-----------------------------------------------------------------------------
 WildList Notes - (c)1995 Joe Wells - c1jwells@watson.ibm - wildlist@aol.com
-----------------------------------------------------------------------------

Virus Name:  Monkey.B

Aliases:     Stoned.Empire.Monkey.B

Infects:     MBR on first hard drive. DOS boot sector on floppy disks.

Disk Size:   1 sector.

Location:    MBR or boot sector. Original MBR is stored at cylinder 0, 
             sector 3, head 0. On floppy disks at cylinder 0, head 1, 
             and the sector depends on the floppy type: sector 3 on 360k, 
             sector 5 on 720k, and sector 14 on 1.2m and 1.44m. The 
             original MBR or boot sector is encrypted by xoring each byte 
             with 2Eh.

Memory Size: The virus reserves 1k of memory by decrementing the available
             memory word at 40:13. On a 640k system the value will be 
             changed from 280h to 27Fh. Chkdsk will report 654336 bytes 
             (639k) of memory free.

Location:    In 1k reserved at top of conventional memory.

Special:     The virus is full stealth and encrypts the original sector.

Effects:     Hard drive invisible to DOS when booted from a clean floppy.

Trigger:     Possibly targets an MBR-based security system (see Notes).

Messages:    [none]

Bugs:        Possibly one, explained in the notes below.

Origin:      The virus appears to be one of the many Stoned.Empire (or 
             Evil Empire) viruses that have each appeared first at the 
             University of Alberta at Edmonton, Alberta, Canada.

Notes:       The virus contains code to detect the characters "Pa" at a 
             specific offset in a target MBR. If found the virus treats 
             sector 2, rather than sector 1, as the MBR. This may be an 
             attempt to bypass an MBR-based security system. If the "Pa" 
             is found, however, the infection fails and the system hangs. 
             This is probably a bug.

             Unlike most MBR infectors, Monkey does not preserve the 
             partition table portion of the MBR. Rather, it overwrites 
             that information. The result is that booting from an 
             uninfected floppy leaves the hard drive inaccessible from DOS 
             (since the partition information is now invalid).

             A remedy (oft-prescribed by some "virus experts") for MBR 
             infectors is to use the DOS utility FDisk with an undocumented
             switch (/mbr) to clean the virus off the hard drive. However,
             FDisk /mbr rewrites only the boot-code portion of the MBR and
             leaves the partition table untouched. On a Monkey.B infected
             hard drive this leaves the invalid partition information in
             place, so the hard drive remains inaccessible.
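             Because FDisk /mbr cannot restore the partition table, the only
             clean recovery is to read the stashed original sector from the
             location given under "Location" above, undo the XOR with 2Eh,
             check that the result looks like a boot sector, and write it
             back over sector 0. The Python below is an added example, not
             part of the WildList notes; it works on a raw disk image and
             the "infected" image it uses is constructed in code.

```python
# Added example, not from the WildList notes: restore a Monkey.B-style stashed
# boot sector in a raw disk image, using the sector locations and XOR key (2Eh)
# given above. The "infected" image is constructed here, not a real sample.
SECTOR = 512
XOR_KEY = 0x2E

# (sectors per track, head, sector) of the stashed original on cylinder 0.
# The hard-disk copy sits on head 0, so its sectors-per-track value is unused.
MEDIA = {"hd": (0, 0, 3), "360k": (9, 1, 3), "720k": (9, 1, 5),
         "1.2m": (15, 1, 14), "1.44m": (18, 1, 14)}

def stash_lba(media: str) -> int:
    """0-based linear sector number of the stashed original (CHS to LBA)."""
    spt, head, sector = MEDIA[media]
    return head * spt + (sector - 1)

def xor_sector(sector: bytes) -> bytes:
    # XOR with a constant is its own inverse, so this both hides and recovers.
    return bytes(b ^ XOR_KEY for b in sector)

def plausible_boot_sector(sector: bytes, media: str) -> bool:
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        return False
    if media == "hd":  # MBR: every partition status byte is 00h or 80h
        return all(sector[446 + 16 * i] in (0x00, 0x80) for i in range(4))
    return True

def recover(image: bytes, media: str) -> bytearray:
    """Copy of image with the decrypted original written back to sector 0."""
    lba = stash_lba(media)
    original = xor_sector(image[lba * SECTOR:(lba + 1) * SECTOR])
    if not plausible_boot_sector(original, media):
        raise ValueError("stashed sector does not decrypt to a boot sector")
    fixed = bytearray(image)
    fixed[0:SECTOR] = original
    return fixed

def build_demo_image(media: str) -> tuple[bytearray, bytes]:
    """Constructed infected image: stand-in virus in sector 0, original stashed."""
    original = bytearray(SECTOR)
    original[0:3] = b"\xEB\x3C\x90"                   # jump into boot code
    # one bootable FAT16 entry: status 80h, type 06h, start LBA 63, size 0x100000
    original[446:462] = bytes.fromhex("80010100 06fe3f7f 3f000000 00001000")
    original[510:512] = b"\x55\xAA"
    image = bytearray((max(map(stash_lba, MEDIA)) + 1) * SECTOR)
    image[0:SECTOR] = b"\x90" * 510 + b"\x55\xAA"    # virus body, no partition table
    lba = stash_lba(media)
    image[lba * SECTOR:(lba + 1) * SECTOR] = xor_sector(original)
    return image, bytes(original)
```

             The plausibility check is what stops a wrong media type (and
             hence a wrong sector) from being written over sector 0.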
