McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• 1991 Boot

• Donald Duck

• Hawaii

• Marijuana

• NewZealand

• Rostov

• SanDiego

• Smithsonian

• StonedII

• StonedMutation

Characteristics

The original Stoned virus infected 360KB 5.25" diskettes and did not cause any damage. The original diskette-only infector is now considered extinct. However there are over 90 variants based on the original Stoned virus. All known variants are capable of infecting the hard disk Master Boot Record (MBR) and some may damage directories or the File Allocation Table (FAT) as well. Most variants are only modified slightly from the original and many of these modifications are only in the message that is displayed.

Upon infection, the virus will become memory resident at the top of system memory. The interrupt 12 return is moved. The virus will also infect the hard disk Master Boot Record at this time.

Once Stoned is memory resident, it will infect diskettes as they are accessed on the system. When Stoned infects a diskette, it moves the original Boot Sector (sector 0) to sector 11. The Stoned virus then copies itself into Sector 0. Since sector 11 is normally part of the diskette root directory on 360K 5.25" diskettes, any files which had their directory entries located in this sector will be lost. Some versions of DOS have sector 11as part of the FAT, which may also result in the disk's FAT being corrupted.

When Stoned infects the system's hard disk, it copies the original Master Boot Record to Side 0, Cylinder 0, Sector 7. A copy of the Stoned virus is placed at Side 0, Cylinder 0, Sector 1, the original location of the Master Boot Record. If the hard disk was formatted with software which starts the boot sector, FAT, or disk directory on Side 0, Cylinder 0 immediately following the Master Boot Record, the hard disk may also be corrupt.

Additional Comments:
The Stoned virus was first reported in Wellington, New Zealand in early 1988. The original virus only infected 360KB 5-1/4" diskettes, doing no overt damage. The original diskette-only infector is extinct, however, and all known variants of this virus are capable of infecting the hard disk master boot sector (partition table) as well as may damage directory or FAT information. Most variants of this virus have only minor modifications, usually in what the message is that the virus may display on boot. When a computer system is booted with a Stoned infected disk, this virus will install itself memory resident at the top of system memory. The interrupt 12 return will be moved, and ChkDsk will indicate that the computer system as 2K less total memory than what is installed. If the system boot was from a diskette, the virus will also attempt to infect the hard disk master boot sector, if it was not previously infected. During the boot process, the Stoned virus may display a message. The message is displayed more or less on a random basis. The most common text for the message is: "Your computer is now stoned." Or: "Your PC is now Stoned!" After Stoned is memory resident, it will infect diskettes as they are accessed on the system. When Stoned infects a diskette, it moves the original boot sector (sector 0) to sector 11. The Stoned virus then copies itself into sector 0. Since sector 11 is normally part of the diskette root directory on 360K 5.25" diskettes, any files which had their directory entries located in this sector will be lost. Some versions of DOS have sector 11 as part of the File Allocation Table, which may also result in the disk's FAT being corrupted. When Stoned infects that system hard disk, it copies the hard disk's original master boot sector to side 0, cyl 0, sector 7. A copy of the Stoned virus is then placed at side 0, cyl 0, sector 1, the original location of the hard disk master boot sector. If the hard disk was formatted with software which starts the boot sector, file allocation table, or disk directory on side 0, cyl 0 right after the master boot sector, the hard disk may be corrupted as well. In order to disinfect a system infected with the Stoned virus, the system must be powered off and booted with an uninfected, write- protected boot diskette. If this is no

Symptoms

During the boot process, the Stoned virus randomly displays a message:

"Your computer is now stoned."

Or

"Your PC is now Stoned!"

Total system memory decreases by 2000 bytes.

Method of Infection

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal

Windows 95/98:
Note for Windows 9x systems - during the boot process a Windows95 created boot disk will access the hard drive for information. Because of this an image of the virus may be in memory but not active.

