

The Monkey Virus

Monkey is a new boot sector virus, reported to be at large in Europe. Two samples were sent for analysis, differing in both content and the location of various sections of code. However, they are undoubtedly variants of the same virus, presumably written by the same individual. Monkey has no trigger routine, but can cause serious damage, due to the method of operation. Its name is contained at the end of the code in both samples, hidden by a simple encryption routine.

Installation and Operation

This virus infects the Master Boot Sector of fixed disks when they are booted from an infected diskette. Processing begins by initialising the various code parameters needed. A request for available memory size is issued to the BIOS: one Kbyte is removed from the top of RAM, and the original system Int 13h vector is collected into the virus code. The virus' Int 13h interception routine is then hooked into the system, and a segment address is calculated, relocating the virus code to the top of memory. Next, the MBS of the first fixed drive is read into memory. Should signs of infection be found, the virus identifies where the original MBS is stored, reads it into memory, decrypts it, and returns control to the MBS, enabling booting to continue. If the fixed disk MBS is clean, the virus infects it, storing an encrypted copy of the original.

'Encryption' is rather a grandiose description: in both versions, each byte in the sector is simply XOR-ed with a value of 2Eh. This may be an attempt to make disinfection more difficult, but will present no difficulty to a good detection/disinfection program.

Once hooked, the virus intercepts requests to the disk access services. The infection routine is only called during 25% of read requests, making it slightly more difficult for the virus to replicate. Requests for read access to sector 1 or 2, head 0 on fixed disks or head 1 on floppies are routed through a routine which completes the request and examines the sector to see whether it is infected. If it is, the original MBS is collected and decrypted before returning to the calling routine. Requests for write access to the same sectors are treated slightly differently: a request to write to sector 1 or 2 of head 0 on a fixed disk is changed to a disk reset command, preventing virus code from being overwritten.

Infection

Before attempting to infect the fixed disk, two checks are made. The first check is simply to prevent an attempt to infect an already infected disk. The second is more interesting: the virus appears to look for a specific type of boot sector (which may be part of an anti-virus package) and modifies its operations accordingly.

This first test is made by searching for the value 9219h at offset 01FAh in the MBS. If this is found, the infection routine is aborted. Should the first flag value not be found, the second is examined (see below). If it is not present, the virus writes a copy of its code to the MBS, and encrypts the existing MBS before writing it to an alternative sector (though always on Track 0). The position of this sector varies for different media:

Media          Head    Sector
360k floppy     1        3
720k floppy     1        5
1.2M floppy     1       14
1.44M floppy    1       14
Fixed disk      0        3

On floppy disks, these positions represent the final sector of the root directory, and infection by the virus will destroy any file entries stored there.

The function of the second flag is more interesting. If the MBS contains the value 6150h at offset 0119h, the virus treats the second sector of the disk as if it were the MBS, writing the virus code to this sector.

The flag value of 6150h can be interpreted as the ASCII letters 'Pa': this may be part of the word 'Partition' which often appears in MBS code. This check appears to be an attempt to bypass a boot protection mechanism. If such a system is encountered, it is likely that infection will be unsuccessful, as the virus contains a serious bug which causes the machine to hang.
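The indicators above (the flag word 9219h at offset 01FAh, the published hex pattern, the per-media location of the stashed original boot sector on track 0, and the XOR-2Eh encoding) are enough to write a read-only scanner and disinfector for a raw sector image. The following Python is an added example, not Virus Bulletin's code and not derived from the virus itself. It assumes that the flag words are stored little-endian (consistent with 6150h reading as the ASCII bytes 'Pa'), that the standard sectors-per-track values for each diskette format (9, 9, 15 and 18) apply when converting head/sector on track 0 to an image offset, and that the image is a plain 512-byte-sector dump; the sample image it scans is constructed inline for demonstration.

```python
"""Monkey boot-sector indicator scanner and disinfector (added example).

Not the original article's code. Assumptions are marked in comments.
"""
import struct

SECTOR = 512
XOR_KEY = 0x2E                            # article: each byte XOR-ed with 2Eh
FLAG_OFFSET, FLAG_VALUE = 0x01FA, 0x9219  # self-recognition word on disk
PA_OFFSET, PA_VALUE = 0x0119, 0x6150      # second flag: 'Pa' (little-endian)
HEX_PATTERN = bytes.fromhex(              # pattern listed in the summary box
    "83F9 0373 3A3A 3475 3680 FC02 740E 80FC 0375 2C80 FA80 7227")

# Track-0 location of the encrypted original sector, from the article's
# table. Sectors-per-track values are an assumption (standard formats);
# they only matter for head 1, since head 0 on track 0 starts at LBA 0.
STASH = {                 # media: (head, sector, sectors_per_track)
    "360k":  (1, 3, 9),
    "720k":  (1, 5, 9),
    "1.2M":  (1, 14, 15),
    "1.44M": (1, 14, 18),
    "fixed": (0, 3, 0),   # head 0: SPT does not enter the offset
}


def stash_lba(media):
    """Image sector number (LBA) of the stashed original, track 0 only."""
    head, sector, spt = STASH[media]
    return head * spt + (sector - 1)


def word_at(sector_bytes, offset):
    """Little-endian 16-bit word at offset (assumed byte order)."""
    return struct.unpack_from("<H", sector_bytes, offset)[0]


def is_infected(boot):
    """True if the sector carries the flag word or the published pattern."""
    return word_at(boot, FLAG_OFFSET) == FLAG_VALUE or HEX_PATTERN in boot


def has_pa_flag(boot):
    """True if the sector shows the 6150h ('Pa') value the virus looks for."""
    return word_at(boot, PA_OFFSET) == PA_VALUE


def scan(image):
    """Report on sector 0 and sector 1 (the virus may use sector 2 of the
    disk, i.e. LBA 1, when the 'Pa' flag is present)."""
    return {
        "mbs_infected": is_infected(image[:SECTOR]),
        "sector2_infected": is_infected(image[SECTOR:2 * SECTOR]),
        "pa_flag": has_pa_flag(image[:SECTOR]),
    }


def recover_original(image, media):
    """Decrypt the stashed original boot sector; None if not infected."""
    if not is_infected(image[:SECTOR]):
        return None
    lba = stash_lba(media)
    stash = image[lba * SECTOR:(lba + 1) * SECTOR]
    return bytes(b ^ XOR_KEY for b in stash)       # XOR is its own inverse


def disinfect(image, media):
    """Return a copy of the image with the original boot sector restored.
    The stash sector is left alone; on floppies it was root-directory space."""
    original = recover_original(image, media)
    if original is None:
        return image
    return original + image[SECTOR:]


def build_sample_image(media="1.44M"):
    """Constructed test image (no real virus code): a boot sector carrying
    the indicators, plus the XOR-ed original where the table says it goes."""
    original = bytes((i * 7) & 0xFF for i in range(SECTOR - 2)) + b"\x55\xAA"
    infected = bytearray(SECTOR)
    infected[0x10:0x10 + len(HEX_PATTERN)] = HEX_PATTERN
    struct.pack_into("<H", infected, FLAG_OFFSET, FLAG_VALUE)
    infected[510:512] = b"\x55\xAA"
    image = bytearray(SECTOR * 40)
    image[:SECTOR] = infected
    lba = stash_lba(media)
    image[lba * SECTOR:(lba + 1) * SECTOR] = bytes(b ^ XOR_KEY for b in original)
    return bytes(image), original


if __name__ == "__main__":
    img, orig = build_sample_image("1.44M")
    print(scan(img))
    print("stash at LBA", stash_lba("1.44M"),
          "recovered OK:", recover_original(img, "1.44M") == orig)
```

The stash offsets follow from the track-0 CHS-to-LBA rule (head times sectors-per-track, plus sector minus one); for a 360k diskette that gives LBA 11, which is indeed the last root-directory sector the article says gets overwritten. Because the virus reroutes Int 13h reads of these sectors while it is resident, a scan like this is only meaningful on an image taken from a clean boot, and a disinfection should be verified by re-reading the sector afterwards.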


Monkey

Aliases:
None known.
Type:
Master Boot Infector.
Infection:
Fixed and floppy disks.
Self-recognition on Disk:
Value 9219h at offset 01FAh.
Self-recognition in Memory:
None.
Hex Pattern:
(on Master Boot Sector or in memory)
83F9 0373 3A3A 3475 3680 FC02
740E 80FC 0375 2C80 FA80 7227
Intercepts:
Int 13h Read and Write requests.
Trigger:
None found.
Removal:
Disinfection possible using specially written software.



Virus Bulletin: Empire.Monkey © 1998 Virus Bulletin Ltd.