Xref: utzoo comp.sys.ibm.pc.misc:4107 alt.folklore.computers:7398
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!know!sdd.hp.com!elroy.jpl.nasa.gov!ncar!boulder!seri!wind55!marshall
From: marshall@wind55.seri.gov (Marshall L. Buhl)
Newsgroups: comp.sys.ibm.pc.misc,alt.folklore.computers
Subject: Re: STONED virus (I got STONED too!...all about STONED)
Message-ID:
Date: 27 Nov 90 23:37:39 GMT
References: <1990Nov27.141833.18847@mailer.cc.fsu.edu> <1990Nov27.220707.2712@magnus.ircc.ohio-state.edu>
Sender: news@seri.gov (news)
Distribution: na
Organization: Solar Energy Research Institute
Lines: 101

smsmith@hpuxa.ircc.ohio-state.edu (Stephen M. Smith) writes:

[Story about an experience with "Stoned" deleted]

>In order to clear it off the hard disk you will need a virus
>remover. Simply deleting all the files and recopying them back
>may not work because they tried that on my computer and it was
>still there, though I think the reason for that is they booted
>from the hard drive rather than the floppy before they erased
>the disk and did the recopying.

I got hit a couple of months ago. You can recover a hard disk without software, but it's a pain.

I had two infected disks. One was a 150MB drive with about 100MB of data on it. The other was a 300MB drive with 280MB of data on it.

I backed up all the files on the small system to tape. Did a "low-level" format of the drive, ran FDISK, then reFORMATted the drive for DOS. I then restored the tapes. This took forever. Being paranoid (well not really - people really were after me :-), I made two backups and verified both. I also verified the restore. This took me most of a very frustrating day.

When I realized how long it would take to repair the big disk, I got really depressed. I called some associates who are in the computer security business and they recommended I contact Digital Dispatch about their VirHunt package. I called them up (800-221-8091) and they said their program could remove the virus.
I quickly filled out a PR, got signatures and begged my purchasing agent to call them up with a PO number. A few minutes later, I called them up. They gave me the number of their PC and I dialed in and we used Crosstalk to get the program into my PC. Fifteen minutes later, I had removed the virus from the big system. This happened within about an hour of even hearing that DDI even existed.

Talk about mood swings. I went from the deepest depression to the highest high I've ever experienced. This made manic depression look like child's play. I was literally bouncing up and down with tears running down my face. I'll be forever in debt to DDI for them saving my ass. I'll probably fondly remember them on my deathbed.

Anyway, I highly recommend the product ($50). I had a copy of McAfee's SCAN program that someone sent me to try out. When I suspected a problem, I tried SCAN and it found the virus, but wouldn't do anything to remove it. I like VirHunt much better. I've gotten rid of SCAN - it just doesn't compete. No computer support jock should live without it.

Sermon mode on...

OK folks. Whoever you are that created this cute little virus. You think it's "harmless." Well sure, it didn't destroy any data. But it did cost me more than two days' work. One wasted repairing the first hard disk and another checking every disk we have. Do you have any idea how long it takes (and how incredibly boring it is) to check dozens of hard disks and thousands of floppies? Talk about tedium. All I can say is you better not brag about writing a virus within earshot of me. You won't last the night.

Sermon mode off.

It turns out one of my users had been computing around with his home PC and brought the infection into work. Damn slut! It then spread to my secretary's disk where I found it. She had been having problems for a while and the symptoms reminded me of the Disk Killer virus (a really nasty one I hear). I was actually looking for Disk Killer when I found Stoned.
Turns out she was having problems with conflicts between Crosstalk XVI and DOS 4.01.

We really lucked out finding Stoned this way. A few days later and the infection could have spread throughout the institute. Instead of having to check a few dozen PCs, it would have been hundreds of hard disks and tens of thousands of floppies. Whew!

To the original poster: I think having a PC that won't boot off of drive A: would help protect you from this virus. Many people leave a floppy in the drive when they turn their PC off at night and turn it on in the morning. I also may boot a PC many times when setting one up. I don't always remember to unlatch the floppy.

That's how you get it. When you boot off an infected floppy, it leaves a little TSR in memory. That TSR looks for floppy accesses and infects floppies when they are not write protected. Every time you boot from an infected hard disk or floppy, the TSR gets loaded and is ready for action. Even if your infected floppy isn't bootable, it will infect your system when it tries to boot off it. You will get the non-system disk message when you do this as you would from a normal data disk.

Personally, I feel that a PC should boot from a floppy only when you tell it to do so. It should not be the default. Maybe you BIOS manufacturers (if that's who's responsible) can take a hint. Give us a break guys.

--
Marshall L. Buhl, Jr.                EMAIL: marshall@seri.gov
Senior Computer Missionary           VOICE: (303)231-1014
Wind Research Branch                 1617 Cole Blvd., Golden, CO  80401-3393
Solar Energy Research Institute      Solar - safe energy for a healthy future