computer is booted from a diskette.

The fact that Monkey encrypts the Master Boot Record besides relocating it on the disk makes the virus still more difficult to remove. The changes to the Master Boot Record cannot be detected while the virus is active, since it rerouts the BIOS-level disk calls through its own code. Upon inspection, the hard disk seems to be in its original shape.

It is difficult to spot the virus, since it does not activate in any way. A one-kilobyte reduction in DOS memory is the only obvious sign of its presence. The memory can be checked with, for instance, DOS's CHKDSK and MEM programs. However, even if MEM reports that the computer has 639 kilobytes of basic memory instead of the more common 640 kilobytes, it does not necessarily mean that the computer is infected. In many computers, the BIOS allocates one kilobyte of basic memory for its own use.

The Monkey virus is quite compatible with different diskette types. It carries a table containing data for the most common diskettes. Using this table, the virus is able to move a diskette's original boot record and a part of its own code to a safe area on the diskette. Monkey does not recognize 2.88 megabyte ED diskettes, however, and partly overwrites their File Allocation Tables.