Norton AntiVirus

What is the MONKEY Virus?

The Monkey virus is considered a BOOT virus because it infects the Master
Boot Record of the hard drive.  The Monkey virus moves the original
information of the master boot record (also known as the partition table) to
another location on the hard drive.  The data that was at this location is
now overwritten with the relocation of the boot record data.  When active,
the Monkey virus will decrease system memory and at that time may hang the
computer system.  In all cases the virus will move the master boot record of
the hard drive to another location. Because of this, if you do not repair the
virus completely the hard drive can become corrupted.

How does the MONKEY Virus Spread?

All floppies have a boot sector, even if they are non-system (non-bootable)
diskettes.  Anytime you start or reset the computer with a system (bootable)
or non-system (non-bootable) diskette, the computer will read the boot sector
of the diskette.  Since the Monkey virus is contained in the boot sector, the
virus will activate, load into memory and then infect the hard drive.  You will
not see this activity at all; it happens so quickly that either you will see
an error message such as "non-system disk or disk error," or the computer
system will boot up to the A: drive.  Regardless, if you boot or attempt to
boot from a Monkey-infected diskette the hard drive will become infected.

After the hard drive is infected, the virus will load into memory each time
you boot the system. Each time the system accesses a floppy diskette, the
Monkey virus will infect its boot record. You can see how easy it is to pass
a virus from one system to another.

How to repair the Hard Drive if it is Infected with the MONKEY Virus:

One way of finding out if you have the Monkey virus is to cold boot your
system from an uninfected system diskette, and then try to access the hard
drive.  If the hard drive is infected with the Monkey virus, DOS returns the
message "invalid drive specification."  Since the virus is not active in
memory, DOS cannot find the partition table.
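
Added example (not part of the original Norton document): a Python check of the same condition, run against a 512-byte dump of the hard drive's first sector taken after a clean boot. It reports why the partition table area does not hold a plausible table, which is the state DOS answers with "invalid drive specification"; it does not identify Monkey specifically, and the function name and both sample sectors are constructed for illustration.

```python
import struct

TABLE_OFFSET = 446  # four 16-byte partition entries, then the 55 AA signature

def check_mbr(sector: bytes) -> list:
    """Return the problems found in a 512-byte MBR sector ([] = plausible table)."""
    if len(sector) != 512:
        return ["sector is not 512 bytes"]
    problems, extents, active = [], [], 0
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 55 AA boot signature")
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i : TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if ptype == 0x00:
            if any(entry):
                problems.append(f"entry {i}: unused type but non-zero data")
            continue
        active += status == 0x80
        if lba_start == 0 or count == 0:
            problems.append(f"entry {i}: zero start sector or length")
        extents.append((lba_start, lba_start + count, i))
    if not extents:
        problems.append("no partitions defined")
    if active > 1:
        problems.append("more than one active partition")
    extents.sort()
    for (_, end_a, a), (start_b, _, b) in zip(extents, extents[1:]):
        if start_b < end_a:
            problems.append(f"entries {a} and {b} overlap")
    return problems

# Constructed sample: empty boot code area, one active FAT16 partition.
CLEAN = (bytes(446)
         + struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                       b"\x0f\x3f\xcb", 63, 204800)
         + bytes(48) + b"\x55\xaa")
# Constructed sample: arbitrary bytes standing in for code that overwrote the table.
OVERWRITTEN = bytes((7 * i + 3) % 256 for i in range(510)) + b"\x55\xaa"

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN), ("overwritten", OVERWRITTEN)):
        print(name, check_mbr(sector) or "partition table looks plausible")
```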

If you know you have the Monkey virus, you can repair it using any one
of the following methods:

1.	Norton AntiVirus 3.0 Installation Diskette #1
	*	Power off the computer, and then boot the system from drive
                A: on an uninfected, write-protected DOS system (bootable)
                diskette which exactly matches the version of DOS installed
                on the hard drive.

	*	Insert the Norton AntiVirus 3.0 install diskette #1 into the
                A: or B: drive.

	*	Type NAV, and then press Enter.
		NAV will not list any hard drives available for scanning.
                NAV will find the Monkey virus when it does the initial
                memory and boot record scan.

	*	Press Enter to start scanning.  NAV will alert you that it
                has found the Monkey virus. Follow the prompts to repair the
                virus.

2.	Norton AntiVirus 3.0 Rescue Diskette 

	*	Power off the computer, and then boot the system from a
                NAV 3.0 RESCUE diskette. Note that the diskette must have
                been created on the infected system before the infection
                occurred, and that any changes made to the system after the
                creation of the rescue disk, such as a DOS upgrade or a
                repartitioning of the hard drive, will render the rescue disk
                invalid.

	*	From the A: prompt, type RESCUE and then press Enter.
	*	Select Restore and choose both the Boot Record and Partition
                Table Information, and press Enter.

3.	Norton AntiVirus version 2.1 Rescue Diskette
	*	Power off the computer, and then boot the system from drive
                A: on an uninfected, write-protected DOS system (bootable)
                diskette which exactly matches the version of DOS installed
                on the hard drive.

	*	Insert a NAV 2.1 RESCUE diskette.  Note that the diskette
                must have been created on the infected system before the
                infection occurred, and that any changes made to the system
                after the creation of the rescue disk, such as a DOS upgrade
                or a repartitioning of the hard drive, will render the rescue
                disk invalid.

	*	From the A: prompt, type RESCUE and then press Enter.
	*	Select Restore and choose both the Boot Record and Partition
                Table Information, and press Enter.

4.	Norton Disk Doctor version 5.0 or higher
	*	Power off the computer, and then boot the system from drive
                A: on an uninfected, write-protected DOS system (bootable)
                diskette which exactly matches the version of DOS installed
                on the hard drive.

	*	Insert a disk with the Norton Disk Doctor, NDD.EXE,
                (version 5.0 or higher).  If you have Norton Desktop for
                Windows version 2.0 or higher, you have the correct version
                of Norton Disk Doctor.

	*	Type NDD C:/REBUILD and press Enter.
	*	Select Diagnose Disk and press Enter.
		Follow the prompts to search for and rebuild partition table
                information.

Notes:
*	If the Monkey virus is detected in memory from a floppy disk boot,
        then the system diskette is also infected.  You must boot your system
        from an uninfected diskette in order to repair the virus.

*	The only way a hard drive can become infected with the Monkey virus
        is through an infected diskette. After you repair the hard drive,
        you must scan all your diskettes for the virus.  If you boot or attempt
        to boot your machine with an infected diskette, you will reinfect the
        hard drive.

*	If Norton AntiVirus cannot repair Monkey on a diskette, it is because
        you do not have Norton AntiVirus 3.0.  If this is the case you can
        always reformat an infected diskette.  It is always wise to have the
        latest version of NAV with the latest definitions.

Virus Library Description Information
Virus Information

Virus Names and Aliases: The most common names by which the virus is known.
Infects:	Defines where the virus attacks or infects.
Likelihood:	Options are Common and Rare.
Length:	Length, in bytes, of the virus code.

Characteristics:
Memory Resident:	Stays in memory after it activates.
Size Stealth:	Tries to conceal itself from detection by disguising its size.
Full Stealth:	Tries to conceal itself from detection by disguising its size and attributes.
Triggered Event:	Performs some action based on certain criteria
                (for example, a date on the computer's system clock).
Encrypting:	Encrypts its code to make detection more difficult.
Polymorphic:	Appears differently in each infected file.

Virus Name:	Monkey
Aliases:	Stoned.Empire.Monkey
Infects:	Floppy and Master Boot Records
Likelihood:	Common
Length:	512 bytes

Characteristics:
Memory Resident:	Yes
Triggered Event:	No
Size Stealth:	No
Encrypting:	Yes
Full Stealth:	Yes
Polymorphic:	No


Comments:
The virus encrypts and stores the original MBR.  The original partition
information is overwritten by virus code, thus using FDISK /MBR will leave
the hard drive corrupted.


