Path: utzoo!attcan!uunet!cs.utexas.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: 70033.1271@CompuServe.COM (Steve Albrecht)
Newsgroups: comp.virus
Subject: Removal of Stoned Virus (PC)
Message-ID: <0006.9007271529.AA28148@ubu.cert.sei.cmu.edu>
Date: 27 Jul 90 12:44:46 GMT
Sender: Virus Discussion List
Lines: 97
Approved: krvw@sei.cmu.edu

> From: Yavuz Selim KOMUR
> Subject: Stoned Virus Clear (PC)
>
> Hello Virus networker.
> We have the Stoned virus in a PC. How do I clear it from the partition
> table? I tried to format the hard disk two times, but I was not
> successful. Thanks for your comments.
>
> Yavuz.

Yavuz,

In response to an occurrence of the Stoned virus in India and at our
headquarters here in Rhode Island, the following are the procedures which
we directed our MIS personnel to use to remove the Stoned virus.

The Stoned virus (or the New Zealand virus) resides in the partition table
(reference: The PC Virus Control Handbook, International Security
Technology, Inc., p. 48). If an infected floppy diskette is used to boot a
machine, the virus will copy itself into the partition table on the hard
disk of the computer, regardless of whether the floppy diskette is a
system diskette. If a hard disk is infected with this virus, the partition
table of any DOS formatted diskette will subsequently be infected if it is
accessed after a normal hard drive boot.

The virus sits in the first physical sector on the hard disk and the first
physical sector on a floppy disk. The text strings "Your PC is now Stoned"
and "LEGALISE MARIJUANA" will reside in the partition table. Use a utility
such as NORTON UTILITIES, ADVANCED EDITION, to search for the text strings
in Side 0, Cylinder 0, Sector 1 (in Absolute Sector mode) of the hard disk
or a floppy disk. On a floppy disk the first physical sector is also the
first logical sector, which is also occupied by the boot track.
The partition table and the boot track on a floppy disk are effectively the
same thing. On a hard disk, the first physical sector (occupied by the
partition table) and the first logical sector (occupied by the boot track)
are two very different sectors.

Because the virus resides in the first physical sector of a hard disk, DOS
FORMAT.COM will not destroy it. FORMAT.COM works on the logical drive, not
the physical drive. Furthermore, DOS FDISK.COM will not remove the virus in
all cases. I experienced one case where FDISK did overwrite the virus, but
two cases where it did not.

USE DISK MANAGER TO LOW-LEVEL FORMAT, RE-PARTITION, AND HIGH-LEVEL FORMAT
THE HARD DISK. Low-level formatting the hard disk and rewriting the
partition table will remove the virus. SPINRITE may be equally effective,
but I have not yet tested it. (Note: There may be other equally effective
utilities for a low-level format, and for writing a new partition, but
these are the tools which our MIS personnel have.)

It is also possible to repartition the hard disk with DISK MANAGER,
overwriting the partition table and the virus with a new partition table
WITHOUT destroying the contents of the hard disk. I have done this only
once, and I cannot say that this operation will work in every case or will
overwrite the virus in every case, but it is certainly worth a try.
However, YOU MUST HAVE a current backup available in case this fails AND
YOU MUST BE ABLE to check the partition table after the operation to make
certain that the repartitioning alone overwrites the virus.

Because the virus resides in the first logical sector on a floppy disk, it
is important that you not back up the hard disk with DOS. A DOS backup
disk will have a DOS format, meaning that the partition table and boot
track are created by DOS. If this format is created from a computer where
the hard disk is infected with this virus, the partition table and the boot
track on the diskettes will be infected.
Thus, if one of these diskettes is used to boot a machine by accident, the
partition table on the hard disk will be reinfected. It is unlikely that
the partition table on the hard disk will be reinfected by a restore
operation alone, but DO NOT TAKE THE CHANCE WITH DOS UNLESS IT IS THE ONLY
BACKUP METHOD AVAILABLE.

Making a backup with FASTBACK will not create infected diskettes, because
FASTBACK does not use a DOS format. Thus, restoring a hard disk backup,
created with FASTBACK while the partition table was infected, presents no
danger of reinfecting the hard disk.

I hope that this has been helpful, and I also welcome comments from others
concerning procedures to remove the Stoned virus.

Steve Albrecht
MIS Field Services
PLAN International
70033,1271@compuserve.com
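The check described in the post above (look for the two text strings in the first physical sector, Side 0 / Cylinder 0 / Sector 1, i.e. LBA 0), together with the physical-versus-logical distinction that explains why FORMAT does not remove the virus, as an added example that is not part of Steve Albrecht's post and uses no tool named in it. The disk image, its single partition starting at LBA 1, the marker offset inside the MBR code area and the "user data" sectors are all constructed for the demonstration; the only values taken from the post are the two text strings. The simulated FORMAT and repartition functions model the behaviour the post describes, not DOS or DISK MANAGER code.

```python
import struct

SECTOR = 512
PT_OFFSET = 446             # the four 16-byte partition entries sit at bytes 446..509 of the MBR
STONED_MARKERS = (b"Your PC is now Stoned", b"LEGALISE MARIJUANA")   # strings named in the post


def partition_entries(mbr):
    """Yield (boot_flag, type, start_lba, sector_count) for the four MBR entries.
    CHS bytes are skipped (3x); only the LBA fields are used here."""
    for i in range(4):
        yield struct.unpack_from("<B3xB3xII", mbr, PT_OFFSET + 16 * i)


def find_markers(sector):
    """Return the Stoned text strings present in one 512-byte sector."""
    return [m.decode("ascii") for m in STONED_MARKERS if m in sector]


def scan_image(image):
    """Check physical sector 0 (partition table / MBR) and, separately, the first
    LOGICAL sector of every partition (the DOS boot track)."""
    mbr = image[:SECTOR]
    report = {"physical_sector_0": find_markers(mbr), "logical_boot_sectors": {}}
    for idx, (_boot, ptype, start, count) in enumerate(partition_entries(mbr)):
        if ptype == 0 or count == 0:
            continue                                   # empty partition slot
        vbr = image[start * SECTOR:(start + 1) * SECTOR]
        report["logical_boot_sectors"][idx] = find_markers(vbr)
    return report


def clean_boot_sector():
    """A minimal DOS-style volume boot sector (constructed, not a real one)."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x3C\x90"                         # jump over the BPB, as DOS boot sectors do
    vbr[3:11] = b"MSDOS5.0"                            # OEM name
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)


def build_mbr(entries, code_area=b""):
    """Assemble an MBR: boot-code area, four partition entries, 0x55AA signature."""
    mbr = bytearray(SECTOR)
    mbr[0:len(code_area)] = code_area
    for i, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, PT_OFFSET + 16 * i, boot, ptype, start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed layout: one bootable FAT16 partition (type 0x06) at LBA 1, 3 sectors long.
SAMPLE_ENTRIES = [(0x80, 0x06, 1, 3), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)]
USER_DATA = b"payroll.dbf contents (constructed sample)".ljust(SECTOR, b"\0")


def build_sample_image(infected):
    """4-sector image: MBR at LBA 0, boot track at LBA 1, user data at LBA 2..3.
    An 'infected' image carries the marker strings inside the MBR code area."""
    code = (b"\0" * 0x100 + b"Your PC is now Stoned LEGALISE MARIJUANA") if infected else b""
    return build_mbr(SAMPLE_ENTRIES, code) + clean_boot_sector() + USER_DATA + USER_DATA


def simulate_dos_format(image):
    """Model of what FORMAT does: rewrite each partition's LOGICAL first sector.
    Physical sector 0 is never touched, so the markers survive."""
    img = bytearray(image)
    for _boot, ptype, start, count in partition_entries(img[:SECTOR]):
        if ptype and count:
            img[start * SECTOR:(start + 1) * SECTOR] = clean_boot_sector()
    return bytes(img)


def rewrite_partition_table(image):
    """Model of the non-destructive repartition the post describes: write a fresh
    MBR that keeps the same partition entries, leaving LBA 1 onward untouched."""
    entries = list(partition_entries(image[:SECTOR]))
    return build_mbr(entries) + image[SECTOR:]


if __name__ == "__main__":
    img = build_sample_image(infected=True)
    print("infected image :", scan_image(img))
    print("after FORMAT   :", scan_image(simulate_dos_format(img)))
    print("after new MBR  :", scan_image(rewrite_partition_table(img)))
```

Run against a real device you would read the first 512 bytes of the raw disk (not of a drive letter) into `image[:SECTOR]` and feed the partition's first sector the same way; the point the two simulations make is that a positive `physical_sector_0` result that persists after a high-level format is expected, and only rewriting LBA 0 clears it, which is why the post insists on checking the partition table after repartitioning.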