Monkey Virus Page
Monkey and Killmonk Frequently Asked Questions

              --------------------------------------------------------------

Question:  Where can I get a copy of Killmonk?

Answer:
Killmonk is a program for detecting and removing the Monkey and Int_10 viruses from computers.  You can get Killmonk from various ftp sites. Try:  in the directory The file is called killmnk3.zip.  Remember to use binary mode for the file transfer.  You will need pkunzip.exe or WinZip to decompress the files.

The archive killmnk3.zip contains four files:
   Killmonk.exe   - the Monkey virus detection/removal program.
   killmnk3.doc   - a text file of instructions.
   Monkey.not     - a text note about the Monkey virus.
   int_10.not     - a text note about the Int_10 virus.

Please read the instructions file, and the notes about the viruses.

----------------------------

Question: Killmonk says I might have a new variant of Monkey.  Can you help?

Answer:
It is highly unlikely you have a new variant of Monkey.  Killmonk returns that message when it finds only part of Monkey, either in memory or in the first sector of the hard disk.  Typically parts of Monkey might be left in the first sector of the hard disk if you have tried to remove Monkey using some other software, or if you have installed Microsoft Windows or disk manager software since the virus infection occurred.  See the section below, on how Monkey and Killmonk work.

----------------------------

Question: Killmonk says there is something wrong with my Master Boot Record, and it cannot clean the virus.  What can I do?

Answer:
When Killmonk detects that the Monkey virus is present, it looks in the virus' hiding place to find the clean master boot record.  But clean boot records can have many different appearances, and other things might be found in the virus' hiding place.  Rather than try to identify all kinds of valid boot records, Killmonk simply checks whether what it finds has a valid partition table, and whether the string of bytes found at offset 03 - 1fh in the virus is the same as that in the found sector. (They should be the same.)  If either of these tests fails, Killmonk doesn't risk trying to recover your system.

Unfortunately there are now a number of ways these might fail.  Killmonk is too strict in its tests for partition table validity.  And extended IDE drive controllers, SCSI controllers, Windows '95, and disk manager software such as On Track, can all change the sector the virus hid away, causing Killmonk to fail.

You will have to use some other method to remove the virus and/or recover your partition table.  See the sections below on what Monkey does, how Killmonk works, and how to fix things when Killmonk fails.

----------------------------

Question: My computer is infected with Monkey and I can no longer read the hard disk.  Have I lost all the data?

Answer:
No.  Monkey has only interfered with the table of information that tells DOS how to find the file system on the hard disk.  It is analogous to someone jamming the front door lock on your house.  Everything is still in the house, untouched, but you can't get to it in the normal way, at the moment.

Monkey encrypts and moves the "partition table".  The partition table tells the operating system where to find your file systems.  If the partition table (only 64 bytes of information) is corrupted, DOS will call "drive C:" an "invalid drive specification".

The important thing to realize is that, despite appearances to the contrary, the Monkey virus does not in any way damage any of the files on your hard disk.  Unless something else has damaged the file system, all the information is still on the disk, unharmed.

At this point it is important to resist all temptation to reformat the drive: it is a waste of time, and probably won't get rid of the virus anyway.  (Just as gutting the house and refurnishing doesn't fix the broken front door lock.)

See the sections below, on what Monkey does, how Killmonk works, and how to fix things when Killmonk fails.

Your file system might be corrupted, of course, but if it is, Monkey didn't do it. Monkey was likely on your system long before the file system got corrupted, and you wouldn't have noticed Monkey except that when the file system got corrupted you started looking for causes and found an unrelated problem, the presence of the Monkey virus.

----------------------------

Question: My computer is infected with Monkey, and I've reformatted the hard disk and the virus is still there.  What shall I do?

Answer:
Unfortunately formatting was a waste of time, because now not only do you have the Monkey virus on your computer, you also threw out all the information on your hard disk. Welcome to the "Association of Victims of the Myth of Computer Friendliness".

There are three ways you might still have the virus on your computer after reformatting the hard drive.

First, if you just use the FORMAT command, of course the virus isn't removed, because the virus isn't in partition C:.  FORMAT simply puts empty file systems into partitions, while the virus resides outside all partitions, in the Master Boot Record.

Second, if the virus is running while you try to repartition your hard drive, the repartitioning will pretend to work, but won't really.  You must have clean system diskettes to boot from, and be sure the BIOS CMOS is set to boot from a diskette in A: if it is present.

Third, and most common, unless you are very careful, it is very easy to reinfect the computer at some point during the whole reformatting process.

If you have already reformatted the drive, but still haven't gotten rid of Monkey, do the following:

1.  On a clean computer, run Killmonk and use it to clean all the diskettes you might use in the following procedure.  Do not use any diskette you are not sure is clean, in any step below.

2.  Find or build (from a clean computer) a clean system diskette.

3.  Copy the FDISK, FORMAT, and SYS commands from the same clean computer's DOS directory to the system diskette.

4.  Copy Killmonk to that diskette as well.

5.  Write protect the diskette.

6.  Be sure the BIOS CMOS on the infected computer is set to boot from a diskette in A:, if the diskette is present.  Typically you can set this by interrupting the startup process by pressing the DEL key, or some other combination of keys.  (Exactly how varies from computer to computer.)

7.  Start the infected computer from this diskette.

8.  Run Killmonk, to be sure Monkey isn't currently in memory.  If it is in memory, then you failed the above steps, and either your boot diskette is infected, or the computer's BIOS is set to not boot from a diskette.  Killmonk should find Monkey, or parts of Monkey, on your hard disk.  If it doesn't, then Monkey isn't there, and I'm not sure I understand why you are asking for my help.

9.  Run FDISK, and repartition the hard drive.  If your computer requires a special FDISK program, you must use that instead.

10. Run FDISK /MBR to put the boot program code back into the MBR.

11. Format the new partition.

12. Install DOS.  (Did you remember to clean your DOS master disks in step 1?)

13. Reboot from the hard disk.

14. Run Killmonk.  If the hard disk is clean, reinstall everything.

15. Run Killmonk, and clean every diskette you can get your hands on.

----------------------------

Question:  I have more than two hard drives, and Killmonk only cleans the first two.  What can I do?

Answer:
Killmonk only looks at the first two hard drives.

If you are good with hardware, you might temporarily remove the second drive, making the third the second, so that Killmonk can find it.

Note that the virus will not be run from second or subsequent hard drives, since only the first drive's Master Boot Record gets run.  So if you have a clean first drive, but "parts of Monkey" are found on your second or subsequent drives, and the file systems are accessible on those subsequent drives, then don't worry about it.

If you can't use the file systems on the second or subsequent drives, you must rebuild the "partition table" on those drives.  See the sections below on what Monkey does, how Killmonk works, and how to fix things, when Killmonk fails.

----------------------------

Question: Killmonk doesn't work for me.  Why not? (A generic version of the above questions)

Answer:
Killmonk can't always work.  I have seen several ways in which it can fail.

a) Be sure you are using Killmonk version 3.0.  It can handle more situations than the older versions could.

b) If your computer still starts ok from the hard disk, try running Killmonk both after starting from the hard disk and after starting the computer from a "clean system diskette".  Sometimes Killmonk will work the one way but not the other.

   By starting from a clean system diskette, I mean turn the computer off, put a clean system diskette in drive A:, and restart the computer, so that it boots from A: rather than from C:.  If this is still confusing, get help from someone who knows DOS computers.

c) The Monkey virus only "damages" the first sector of the hard disk, which is called the "Master Boot Record", or MBR.  This sector has two parts; a "boot program", and the partition table.  The table defines how your drive is set up -- it tells the operating system (OS) where to find partition C:, partition D:, etc.  If the OS can't read this table, then it assumes your hard drive is not partitioned.

   Most MBR viruses only change the program part.  This makes them easy to remove.  But Monkey also hides the partition table part, making it trickier to fix.  If the virus isn't running (for example if you start the computer from a clean system diskette) then you can't access the hard drive files, because only the virus knows how to find and decode the hidden partition table.

   People often get their system messed up by fixing the program part but not the partition table.  The most common way to do this is with the command "FDISK /MBR".  If this has been done on your computer, you now must recover the partition table.  A good disk maintenance software package, like PC Tools or Norton Utilities, will have an option for doing this.

   Sometimes people fix the partition table but not the boot program.  If this is the case, you can tell because a clean startup from a diskette will result in the hard disk being available.  If this is the case, and you are using DOS 5.0 or later, you can use the command "FDISK /MBR", which will fix the program part of the MBR.

Note:  If you CAN use C: when you boot from a clean diskette, then use "FDISK /MBR".  If you CANNOT use C: when you boot from a clean diskette, DO NOT use "FDISK /MBR", unless you are also prepared to rebuild the partition table.

d) Sometimes people have "unusual" computer configurations that make Killmonk not work.  Unfortunately what was unusual in 1993 is now commonplace.  Things that might make Killmonk not work include 32-bit disk access, disk manager software such as On Track, operating systems other than DOS, for example Windows '95, some extended IDE or SCSI controllers, and other anti-virus packages.

----------------------------

Question: What Does Monkey Do?

Answer:
For a technical answer, see the document MONKEY.NOT, included in the KILLMNK3.ZIP archive.  Here's a less technical answer.

Monkey infects a computer by installing itself in the first sector of the hard disk.  This first sector normally holds the "Master Boot Record" (MBR).  The MBR has two parts: a boot program, and a partition table.

The boot program of the MBR is the first software to be run, when a computer is started from the hard disk.

The partition table has the information the operating system needs to know how the file systems are set up on the hard drive -- where the C: partition and D: (etc) partitions are located.  Normally the partition table gets read two times.  First, it is read by the MBR boot program, to determine which partition your OS is in.  The boot program then loads the "boot sector" of that partition, which in turn loads the OS program files.  Second, later, when the OS is looking around to see what file systems are available, it reads the partition table.  This happens whether you start the computer from the hard disk or from a diskette in drive A:.

Monkey encodes the MBR and moves it to the third sector of the hard disk.  (Normally the third sector is unused.)
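As an added illustration (not part of the original FAQ, and not Killmonk's own code), the following Python script parses the 64-byte partition table out of a 512-byte MBR image and applies the two tests the earlier Killmonk answer describes before a recovered sector is written back: does the recovered sector carry a valid partition table, and do its bytes 03h-1Fh match the sector currently on disk?  The MBR images, the stand-in boot code bytes, the partition layout and all function names are constructed for this example; the validity rules used (55AA signature, boot indicator 00h or 80h, at most one active entry, no zero-length or overlapping entries) are ordinary MBR sanity checks assumed here, since the FAQ does not spell out Killmonk's exact rules.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 0x1BE              # partition table: 4 entries x 16 bytes = 64 bytes
SIG_OFFSET = 0x1FE             # two-byte boot signature 55h AAh
CODE_CMP_RANGE = (0x03, 0x20)  # bytes 03h-1Fh, the range the FAQ says Killmonk compares


def parse_partition_table(sector):
    """Return the four partition entries of a 512-byte MBR as dicts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    entries = []
    for i in range(4):
        # boot flag, CHS start (3), type, CHS end (3), LBA start, sector count
        fields = struct.unpack_from("<BBBBBBBBII", sector, PT_OFFSET + 16 * i)
        boot, ptype, lba, count = fields[0], fields[4], fields[8], fields[9]
        entries.append({"boot": boot, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def partition_table_is_valid(sector):
    """Ordinary MBR sanity checks (assumed here; not Killmonk's exact rules)."""
    reasons = []
    if sector[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        reasons.append("missing 55AA boot signature")
    active = 0
    used = []
    for i, e in enumerate(parse_partition_table(sector)):
        if e["boot"] not in (0x00, 0x80):
            reasons.append("entry %d: bad boot indicator %#04x" % (i, e["boot"]))
        if e["boot"] == 0x80:
            active += 1
        if e["type"] == 0:
            continue                      # empty slot
        if e["sectors"] == 0:
            reasons.append("entry %d: zero-length partition" % i)
        used.append((e["lba_start"], e["lba_start"] + e["sectors"], i))
    if active > 1:
        reasons.append("more than one active partition")
    used.sort()
    for (s0, e0, i0), (s1, e1, i1) in zip(used, used[1:]):
        if s1 < e0:
            reasons.append("entries %d and %d overlap" % (i0, i1))
    return (not reasons, reasons)


def code_bytes_match(sector_a, sector_b):
    """True when bytes 03h-1Fh agree, the second test the FAQ attributes to Killmonk."""
    lo, hi = CODE_CMP_RANGE
    return sector_a[lo:hi] == sector_b[lo:hi]


def recovery_is_safe(sector_on_disk, recovered_sector):
    """Both tests together: refuse to rewrite sector one unless both pass."""
    ok, reasons = partition_table_is_valid(recovered_sector)
    if not code_bytes_match(sector_on_disk, recovered_sector):
        reasons.append("bytes 03h-1Fh differ between on-disk and recovered sectors")
    return (not reasons, reasons)


def build_sample_mbr(code_bytes, entries, signature=b"\x55\xaa"):
    """Construct a test MBR image; entries are (boot, type, lba_start, sectors)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:len(code_bytes)] = code_bytes
    for i, (boot, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, PT_OFFSET + 16 * i,
                         boot, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[SIG_OFFSET:SIG_OFFSET + 2] = signature
    return bytes(sector)


# Constructed sample data: 32 bytes of stand-in boot code and a one-partition layout.
SAMPLE_CODE = b"\xeb\x1e\x90" + b"constructed stand-in code".ljust(29, b"\x00")
CLEAN_MBR = build_sample_mbr(SAMPLE_CODE, [(0x80, 0x06, 63, 204800)])
# Same code bytes, but a table with two active, overlapping entries.
BAD_MBR = build_sample_mbr(SAMPLE_CODE, [(0x80, 0x06, 63, 204800),
                                         (0x80, 0x05, 100000, 50000)])

if __name__ == "__main__":
    print("clean table:", partition_table_is_valid(CLEAN_MBR))
    print("bad table:  ", partition_table_is_valid(BAD_MBR))
    print("safe to restore clean copy:", recovery_is_safe(CLEAN_MBR, CLEAN_MBR))
    print("safe to restore bad copy:  ", recovery_is_safe(CLEAN_MBR, BAD_MBR))
```

The second sample table is the kind of thing the earlier answer warns about: a recovered sector whose code bytes still match but whose partition table no longer makes sense, in which case the safe decision is to refuse the rewrite and rebuild the table by other means.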

Monkey ONLY infects a hard disk when an infected diskette is in drive A: during a "restart" of the computer.  The restart might be by turning on the power, or by pressing the RESET button, or by pressing CTRL-ALT-DEL.  The diskette in drive A: doesn't have to be a system diskette, in fact it can be a "blank" diskette.  All it needs to be is a diskette that was used in an infected computer at least once in its history.  Any time you see the message "Non system disk or disk error: Replace and press any key to continue ...." if that diskette was infected, the hard disk is now infected as well.

The MBR is the first software to run on a computer, when you start the computer from a hard disk.  This means the virus runs first, before any DOS programs, before even DOS or any other operating system is loaded.  The virus installs itself in memory, sets itself up to watch all attempts to read from or write to any disk, and then reads the original MBR from where it hid it in sector 3, decodes it, and runs it.  The MBR then proceeds to load the operating system in its normal fashion, but with the virus running in the background, watching all disk access.

While the virus is running, it does three things.  1) If an attempt is made to "look at" the virus on the disk, that is, an attempt to read sector one, then the virus shows a decoded copy of sector three.  So a program looking for the virus will see a clean MBR instead.  2) If an attempt is made to write to sector one (thereby overwriting the virus) no write happens.  3) On any other disk or diskette access, the virus might decide to infect the disk or diskette being accessed, if it isn't already infected.

On diskettes, the virus infects the first sector, which is called the "boot sector".  This is the first software the computer runs if the diskette is left in drive A: when the computer is restarted.  The infection cycle is complete.

NOTES:
1.  Monkey does not keep a copy of the partition table intact in sector one.  The only way to read the partition table of a hard drive that is infected with Monkey is by decoding sector three.  If the virus is running, it does this automatically whenever any software asks for the information in the "traditional" way.  Unfortunately, with accelerated disk controllers and "32-bit Windows access" or OS/2, the hard disk isn't accessed in the "traditional" way.

2.  Monkey DOES NOT damage file systems.  It does not write to the file system in any way.  If your file system has become corrupted, or files have been erased, something else caused that.  The analogy I use is that Monkey is like a vandal damaging the front door lock on a house.  The contents of the house are untouched, but until the door lock is fixed, one can't get into the house to see or use the contents.

3. Monkey does not spread via modem, networks, or the Internet.  If it is on your hard disk, it got there from a diskette that was in drive A: sometime in the past.  Even if you have never used a diskette in drive A: of your computer, the people who set your computer up for you, or last did maintenance on it, likely have.

4. Monkey was first discovered in February 1992 (the beginning of the "Year of the Monkey"), and has been reported all over the world.  If it has gotten to your corner, I'm not surprised.

----------------------------

Question: How does Killmonk work?

Answer:
If Monkey is running on a computer, it is visible in memory, as long as a program knows where to look.  And if Monkey is not running, then it is visible on the hard disk.  In both cases, Killmonk knows where to look.
If the virus is currently running, then Killmonk uses the virus' own tricks to decode the hidden copy of the MBR and rewrite it to sector one. If the virus isn't currently running, the cleanup steps are even easier.

If the hard disk was cleaned by Killmonk, then Killmonk insists on rebooting the computer.  If the hard disk wasn't infected, then Killmonk will give you the option of cleaning diskettes.

Killmonk v. 3.0 also removes a virus related to Monkey, called Int_10, and it has improvements to remove the virus from second hard drives, as well as improvements in its ability to clean up after other programs have messed up the cleanup effort.

----------------------------

Question: What can I do if Killmonk fails?

Answer:
That's a tricky one.  The task has two parts: first fix the boot program part of the Master Boot Record, and second, fix the partition table.  For someone who knows what they are doing, these tasks are not difficult.  But few people know how to do it.

First, make sure you have tried Killmonk from both a clean diskette and from the hard drive -- if you can still boot the computer from the hard drive.

If you live in or near Edmonton, Canada, you could bring your computer to me, and I can remove the virus for you, for a fee. If you can find a technician nearby who is good at handling computer virus problems, you might see if she can help.

Or you might try to do the job yourself.  The easiest way to do it yourself is with a combination of "FDISK /MBR" to reinstall the DOS boot program code, and Norton Disk Doctor to rebuild the partition table.  You will need a clean system diskette, a clean diskette with FDISK.EXE, and a diskette with Norton Disk Doctor.

1. Confirm that the CMOS BIOS setting is set for your computer to boot from A: if there is a diskette in A:.  On most systems, this involves pressing the DEL key while the computer is first starting up, and working your way through a "setup" menu of some kind.

2. Write protect your clean system diskette.

3. Confirm that it is clean.  (You can do this by checking it with Killmonk running on a clean computer.)

4. Boot your computer from the clean diskette.

5. Run FDISK /MBR.  This will put the proper boot code back into the first sector of the hard drive.

6. Run Norton Disk Doctor, and follow the menu steps to rebuild a corrupted partition table.

------------------------------
Tim Martin Spatial Information Systems, University of Alberta
Tim.Martin@UAlberta.CA

Peculiar travel suggestions are dance lessons from God.
-Bokonon