Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!usc!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@UVS1.orl.mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: Stoned (PC)
Message-ID: <0004.9006061301.AA19134@ubu.cert.sei.cmu.edu>
Date: 5 Jun 90 14:44:06 GMT
Sender: Virus Discussion List
Lines: 24
Approved: krvw@sei.cmu.edu

>During the last two months there were several asks how to remove
>the STONED-virus from harddisks. The solution is quite easy :

In previous issues, I have seen a number of postings on the STONED
virus regarding disinfecting disks. One thing that is often missed is
that three separate methods seem necessary:

	a) floppy disks
	b) un-partitioned hard disks
	c) partitioned hard disks

It is not well documented but on boot up with a partitioned disk there
is executable code in the partition table that tells DOS where to find
the boot record for the first partition and that the STONED is reported
to be able to infect this (I have a copy but have not had the time to
check it out).

DEBUG cannot read/modify the partition table so some of the methods
presented thus far will not necessarily work on such a disk.

I suspect that the STONED simply replaces the first physical sector
(DEBUG uses logical sectors) and does not care whether it contains the
boot sector or the partition table and stores the original sector in
physical sector 7.

						Padgett Peterson
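
Added example, not part of the original post: a sketch of the physical-versus-logical sector distinction drawn above, parsing the partition table of a constructed first sector and checking whether the two physical sectors the post names fall inside the range a logical-sector tool can address. The geometry (17 sectors per track, 4 heads, 201 cylinders), the partition starting at cylinder 0, head 1, sector 1, and all function names are assumptions made for illustration.

```python
import struct

SECTOR = 512
TABLE_OFF = 0x1BE              # partition table offset inside the first physical sector
SPT, HEADS, CYLS = 17, 4, 201  # assumed geometry for the constructed sample

def chs_to_abs(cyl, head, sec, heads=HEADS, spt=SPT):
    """Physical CHS address (sector is 1-based) -> 0-based absolute sector."""
    return (cyl * heads + head) * spt + (sec - 1)

def parse_partitions(sector0):
    """Return the non-empty partition entries of a partition sector."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA signature: not a partition/boot sector")
    parts = []
    for i in range(4):
        e = sector0[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        boot, h, s, c, ptype, _eh, _es, _ec, rel, count = struct.unpack("<8B2I", e)
        if ptype == 0:          # type 0 marks an unused slot
            continue
        parts.append({"active": boot == 0x80, "type": ptype,
                      "start_chs": (((s & 0xC0) << 2) | c, h, s & 0x3F),
                      "first_abs": rel, "sectors": count})
    return parts

def reachable_by_logical(abs_sector, part):
    """True if a tool addressing logical sectors of `part` can reach abs_sector."""
    return part["first_abs"] <= abs_sector < part["first_abs"] + part["sectors"]

def build_sample():
    """Constructed partition sector: one active DOS FAT12 partition at CHS 0/1/1."""
    entry = struct.pack("<8B2I", 0x80, 1, 1, 0, 0x01, HEADS - 1, SPT, CYLS - 1,
                        chs_to_abs(0, 1, 1), CYLS * HEADS * SPT - SPT)
    return bytes(TABLE_OFF) + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    part = parse_partitions(build_sample())[0]
    print("DOS logical sector 0 is absolute sector", part["first_abs"])
    for chs in [(0, 0, 1), (0, 0, 7)]:   # the two physical sectors named in the post
        a = chs_to_abs(*chs)
        print(chs, "-> absolute", a, "reachable:", reachable_by_logical(a, part))
```

With this layout, logical sector 0 of the partition is absolute sector 17, so both the first physical sector and physical sector 7 of track 0 lie outside what logical-sector addressing can reach; inspecting them needs a tool that reads by physical address.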