[RC5] Re: rc5-digest V1 #167

Joe Zbiciak j-zbiciak1 at ti.com
Mon Mar 16 16:05:56 EST 1998


'Dave Ladd' said previously:
| 
| Bad advice.  Don't use the command until you know it
| will wipe out the virus and nothing else.
| 
| If your system is infected with a self-encrypting
| virus you will screw up your partition table.  You need
| to use the virus inoculation options provided in your
| virus software.  Or fdisk and start over.

The Monkey virus is known for this behavior.  It is a "Stealth Virus"
which copies your MBR/Partition Table to a different area of the 
hard drive and "encrypts" it.  (Really, it just XORs with a constant,
but that's sufficient to make it obscured.)  

When you boot with Monkey present, it hooks all drive accesses so that
reads/writes to the MBR appear to show the real, uninfected MBR, but in
actuality, the MBR on the drive has the Monkey virus in it.  I imagine
utilities and OSes which bypass DOS/BIOS services to access the disk
would see an inconsistent MBR and complain of a problem, but would also
be powerless to fix the problem.

There are programs on the net for cleaning Monkey (e.g. "KillMonk" comes
to mind) and related virii from your computer.  I would first boot from
a clean, write-protected floppy which has your favorite DOS-based
Anti-Virus software on it and have it give its opinion of your
hard drive before you proceed with drastic measures such as FDISK.

Regards,

--Joe

-- 
 +----------- Joseph Zbiciak ----------+
 | - - - -  j-zbiciak1 at ti.com  - - - - |       Ignorance is the
 |- http://www.primenet.com/~im14u2c/ -|       Mother of Devotion.
 | - - -Texas Instruments, Dallas- - - |          -- Robert Burton
 +-----#include "std_disclaimer.h"-----+
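As an added illustration of the "just XORs with a constant" point above (example code, not part of the original post or of any cleaning utility): a forensic check that brute-forces the single-byte XOR key over a sector image and reports any decoding that has the structure of a real MBR. The sample sector and the key 0x2F are constructed here; Monkey's actual key is not given in the post.

```python
"""Recover a XOR-obscured MBR copy by trying every single-byte key.

Added example, not from the original post. The sample MBR and the XOR key
0x2F are constructed for the demo; the real Monkey key is not stated here.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xAA"   # last two bytes of every valid MBR


def looks_like_mbr(sector: bytes) -> bool:
    """Structural sanity check: boot signature plus plausible partition entries."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIG:
        return False
    used = 0
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        boot_flag, part_type = entry[0], entry[4]
        if boot_flag not in (0x00, 0x80):   # only "inactive" or "active" are legal
            return False
        if part_type != 0:
            used += 1
    return used >= 1


def recover_xor_mbr(sector: bytes) -> list[tuple[int, bytes]]:
    """Return (key, decoded_sector) pairs whose decoding passes looks_like_mbr()."""
    hits = []
    for key in range(256):
        decoded = bytes(b ^ key for b in sector)
        if looks_like_mbr(decoded):
            hits.append((key, decoded))
    return hits


def build_sample_mbr() -> bytes:
    """Constructed MBR: blank boot code, one active type-0x06 (FAT16) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xFE\x3F\x7F", 63, 1_000_000)
    return b"\x00" * 446 + entry + b"\x00" * 48 + BOOT_SIG


SAMPLE_KEY = 0x2F   # constructed key for the demo, not Monkey's
OBSCURED = bytes(b ^ SAMPLE_KEY for b in build_sample_mbr())

if __name__ == "__main__":
    for key, mbr in recover_xor_mbr(OBSCURED):
        print(f"key 0x{key:02X}: partition 1 type 0x{mbr[446 + 4]:02X}")
```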