To remove the virus, follow the following steps:
- If you use the McAfee emergency disk, hit F8 at the starting Windows 95 message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the a:, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• 1991 Boot

• Donald Duck

• Hawaii

• Marijuana

• NewZealand

• Rostov

• SanDiego

• Smithsonian

• StonedII

• StonedMutation

Characteristics

Characteristics -

The original Stoned virus infected 360KB 5.25" diskettes and did not cause any damage. The original diskette-only infector is now considered extinct. However there are over 90 variants based on the original Stoned virus. All known variants are capable of infecting the hard disk Master Boot Record (MBR) and some may damage directories or the File Allocation Table (FAT) as well. Most variants are only modified slightly from the original and many of these modifications are only in the message that is displayed.

Upon infection, the virus will become memory resident at the top of system memory. The interrupt 12 return is moved. The virus will also infect the hard disk Master Boot Record at this time.

Once Stoned is memory resident, it will infect diskettes as they are accessed on the system. When Stoned infects a diskette, it moves the original Boot Sector (sector 0) to sector 11. The Stoned virus then copies itself into Sector 0. Since sector 11 is normally part of the diskette root directory on 360K 5.25" diskettes, any files which had their directory entries located in this sector will be lost. Some versions of DOS have sector 11as part of the FAT, which may also result in the disk's FAT being corrupted.

When Stoned infects the system's hard disk, it copies the original Master Boot Record to Side 0, Cylinder 0, Sector 7. A copy of the Stoned virus is placed at Side 0, Cylinder 0, Sector 1, the original location of the Master Boot Record. If the hard disk was formatted with software which starts the boot sector, FAT, or disk directory on Side 0, Cylinder 0 immediately following the Master Boot Record, the hard disk may also be corrupt.

Additional Comments:
The Stoned virus was first reported in Wellington, New Zealand in early 1988. The original virus only infected 360KB 5-1/4" diskettes, doing no overt damage. The original diskette-only infector is extinct, however, and all known variants of this virus are capable of infecting the hard disk master boot sector (partition table) as well as may damage directory or FAT information. Most variants of this virus have only minor modifications, usually in what the message is that the virus may display on boot. When a computer system is booted with a Stoned infected disk, this virus will install itself memory resident at the top of system memory. The interrupt 12 return will be moved, and ChkDsk will indicate that the computer system as 2K less total memory than what is installed. If the system boot was from a diskette, the virus will also attempt to infect the hard disk master boot sector, if it was not previously infected. During the boot process, the Stoned virus may display a message. The message is displayed more or less on a random basis. The most common text for the message is: "Your computer is now stoned." Or: "Your PC is now Stoned!" After Stoned is memory resident, it will infect diskettes as they are accessed on the system. When Stoned infects a diskette, it moves the original boot sector (sector 0) to sector 11. The Stoned virus then copies itself into sector 0. Since sector 11 is normally part of the diskette root directory on 360K 5.25" diskettes, any files which had their directory entries located in this sector will be lost. Some versions of DOS have sector 11 as part of the File Allocation Table, which may also result in the disk's FAT being corrupted. When Stoned infects that system hard disk, it copies the hard disk's original master boot sector to side 0, cyl 0, sector 7. A copy of the Stoned virus is then placed at side 0, cyl 0, sector 1, the original location of the hard disk master boot sector. If the hard disk was formatted with software which starts the boot sector, file allocation table, or disk directory on side 0, cyl 0 right after the master boot sector, the hard disk may be corrupted as well. In order to disinfect a system infected with the Stoned virus, the system must be powered off and booted with an uninfected, write- protected boot diskette. If this is no

Symptoms

Symptoms -

During the boot process, the Stoned virus randomly displays a message:

"Your computer is now stoned."

Or

"Your PC is now Stoned!"

Total system memory decreases by 2000 bytes.

Method of Infection

Method of Infection -

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal -

Removal -

Windows 95/98:
Note for Windows 9x systems - during the boot process a Windows95 created boot disk will access the hard drive for information. Because of this an image of the virus may be in memory but not active.

To remove the virus, follow the following steps:
- If you use the McAfee emergency disk, hit F8 at the starting Windows 95 message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the a:, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

Variants

Variants -

N/A