Xref: utzoo comp.sys.ibm.pc.misc:4103 alt.folklore.computers:7392
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!magnus.ircc.ohio-state.edu!news
From: smsmith@hpuxa.ircc.ohio-state.edu (Stephen M. Smith)
Newsgroups: comp.sys.ibm.pc.misc,alt.folklore.computers
Subject: Re: STONED virus (I got STONED too!...all about STONED)
Message-ID: <1990Nov27.220707.2712@magnus.ircc.ohio-state.edu>
Date: 27 Nov 90 22:07:07 GMT
References: <1990Nov27.141833.18847@mailer.cc.fsu.edu>
Sender: news@magnus.ircc.ohio-state.edu
Distribution: na
Organization: The Ohio State University (IRCC)
Lines: 118
Nntp-Posting-Host: hpuxa.ircc.ohio-state.edu

In article <1990Nov27.141833.18847@mailer.cc.fsu.edu> svihla@evax0.eng.fsu.edu writes:
>
> Our department recently discovered the
>STONED virus on six of our computers. We were able to detect it and remove
>it with no apparent damage to our system. Is STONED usually this benign or
>were we just lucky? As I understand it, STONED can only propagate from a
>floppy to a hard drive if a boot is initiated while an infected floppy is in
>the A: drive. Is STONED unable to propagate in this manner from a B: drive?
>How about from a Zenith PC, which are usually set to default boot from the
>hard drive - will STONED only propagate if you initiate a floppy boot via the
>Monitor program with a defective floppy in the A:drive? Lastly, we found
>STONED on many of our floppy disks - how does STONED transfer from the hard
>disk to a floppy? Does this only occur when you format a floppy disk on an
>infected machine? Does the presence of the STONED virus on a floppy disk
>imperil the information stored on it in any way, or does the floppy just act
>as a vector for the STONED virus? Thanks in advance for any responses.

Ah, yesssssss....the STONED virus. About 6 months ago I learned
all about the STONED virus the hard way!!! The whole ordeal also
was my first real hacking experience...

This is what the STONED virus does according to my observations:
It takes the info from the boot sector of a floppy disk (sector
number one), transfers it in whole to sector number eleven, then
overwrites sector one with near identical data but with a nice
message saying "YOUR PC HAS JUST BEEN STONED. LEGALIZE MARIJUANA!"
(or something like that). That's how it got its name--the "STONED"
virus. It *is* a very benign virus and it is easy to remove if you
have the right utilities. I'll explain that below.

The STONED virus is really sneaky. If a computer has been affected,
all you have to do to get it on your floppy is to place it in the
drive and do a simple "dir" on the floppy, and....voila!! Instant
virus on your floppy! No warning, no write command, no copy command--
just a simple read command will do it. It even suppresses the "disk
is write-protected" message if it can't write on your disk. Swift,
clean, and insidious... It infected about 10 of my disks.

(I think I'll cross-post this to alt.folklore.computers for the
following hilarious story...)

There I was trying to get a new word processor to work in a
particular video setting. I had about a dozen new disks I was
using--the real expensive Verbatim teflon-coated preformatted
factory fresh kind. I had spent several days on this computer (in
a computer lab) and had *just* finished arranging all the files
exactly the way I wanted them when I noticed that one of the file's
names had been changed. The new name isn't printable here because
it included a bunch of non-ASCII characters. So of course I couldn't
simply "ren" the file because I couldn't enter those characters, and
that also meant I couldn't delete it. And then in trying to get this
solved another file or two did the same thing. "Stupid machine; the
floppy must be making mistakes on me," I thought. So I formatted the
disk, recopied files for the millionth time, and it went away.
Temporarily...

Fortunately I had a virus scanning program with me.
After an hour or so of frustration I decided I might as well run
the scan (not expecting anything to happen of course). Lo and
behold, the scan came up with a virus on my diskette. "Where did I
get this?" I checked another disk..."Wow, there it is again." About
6 or 7 disks later I realized it was on every disk I was putting in
the machine. Not only that, but when I formatted a disk that was
infected it *still* came up with the virus on it.

"Ah hah! I'll do a virus scan on an *uninfected* disk....

"What?!!! On this disk too!!! And it was straight out of the box--
preformatted at that! THERE'S A VIRUS AT VERBATIM--I BETTER CALL
THEM QUICK! Boy, I can't imagine how many tens of thousands of
virus-infected disks they must be shipping out!"

So I rushed to the phone and dialed their 1-800 number and... they
were closed. It was Friday night and they wouldn't be open again
till Monday. Lucky for me, too!

Well, I don't know what finally clued me in to the situation here.
I found out that if I put a *write-protected* new disk in the drive
and did a scan it came up clean, but if it was not write-protected
it was infected. Conclusion: The computer was writing the virus on
every disk that I scanned for the virus. As I said above: Insidious.

I now realize that the reason the file names were getting screwed up
was that by writing over sector 11 the virus was messing around with
the FAT (File Allocation Table).

How to get rid of it: Put in an uninfected disk with a
write-protection on it. Use a sector reading/writing utility and
copy sector 11 into memory then remove the disk. Put in infected
unprotected disk and write the info from memory onto the infected
disk's sector 11. Repeat the process with sector 1. This is all from
memory, so I hope that sector 11 is correct. Just look at it and see
if the boot info has been placed there.

In order to clear it off the hard disk you will need a virus remover.
Simply deleting all the files and recopying them back may not work
because they tried that on my computer and it was still there,
though I think the reason for that is they booted from the hard
drive rather than the floppy before they erased the disk and did
the recopying.

Good luck.

S. "Stevie" Smith \ + / ,,@ ircc.ohio-state. \ + / {7%*@,..":27g)-=,#*:.#,/6&1*.4-,l@#9:-) " edu> \ + / BTW, WYSInaWYG \ + / --witty.saying.ARC
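
An added example, not part of the original post: a Python version of the boot-sector check and the sector-copy repair described above, run against constructed raw disk images. It assumes 512-byte sectors numbered from 1 as in the post, takes sector 11 and the message words from the poster's recollection, and every function name is hypothetical.

```python
SECTOR = 512  # assumption: 512-byte sectors, numbered from 1 as in the post
# Words from the message as the poster recalled it; matched case-insensitively.
MARKERS = (b"STONED", b"MARIJUANA")

def sector(image, n):
    """Return sector n of a raw image, counting from 1 as the post does."""
    return image[(n - 1) * SECTOR:n * SECTOR]

def looks_like_boot_sector(sec):
    # A DOS boot sector starts with a jump opcode and ends with 55 AA.
    return len(sec) == SECTOR and sec[0] in (0xEB, 0xE9) and sec[510:] == b"\x55\xaa"

def inspect(image, scan_sectors=20):
    """Report message markers in sector 1 and boot-sector copies elsewhere."""
    boot = sector(image, 1).upper()
    markers = [m.decode() for m in MARKERS if m in boot]
    copies = [n for n in range(2, scan_sectors + 1)
              if looks_like_boot_sector(sector(image, n))]
    return {"markers": markers, "relocated_copies": copies,
            "suspicious": bool(markers) or bool(copies)}

def restore_from_clean(infected, clean, sectors=(1, 11)):
    """Copy the named sectors from a known-clean image, as the post describes."""
    fixed = bytearray(infected)
    for n in sectors:
        fixed[(n - 1) * SECTOR:n * SECTOR] = sector(clean, n)
    return bytes(fixed)

def _boot(text):
    # Constructed 512-byte sector: jump, filler text, 55 AA signature.
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x3c\x90"
    sec[3:3 + len(text)] = text
    sec[510:] = b"\x55\xaa"
    return bytes(sec)

def build_samples():
    """Constructed 20-sector images: one clean, one altered as the post describes."""
    original = _boot(b"CONSTRUCTED BOOT")
    clean = original + bytes(SECTOR * 19)
    altered = bytearray(clean)
    altered[0:SECTOR] = _boot(b"Your PC has just been STONED. LEGALIZE MARIJUANA!")
    altered[10 * SECTOR:11 * SECTOR] = original
    return clean, bytes(altered)

if __name__ == "__main__":
    clean, altered = build_samples()
    restored = restore_from_clean(altered, clean)
    for name, img in (("clean", clean), ("altered", altered), ("restored", restored)):
        print(name, inspect(img))
```

Run the check on an image taken from a write-protected disk, since the post observes that an unprotected disk was altered just by being read on the infected machine.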