cctr132@csc.canterbury.ac.nz (01/26/91)
In article <4808@vela.acs.oakland.edu>, w8sdz@vela.acs.oakland.edu (Keith Petersen) writes: > lev@suned1.UUCP (Lloyd E Vancil) writes: >>Recieved today from my organization; >>"investigation revealed a message in the boot sector which stated "Your PC is >>stoned." Virus detection software confirmed the presence of the "Stone" virus. >>Further investigation revealed it's presence on other PCs in the area with >>damage to at least one hard disk drive. A share ware program, which produces >>SF-171s, appears to be the source of this virus." > > You did not say where your organization obtained this program. It > should be pointed out here that this file: > > Directory PD1:<MSDOS.FORMGEN> > Filename Type Length Date Description > ============================================== > SF171.ARC B 113920 870718 Federal Employment Form generator > > on SIMTEL20 is *not* infected. I checked it with the latest version > of McAfee's SCANV. Thanks Keith, and a word of re-assurance to anyone else who has the program: STONED is the most common virus in NZ (where it originated) and as such is the one I deal with most often. Whilst also common elsewhere, there is much mis-information about it, so please read the following. STONED is *very* unlikely to be spread other than by booting a PC from an infected disk/ette. It is a boot sector infector *ONLY* and as such does not infect executable files, and therefore cannot be spread by executing an application. This has been discussed ad nauseum in comp.virus, and whilst it is generally accepted there that it would be easy to write a trojan that implants STONED into a system *as if* it had been exposed to STONED in the normal way, *no-one* has reliably reported such an instance. The only other way you could get STONED from down-loaded software would be in a disk-image from an infected disk, and again there are no confirmed reports of this occuring that I am aware of. Unfortunately SCAN will not (currently) pick up STONED should its code have been included in a trojan implanting program, because SCAN "knows" that STONED is a boot sector infector, so only checks disk boot sectors and partition tables for the virus. From the above I hope that you are somewhat re-assured of the safety of the SF171 program. I've mailed Lloyd separately on this, and he was only passing on what he had been told by the "systems people" at his site - pity *they* didn't get things straight before blowing the whistle. --------------------------------------------------------------------------- Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337