[comp.virus] Stoned

517259@UOTTAWA.BITNET (Ted Treuil) (05/29/90)

This is just a really quick note for virus trackers...

Stoned is everywhere!  It has been around the campus of the University
of Ottawa, Canada, for quite a while.  The worst part is, it keeps showing up.

On top of this, I know of a few friends who have been infected from sources
other than our campus.  The Stone is still rolling...

padgett%tccslr.dnet@UVS1.orl.mmc.com (A. Padgett Peterson) (06/05/90)

>During the last two months there were several asks how to remove
>the STONED-virus from harddisks. The solution is quite easy :

In previous issues, I have seen a number of postings on the STONED
virus regarding disinfecting disks. One thing that is often missed is
that three separate methods seem necessary:

a) floppy disks
b) un-partitioned hard disks
c) partitioned hard disks

It is not well documented but on boot up with a partitioned disk there
is executable code in the partition table that tells DOS where to find
the boot record for the first partition and that the STONED is
reported to be able to infect this (I have a copy but have not had the
time to check it out). DEBUG cannot read/modify the partition table so
some of the methods presented thus far will not necessarily work on
such a disk.

I suspect that the STONED simply replaces the first physical sector (DEBUG
uses logical sectors) and does not care whether it contains the boot sector
or the partition table and stores the original sector in physical sector 7.

               Padgett Peterson

CHESS@YKTVMV.BITNET (David.M.Chess) (06/06/90)

Yep, the Stoned installs itself on the bottommost sector of the
physical disk, which is the place where the partition table lives on a
partitioned hard disk.

>                        DEBUG cannot read/modify the partition table so
> some of the methods presented thus far will not necessarily work on
> such a disk.

That's only sort of true; the DEBUG "load" command can only
see within the DOS partition, and therefore it can't see the
bottommost sector; but I think people were suggesting using
DEBUG to type in the tiny program needed to do the work.
For instance, if you go into debug and type

a 100
xor ax,ax
int 13
mov ax,0201
mov bx,0200
mov cx,0001
mov dx,0080
int 13
<enter by itself>
g 112
d 200 3ff

you'll be able to see the bottommost sector of the first hard disk,
including the partition table and the master boot code, sitting there
at address 200.  (Only do this if you have some idea of what you're
doing, of course!  The wrong typo in the above could easily make your
hard disk inaccessible.)  Similar tiny programs can read the original
stashed bottommost sector on a Stoned-infected hard disk, and write it
back to where it belongs.  I think that's what some folks were
suggesting...

DC

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (12/05/90)

OK folks, let's put this hysteria to rest. After all, the internals are
only 512 bytes and it really is not very smart. So far, I have not
seen it cause any destruction to hard disks, it just slides the real
partition table over to sector 7 and plants itself in sector 1. When
booted, it creates a 1k area for itself to go resident at the TOM by
changing location 0:413, and infects any 360k floppy (I'm talking the
Mk 1 version) accessed.

Since the "hidden" sectors of most fixed disks are unused, no damage
is done here, but since floppies use all legal sectors, the STONED
will overwrite the last 512 bytes of the directory table with the real
boot record.  (side 1 cyl 0 sector 3). If a floppy has over 96 files
in the directory table including deleted files, this will overwrite
the last entries and trash a DIR or CHKDSK operation. While the files
are still there and someone good can probably recover them, DOS is in
trouble.

Now what "extra added attractions" hackers have put into the plain
STONED remains to be seen - it would not be difficult to replace the
message mechanism with something else. Similarly, the STONED infects
only by booting from an infected floppy, however a trojan designed to
put the STONED into a partition table would again be a trivial
exercise. (See earlier postings on how to remove it & reverse).

Myself, I am almost as sick of seeing the STONED as the JERUSALEM.

						Padgett

p1@rlyeh.wimsey.bc.ca (Rob Slade) (01/10/91)

jhp@apss.ab.ca (Herb Presley, Emergency Planning Officer) writes:

> I have had a problem with the "Stoned" virus on my 8088 based XT.
> After the virus appeared on Christmas Day, I reformatted (high level)
> the hard drive and reconfigured the partition table using FDISK.

Repartitioning and reformatting is a rather drastic way to deal with
"Stoned".  F-PROT and SCAN will both remove the infection fairly
easily.  However, none of these measures will be effective if the
virus is still resident in memory.  You can repartition all you like,
"Stoned" will just pop right back in to your "clean" system unless you
first boot from a clean source.

Also, did you check your floppy disks?
> Although the message appeared on Christmas Day, the only problem that
>
> I'm not even sure if the problems are related.
>
> Remember that the RAMDRIVE.SYS load worked prior to the appearance of the
> "Stoned" virus.  I didn't change any parameters prior to that time.

I'm not sure they are related either.  You say "Stoned" "appeared" on
Christmas Day: how do you know that?  Are you referring to the "Your
PC is now Stoned" message?  If so, you should know that the infection
could have occurred long before that.  The message only appears on "1
in 8" boots, and its appearance is randomly generated.  It might have
been in your system for a long time before you got the message.

I suggest you get a copy of F-PROT and check your system *and* floppy
disks again.  Since you are in Canada, you can get antiviral programs and
information from the SUZY Information Service.  Check out the
INtegrity section of the Information Networks.

dave@tygra.ddmi.com (David Conrad) (01/13/91)

Many recent postings have made the point that the Stoned virus
overlays a sector in the FAT, thus causing damage to the file system.
My question, which I *think* I know the answer to is:

Couldn't this sector be restored from the second copy of the FAT?

I believe that the answer is yes, but I would appreciate if those who
study these beasts could confirm this.

--
David R. Conrad
dave@tygra.ddmi.com
--
=  CAT-TALK Conferencing Network, Computer Conferencing and File Archive  =
-  1-313-343-0800, 300/1200/2400/9600 baud, 8/N/1. New users use 'new'    -
=  as a login id.  AVAILABLE VIA PC-PURSUIT!!! (City code "MIDET")        =
   E-MAIL Address: dave@DDMI.COM

XPUM04@prime-a.central-services.umist.ac.uk (Anthony Appleyard) (01/17/91)

In reply to this message in Virus-L vol 4 #11:-
.....................................................................
"Date:    Tue, 15 Jan 91 10:48:25 -0600
From:    ROsman%ASS%SwRI05@D15VS178A.SPACE.SwRI.EDU
Subject: STONED and NON-bootable floppies (PC)
I learned something new about the STONED virus today. One of our users' PCs
was infected by the STONED virus by attempting to boot from a  NON-bootable
diskette   that   was   infected!   All   MS/DOS  diskettes  (bootable  and
non-bootable) have a sector reserved for the boot code (the boot sector). I
was under the  impression  that  the  DOS  boot  code  had  to  be  present
(bootable)  in  order for the STONED virus to move itself to the hard disk.
This was an incorrect assumption."

I understand from several Virus-L recent messages  that  PC  'non-bootable'
floppies  are  actually  bootable,  and  their  boot sectors contain only a
little program that merely prints out "This disk  is  not  bootable".  Thus
Stoned etc can infect them same as any other PC floppy.

{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Thu, 17 Jan 91 09:03:52 GMT

frisk@rhi.hi.is (Fridrik Skulason) (01/17/91)

dave@tygra.ddmi.com (David Conrad) writes:
>Many recent postings have made the point that the Stoned virus
>overlays a sector in the FAT, thus causing damage to the file system.

The original "Stoned" virus came in two variants. Both infect the
Partition Boot Record - the first physical sector on the hard disk.
The original PBR is stored on head 0, track 0 and either on sector 2
or sector 7.

Those sectors are normally unused, but not always.  In particular, if
the hard disk is small, and formatted under DOS 2.x (even though it
may now contain DOS 3.x), the first track will be in use.

In some cases the DOS boot sector is located in sector 2, and will be
overwritten, but the other variant of the virus may overwrite a part
of the FAT - located at sector 7, which could, indeed, be restored
from the other copy - provided you do the repair right after
infection.

On large hard disks, or disks formatted under DOS 3.x this is not a
problem.

-frisk

Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (03/28/91)

>From:    Pat Ralston <IPBR400@INDYCMS.BITNET>
>Subject: Mutation (or not) of Stoned (PC)

>Stoned can be found on floppy disks but not the hard disk.

There appear to be two cases in which the STONED will not infect a
hard disk: one has to do with an internal variable in the virus
(offset 8). The second is if the first four bytes of the master boot
record (absolute sector one) match those of the virus (EA 05 00 C0).
In this case, the virus "thinks" that the disk is already infected. I
have heard of several "vaccines" that perform this function. The
dangerous part is that the virus still goes resident in such a machine
and while it will not infect the fixed disk, it will infect floppies
presented to it. (some variants only 360k, some anything).

At least the STONED is easy to detect/get rid of.

						Padgett
                           (we also walk dogs)
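The layout the thread describes (virus in the first physical sector, original
stashed at head 0/track 0/sector 7 or 2 on a hard disk and at side 1/cyl 0/
sector 3 on a 360k floppy, and the EA 05 00 C0 prefix the virus uses to decide a
disk is already infected) is enough to write a checker. The following is an
added example, not code from any of the posters and not a real disinfector: it
works on constructed in-memory disk images only. The geometries, the made-up
partition entry, the filler bytes in the fake virus sector, and the assumption
that the virus sector carries a copy of the partition table are all mine, not
taken from the thread.

```python
SECTOR = 512
BOOT_SIG = b"\x55\xaa"
# First four bytes of the Stoned sector, as quoted in Padgett's post (EA 05 00 C0).
STONED_PREFIX = bytes.fromhex("EA0500C0")

# Geometries are assumptions; the thread only names head/track/sector positions.
FLOPPY_360K = {"heads": 2, "spt": 9}
HARD_DISK = {"heads": 4, "spt": 17}

# Where the virus parks the real sector, per the posts: hard disk at head 0,
# track 0, sector 7 or 2 (frisk); 360k floppy at side 1, cyl 0, sector 3 (Padgett).
STASH_CANDIDATES = {"hd": [(0, 0, 7), (0, 0, 2)], "floppy": [(0, 1, 3)]}


def chs_to_offset(cyl, head, sector, geom):
    """INT 13h-style CHS (1-based sector) to a byte offset in a raw image."""
    lba = (cyl * geom["heads"] + head) * geom["spt"] + (sector - 1)
    return lba * SECTOR


def sector_at(image, chs, geom):
    off = chs_to_offset(*chs, geom)
    return bytes(image[off:off + SECTOR])


def is_stoned_sector(sec):
    """The same test the virus itself uses to decide a disk is already infected."""
    return sec[:4] == STONED_PREFIX


def find_original(image, kind, geom):
    """Locate the stashed original sector; returns ((c, h, s), sector) or None."""
    for chs in STASH_CANDIDATES[kind]:
        sec = sector_at(image, chs, geom)
        if sec[-2:] == BOOT_SIG and not is_stoned_sector(sec):
            return chs, sec
    return None


def disinfect(image, kind, geom):
    """Return (cleaned_image, stash_chs) with the original written back over
    the first physical sector. Refuses to touch an image it does not recognise."""
    first = sector_at(image, (0, 0, 1), geom)
    if not is_stoned_sector(first):
        raise ValueError("first sector does not carry the Stoned prefix")
    found = find_original(image, kind, geom)
    if found is None:
        raise ValueError("stashed original not found at any known location")
    chs, original = found
    if kind == "hd" and original[0x1BE:0x1FE] != first[0x1BE:0x1FE]:
        # Assumption (not stated in the thread): the virus sector carries a copy
        # of the partition table, so the two tables should agree. Otherwise don't guess.
        raise ValueError("partition table mismatch; not restoring")
    out = bytearray(image)
    out[0:SECTOR] = original
    return bytes(out), chs


def clobbered_root_entries(geom=FLOPPY_360K):
    """Root-directory entries destroyed by the floppy stash. Assumes the standard
    360k layout: 1 boot sector, 2 FATs of 2 sectors each, 16 entries per sector."""
    root_lba = 1 + 2 * 2
    stash_lba = chs_to_offset(*STASH_CANDIDATES["floppy"][0], geom) // SECTOR
    first = (stash_lba - root_lba) * 16
    return first, first + 15


# --- constructed sample data (not taken from any real disk) -----------------
def make_clean_sector(partitioned):
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x3c\x90"                      # jmp short, typical DOS boot start
    if partitioned:                                  # one made-up primary partition entry
        sec[0x1BE:0x1CE] = bytes.fromhex("80010100 060f3f1f 3f000000 c13f0000")
    sec[510:512] = BOOT_SIG
    return bytes(sec)


def make_infected_image(clean, kind, geom, stash_chs):
    """Simulate the infection: stash the real sector, plant a fake Stoned sector.
    Only the 4-byte prefix is from the thread; the rest of the sector is filler."""
    img = bytearray(geom["heads"] * geom["spt"] * SECTOR)   # one cylinder suffices
    off = chs_to_offset(*stash_chs, geom)
    img[off:off + SECTOR] = clean
    fake = bytearray(SECTOR)
    fake[0:4] = STONED_PREFIX
    if kind == "hd":
        fake[0x1BE:0x1FE] = clean[0x1BE:0x1FE]              # see disinfect()
    fake[510:512] = BOOT_SIG
    img[0:SECTOR] = fake
    return bytes(img)


if __name__ == "__main__":
    clean = make_clean_sector(partitioned=True)
    img = make_infected_image(clean, "hd", HARD_DISK, (0, 0, 7))
    fixed, where = disinfect(img, "hd", HARD_DISK)
    print("original found at C/H/S", where, "restored:", fixed[:SECTOR] == clean)
    print("360k floppy stash clobbers root entries", clobbered_root_entries())
```

The floppy case shows why Padgett's "over 96 files" figure is what it is: side 1,
cyl 0, sector 3 is logical sector 11 of a 360k disk, the last of the seven root
directory sectors, so entries 96 through 111 are the ones the stash overwrites.
Restoring the boot sector does not bring those entries back; as frisk notes for
the FAT case, what can be recovered depends on what else has been written since.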

frisk@rhi.hi.is (Fridrik Skulason) (05/22/91)

ccx020@cck.coventry.ac.uk (James Nash) writes:
>How many times have you seen a student
>put their disk in the PC then switch it on? I do it by mistake myself
>sometimes. Whether the author was a great visionary(!) or got lucky
>doesn't matter, he was the first(?) to use the technique.

Not quite the first.  According to the chronological list by Y. Radai,
the first boot sector virus (Brain) was discovered in January '86, and
Yale/Alameda in March '87 - both those viruses spread by the same
method.  Stoned and Ping-Pong were discovered later, in early '88.

-frisk