Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!usc!julius.cs.uiuc.edu!psuvax1!rutgers!bagate!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CCTR132@csc.canterbury.ac.nz (Nick FitzGerald)
Newsgroups: comp.virus
Subject: STONED again (Was Re: How safe are FTP sites from viruses? (PC))
Message-ID: <0003.9012051525.AA15332@ubu.cert.sei.cmu.edu>
Date: 30 Nov 90 09:45:00 GMT
Sender: Virus Discussion List
Lines: 75
Approved: krvw@sei.cmu.edu

In Virus-L V3 #190 Patrick Ryan wrote:

I am getting a little impatient with the rapidly proliferating
mythinformation about STONED in this list, so please excuse the tone
of this posting.

>maven@rata.vuw.ac.nz (Jim Baltaxe) writes:
>
>> Just a reminder that the Stoned virus is a boot sector invader
>> and executes only when a machine is booted from an infected disk.
>> Simply running _any_ program whether FTP'd or not will not result
>> in activating this virus. Therefore, there must have been another
>
>Are you SURE? I would disagree... the lab in our building has Stoned
>infections occurring very frequently, and not all of them are due to
>people booting from infected disks. If that WERE the case, how would
>it spread to a floppy from hard drive?

**ARE YOU SURE??** If so then you must have a new variant of STONED,
and it's a miracle that your virus scanners find it because most of
them *ONLY* look in the boot sector for STONED, because **STONED IS A
__BOOT SECTOR__ INFECTOR**. (I seriously doubt that the code
fragment/s the scanners search for would remain unchanged in such a
mutant, but it is possible.)

Attempting to boot off **ANY** Stoned-infected disk will install
STONED. The infected disk **DOES __NOT__** have to be a system disk.

REPEAT: Attempting to boot off **ANY** Stoned-infected disk will
install STONED.

In answer to Patrick's question re spreading from HD to floppy:

When executed (at bootup), STONED reserves 2K at top of memory, takes
over the BIOS interrupt 13H vector, checks if clock ticks mod 8 is
zero (and if booting from floppy?) and outputs "Your PC is now
Stoned!" if so, checks for hard disk to infect (if booting from
floppy), then loads and executes the original master boot record
(which it hid somewhere relatively safe when the disk was first
infected.) (At this point bootup will fail if you have an infected
non-system disk in A:, but the virus will remain active if you insert
a system disk in A: or open the drive door and allow bootup to proceed
from your HD.)

Any subsequent calls to INT 13H, requesting READ or WRITE functions,
result in the viral code being activated first. The virus then checks
the disk in A: for a STONED infection; if a non-infected disk is found
the virus infects that disk, then returns control to the original INT
13H code. This means that doing a DIR on a clean floppy in an infected
machine will result in the disk being infected.

The important thing about STONED (and probably most other boot sector
infectors) is that re/booting with *ANY* infected disk in A: (doing
the three-fingered salute while you have a data disk in A: - who
hasn't done this??) will result in the virus going resident. If you
have a non-infected HD it will normally be infected at this point.

When people say they booted off a clean HD, but now have a virus, if
it is a boot sector infector you can bet your life savings that they
had a floppy in A: with the door closed. What they mean is that the
system *loaded* off the HD - they *booted* off A:.

Now for some speculation: It is conceivable that a trojan could be
written to spread the STONED (or any other) virus. At execution, apart
from doing whatever the prog was supposed to do, it would have to do
what the virus it harboured does when infecting/installing itself. I
have neither seen nor heard of such a beast, but it is possible that
executables could spread virii that *by themselves* only spread
through boot sector mechanisms.

Readers who aren't already aware may be interested to know that Jim
Baltaxe was one of the people at Victoria University involved in
diagnosing and identifying the STONED virus.

- ---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz        Phone: (64)(3) 642-337
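The post's point is that STONED lives in the boot sector (or master boot record) and that scanners of the day looked only there for it. The following is an added example, not code from the post or from any scanner it mentions: a small offline inspector for the first 512 bytes of a disk or floppy image. It checks the 0x55AA boot signature, tries to tell an MBR from a floppy boot sector by sanity-checking the partition table, and searches the sector for the text "Your PC is now Stoned!" that the post says the virus prints. That last check rests on an assumption the post does not state: that the message is stored verbatim in the infected sector. It is a heuristic, not a signature; the post itself warns that a mutant could change the code fragments scanners look for, and the same goes for this string. The sample sectors are constructed here, not real dumps.

```python
"""Boot-sector / MBR inspector (added example, not from the post).

Assumption not stated in the post: the text "Your PC is now Stoned!"
that the virus prints at boot time is stored verbatim inside the 512-byte
sector carrying the virus. A variant that alters or packs the string
would not be flagged. Sample sectors below are constructed, not real.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"              # last two bytes of a bootable sector
PARTITION_TABLE_OFFSET = 0x1BE            # four 16-byte entries on an MBR
STONED_MARKER = b"Your PC is now Stoned!" # assumed present verbatim (see above)


def parse_partition_table(sector: bytes) -> list:
    """Decode the four MBR partition entries.

    On a floppy boot sector these bytes are ordinary code/data, so the
    result is only meaningful when looks_like_mbr() also holds.
    """
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def looks_like_mbr(sector: bytes) -> bool:
    """Heuristic: every status byte is 0x00 or 0x80 and at least one entry
    is non-empty. Boot code on a floppy sector rarely satisfies both."""
    entries = parse_partition_table(sector)
    return (all(e["status"] in (0x00, 0x80) for e in entries)
            and any(e["type"] != 0 for e in entries))


def scan_boot_sector(sector: bytes) -> dict:
    """Inspect one 512-byte sector and report what was found."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    marker_at = sector.find(STONED_MARKER)       # -1 when absent
    return {
        "bootable_signature": sector[510:512] == BOOT_SIGNATURE,
        "mbr_like": looks_like_mbr(sector),
        "stoned_marker_offset": marker_at,
        "suspect": marker_at != -1,
    }


def scan_image(path: str) -> dict:
    """Read sector 0 of a raw disk/floppy image and scan it."""
    with open(path, "rb") as f:
        return scan_boot_sector(f.read(SECTOR_SIZE))


def _make_sector(code: bytes, partitions: bool = False) -> bytes:
    """Build a constructed sample sector: JMP/NOP prologue, some 'code',
    optionally one active partition entry, and the boot signature."""
    body = bytearray(SECTOR_SIZE)
    body[0:3] = b"\xeb\x3c\x90"               # typical JMP SHORT + NOP prologue
    body[3:3 + len(code)] = code
    if partitions:
        # one active (0x80) FAT16 (0x06) partition: LBA 63, 20000 sectors
        struct.pack_into("<B3sB3sII", body, PARTITION_TABLE_OFFSET,
                         0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x0c",
                         63, 20000)
    body[510:512] = BOOT_SIGNATURE
    return bytes(body)


# Constructed samples (not dumps of real disks).
CLEAN_FLOPPY = _make_sector(b"MSDOS5.0 clean floppy boot code ...")
CLEAN_MBR = _make_sector(b"ordinary boot loader code ...", partitions=True)
INFECTED_MBR = _make_sector(b"\xb8\x00\x00\x8e\xd0" + STONED_MARKER + b"\x07",
                            partitions=True)

if __name__ == "__main__":
    for name, sec in (("clean floppy", CLEAN_FLOPPY),
                      ("clean MBR", CLEAN_MBR),
                      ("marker-bearing MBR", INFECTED_MBR)):
        print(name, scan_boot_sector(sec))
```

Run it against a real image with `scan_image("floppy.img")`; to check a physical drive you would feed it the first 512 bytes read from the raw device. A `suspect` result only says the marker text is present; a clean result says nothing, because, as the post notes, a mutant that changes the code fragments scanners look for would also evade a string match like this one.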