Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: CCTR132@csc.canterbury.ac.nz (Nick FitzGerald)
Newsgroups: comp.virus
Subject: Re: Stoned and Dark Avenger mutations (PC)
Message-ID: <0003.9104181717.AA10026@ubu.cert.sei.cmu.edu>
Date: 18 Apr 91 00:18:00 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 28
Approved: krvw@sei.cmu.edu

In VIRUS-L V4 #64 Raul Fernando Weber <WEBER@SBU.UFRGS.ANRS.BR> wrote:

>Three slightly different versions of the Stoned virus were detected
>during the last months in Porto Alegre (Southern Brazil).

>The first version contains the string "Your PC is now Stoned!  <bell>
><cr> <lf> <lf> <null> LEGALISE MARIJUANA!". In the second version this
>string now reads "Your PC is now Stoned! <bell> <cr> <lf> <lf> <null>
>LEGALISEm disk or d". Curiously, the last part of the modified string
>seems to be derived from the original boot sector, where the string
>"Non-System disk or disk error" can be found at the same offset. I
>wonder if this can happen due to a failure at the propagation routine?

This is not uncommon with Stoned.  I have seen exactly the same string
Raul mentions.  Stoned sometimes doesn't seem to replicate this last
part of itself correctly - I have seen several other variations on the
last part of the "Legalise" message getting munged.  As was mentioned
a week or two ago, on HD systems this can be due to the HD controller
writing up to 17 bytes to the MBR, immediately before the partition
table's reserved area, thus partially overwriting the "Legalise"
message on Stoned HD's.

This has no real significance for the virus as it never attempts to do
anything with this "message" except replicate it.

- ---------------------------------------------------------------------------
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 Internet: n.fitzgerald@csc.canterbury.ac.nz        Phone: (64)(3) 642-337