Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!ucsd!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: Stoned (PC)
Message-ID: <0005.9012041357.AA13652@ubu.cert.sei.cmu.edu>
Date: 5 Dec 90 12:41:17 GMT
Sender: Virus Discussion List
Lines: 27
Approved: krvw@sei.cmu.edu

OK folks, let's put this hysteria to rest. After all, the internals are only 512 bytes and it really is not very smart. So far, I have not seen it cause any destruction to hard disks; it just slides the real partition table over to sector 7 and plants itself in sector 1. When booted, it creates a 1k area for itself to go resident at the TOM by changing location 0:413, and infects any 360k floppy (I'm talking the Mk 1 version) accessed.

Since the "hidden" sectors of most fixed disks are unused, no damage is done here, but since floppies use all legal sectors, the STONED will overwrite the last 512 bytes of the directory table with the real boot record (side 1, cyl 0, sector 3). If a floppy has over 96 files in the directory table, including deleted files, this will overwrite the last entries and trash a DIR or CHKDSK operation. While the files are still there and someone good can probably recover them, DOS is in trouble.

Now what "extra added attractions" hackers have put into the plain STONED remains to be seen - it would not be difficult to replace the message mechanism with something else. Similarly, the STONED infects only by booting from an infected floppy; however, a trojan designed to put the STONED into a partition table would again be a trivial exercise. (See earlier postings on how to remove it & reverse.)

Myself, I am almost as sick of seeing the STONED as the JERUSALEM.

Padgett
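The disk geometry in the post, worked through as an added example (this is not code from the posting, and it contains no Stoned code). It maps the parking spots Padgett names (side 1, cyl 0, sector 3 on a 360k floppy; sector 7 on a fixed disk) to logical sector numbers, shows why the floppy copy lands on the last root-directory sector and clobbers entries 97 to 112, computes the 1 KB top-of-memory hole from the 0:413 word, and applies the "reverse" step of copying the parked original back over sector 0. The 360k image, the file entries and the boot-sector-shaped stub used to simulate the infection are constructed here; the media table, function names and the structural "looks like a boot record" heuristic are my assumptions, not a published signature.

```python
"""Stoned-style boot-sector layout: geometry, damage estimate and recovery.

Added example; the sample image, media table and heuristics are constructed
for illustration and are not taken from the posting or from any virus sample.
"""

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
ENTRIES_PER_SECTOR = SECTOR // 32          # 32-byte FAT directory entries

# 360k floppy: 2 heads, 9 sectors/track, boot sector 0, two 2-sector FATs,
# 7-sector root directory (112 entries).  The fixed-disk row only needs the
# parking spot; the post says the real partition table goes to sector 7.
MEDIA = {
    "floppy360": dict(heads=2, spt=9, root_start=5, root_sectors=7, park_chs=(0, 1, 3)),
    "harddisk":  dict(heads=None, spt=None, root_start=None, root_sectors=0, park_chs=(0, 0, 7)),
}

def chs_to_lba(cyl, head, sector, heads, spt):
    """Classic CHS -> 0-based logical sector (sector numbers are 1-based)."""
    return (cyl * heads + head) * spt + (sector - 1)

def parking_sector(media):
    """Logical sector where the original boot/partition record is parked."""
    g = MEDIA[media]
    cyl, head, sector = g["park_chs"]
    if g["heads"] is None:                 # cylinder 0, head 0: geometry-independent
        return sector - 1
    return chs_to_lba(cyl, head, sector, g["heads"], g["spt"])

def clobbered_root_entries(media):
    """1-based range of root entries the parked copy overwrites, or None."""
    g, park = MEDIA[media], parking_sector(media)
    if not g["root_sectors"] or not (g["root_start"] <= park < g["root_start"] + g["root_sectors"]):
        return None
    first = (park - g["root_start"]) * ENTRIES_PER_SECTOR
    return first + 1, first + ENTRIES_PER_SECTOR

def sector(img, n):
    return bytes(img[n * SECTOR:(n + 1) * SECTOR])

def looks_like_boot_record(buf, media):
    """Structural check only (assumption): 55AA signature plus a plausible shape."""
    if len(buf) != SECTOR or buf[510:512] != BOOT_SIG:
        return False
    if media == "harddisk":                # four partition entries at 446, status 00/80
        return all(buf[446 + 16 * i] in (0x00, 0x80) for i in range(4))
    return buf[0] in (0xEB, 0xE9)          # a DOS boot sector opens with a jmp over the BPB

def analyze(img, media):
    """Infected if the parking sector holds a boot-record-shaped copy that differs from sector 0."""
    park = parking_sector(media)
    s0, parked = sector(img, 0), sector(img, park)
    parked_ok = looks_like_boot_record(parked, media)
    return dict(parking_sector=park, parked_looks_like_boot=parked_ok,
                infected=parked_ok and parked != s0,
                clobbered_entries=clobbered_root_entries(media))

def entries_at_risk(clean_img, media):
    """On a clean disk: root entries (in use or deleted, 0xE5) in the sector that would be overwritten."""
    rng = clobbered_root_entries(media)
    if rng is None:
        return 0
    base = MEDIA[media]["root_start"] * SECTOR
    return sum(1 for i in range(rng[0] - 1, rng[1]) if clean_img[base + i * 32] != 0)

def restore(img, media):
    """The 'reverse' step: put the parked original back in sector 0.
    Directory entries the parked copy replaced are not recovered by this."""
    out = bytearray(img)
    out[0:SECTOR] = sector(img, parking_sector(media))
    return out

def resident_segment(base_kb):
    """Lower the BIOS base-memory word at 0:413 by 1 KB; returns (new value, segment of the hole)."""
    new_kb = base_kb - 1
    return new_kb, new_kb * 64             # 64 paragraphs per KB

def build_clean_floppy(n_entries=100):
    """Constructed 360k image: DOS-shaped boot sector and n_entries fake root entries."""
    img = bytearray(2 * 40 * 9 * SECTOR)
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11], boot[510:512] = b"\xEB\x3C\x90", b"EXAMPLE ", BOOT_SIG
    img[0:SECTOR] = boot
    root = MEDIA["floppy360"]["root_start"] * SECTOR
    for i in range(n_entries):
        img[root + i * 32: root + i * 32 + 11] = b"FILE%04dTXT" % i
        img[root + i * 32 + 11] = 0x20     # archive attribute
    return img

def simulate_infection(clean_img, media="floppy360"):
    """Park the real boot sector as the post describes, then drop a stub into sector 0.
    The stub is jmp-to-self padding, not virus code."""
    img, park = bytearray(clean_img), parking_sector(media)
    img[park * SECTOR:(park + 1) * SECTOR] = sector(clean_img, 0)
    stub = bytearray(SECTOR)
    stub[0:2], stub[510:512] = b"\xEB\xFE", BOOT_SIG
    img[0:SECTOR] = stub
    return img

if __name__ == "__main__":
    clean = build_clean_floppy()
    print("root entries Stoned would trash:", entries_at_risk(clean, "floppy360"))
    bad = simulate_infection(clean)
    print(analyze(bad, "floppy360"))
    print("TOM after 0:413 drop:", resident_segment(640))
    print("boot sector restored:", sector(restore(bad, "floppy360"), 0) == sector(clean, 0))
```

Run as-is it reports four entries at risk for the constructed 100-file floppy (entries 97 to 100 sit in the parking sector), flags the simulated image as infected, and confirms that copying the parked sector back yields the original boot sector. The same `analyze` and `restore` work on a raw image of a fixed disk's first track with `media="harddisk"`, where the parking sector is logical sector 6 (sector 7 in CHS terms) and no directory entries are involved.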