Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: Stoned (PC)
Message-ID: <0006.9101181512.AA09075@ubu.cert.sei.cmu.edu>
Date: 17 Jan 91 10:09:35 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 27
Approved: krvw@sei.cmu.edu

dave@tygra.ddmi.com (David Conrad) writes:
>Many recent postings have made the point that the Stoned virus
>overlays a sector in the FAT, thus causing damage to the file system.

The original "Stoned" virus came in two variants. Both infect the
Partition Boot Record - the first physical sector on the hard disk.
The original PBR is stored on head 0, track 0 and either on sector 2
or sector 7.

Those sectors are normally unused, but not always.  In particular, if
the hard disk is small, and formatted under DOS 2.x (even though it
may now contain DOS 3.x), the first track will be in use.

In some cases the DOS boot sector is located in sector 2, and will be
overwritten, but the other variant of the virus may overwrite a part
of the FAT - located at sector 7, which could, indeed, be restored
from the other copy - provided you do the repair right after
infection.

On large hard disk, or disks formatted under DOS 3.x this is not a
problem.

- -frisk

Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |