CCTR132@csc.canterbury.ac.nz (Nick FitzGerald) (11/30/90)
In Virus-L V3 #190 Patrick Ryan <sauron@stretch.cs.mun.ca> wrote:

I am getting a little impatient with the rapidly proliferating mythinformation about STONED in this list, so please excuse the tone of this posting.

>maven@rata.vuw.ac.nz (Jim Baltaxe) writes:
>
>> Just a reminder that the Stoned virus is a boot sector invader
>> and executes only when a machine is booted from an infected disk.
>> Simply running _any_ program whether FTP'd or not will not result
>> in activating this virus. Therefore, there must have been another
>
>Are you SURE? I would disagree... the lab in our building has Stoned
>infections occurring very frequently, and not all of them are due to
>people booting from infected disks. If that WERE the case, how would
>it spread to a floppy from hard drive?

**ARE YOU SURE??** If so then you must have a new variant of STONED, and it's a miracle that your virus scanners find it because most of them *ONLY* look in the boot sector for STONED, because **STONED IS A __BOOT SECTOR__ INFECTOR**. (I seriously doubt that the code fragment/s the scanners search for would remain unchanged in such a mutant, but it is possible.)

Attempting to boot off **ANY** Stoned-infected disk will install STONED. The infected disk **DOES __NOT__** have to be a system disk.

REPEAT: Attempting to boot off **ANY** Stoned-infected disk will install STONED.

In answer to Patrick's question re spreading from HD to floppy:

When executed (at bootup), STONED reserves 2K at top of memory, takes over the BIOS interrupt 13H vector, checks if clock ticks mod 8 is zero (and if booting from floppy?) and outputs "Your PC is now Stoned!" if so, checks for hard disk to infect (if booting from floppy), then loads and executes the original master boot record (which it hid somewhere relatively safe when the disk was first infected.)

(At this point bootup will fail if you have an infected non-system disk in A:, but the virus will remain active if you insert a system disk in A: or open the drive door and allow bootup to proceed from your HD.)

Any subsequent calls to INT 13H, requesting READ or WRITE functions, result in the viral code being activated first. The virus then checks the disk in A: for a STONED infection; if a non-infected disk is found the virus infects that disk, then returns control to the original INT 13H code. This means that doing a DIR on a clean floppy in an infected machine will result in the disk being infected.

The important thing about STONED (and probably most other boot sector infectors) is that re/booting with *ANY* infected disk in A: (doing the three fingered salute while you have a data disk in A: - who hasn't done this??) will result in the virus going resident. If you have a non-infected HD it will normally be infected at this point.

When people say they booted off a clean HD, but now have a virus, if it is a boot sector infector you can bet your life savings that they had a floppy in A: with the door closed. What they mean is that the system *loaded* off the HD - they *booted* off A:.

Now for some speculation: It is conceivable that a trojan could be written to spread the STONED (or any other) virus. At execution, apart from doing whatever the prog was supposed to do, it would have to do what the virus it harboured does when infecting/installing itself. I have neither seen nor heard of such a beast, but it is possible that executables could spread virii that *by themselves* only spread through boot sector mechanisms.

Readers who aren't already aware may be interested to know that Jim Baltaxe was one of the people at Victoria University involved in diagnosing and identifying the STONED virus.

- ---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz    Phone: (64)(3) 642-337
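A defender's-eye companion to the description above: an inspector that reads a 512-byte master boot record image, checks that it is structurally sane (boot signature, partition table), and flags the "Your PC is now Stoned!" banner quoted in the post as a heuristic indicator. This is an added example, not code from the posting or from any scanner of the period; the sample image it examines is constructed inline and contains no virus code, and the banner check is only a heuristic (variants with a different message would pass it).

```python
"""Inspect a 512-byte MBR image for structural sanity and for the Stoned
banner text quoted in the posting. Added illustration, not code from the
original post; the sample sector is constructed here and carries no
executable virus code."""
import struct

BOOT_SIG = b"\x55\xaa"                    # standard end-of-sector marker
STONED_MSG = b"Your PC is now Stoned!"    # message quoted in the post

def parse_partitions(sector: bytes):
    """Decode the four 16-byte partition entries that start at offset 0x1BE."""
    entries = []
    for i in range(4):
        raw = sector[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        status, ptype, lba_start, n_sectors = struct.unpack_from("<B3xB3xII", raw)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "start": lba_start, "sectors": n_sectors})
    return entries

def inspect_mbr(sector: bytes) -> dict:
    """Return the partition table plus a list of findings. An absent banner
    proves nothing (other variants exist), which is why real scanners compare
    code bytes rather than text; the structural checks catch the 'partition
    table gone' symptom regardless of which virus caused it."""
    if len(sector) != 512:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = parse_partitions(sector)
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if not any(p["type"] for p in parts):
        findings.append("partition table empty")
    if STONED_MSG in sector[:0x1BE]:
        findings.append("Stoned banner text present in boot code area")
    return {"partitions": parts, "findings": findings, "suspicious": bool(findings)}

def build_sample(infected: bool) -> bytes:
    """Constructed sample: one active FAT16 partition; optionally the banner
    is planted in the code area. No virus code is included."""
    code = bytearray(446)
    if infected:
        code[0x100:0x100 + len(STONED_MSG)] = STONED_MSG
    # bootable, type 0x06 (FAT16), starting at LBA 63, 20480 sectors long
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 20480)
    table = entry + bytes(16 * 3)
    return bytes(code) + table + BOOT_SIG
```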
KAMRAN@Vax2.Concordia.CA (Kamran Farahi) (03/06/91)
Hi,

One of our faculty members has been hit twice with this nasty virus. On both occasions, he had installed F-DRIVERS on the hard disk, the partition table was gone so he could not reboot from the hard disk. As a result he had to do a low level format.

My question is, how is it possible that the F-DRIVER did not protect the hard disk? Although, the warning message was given by the DRIVER on both occasions.

We lost everything because of the low-level format, do we have to go through this each time we get infected or is there a way to recover the data?

Thanks.
p1@arkham.wimsey.bc.ca (Rob Slade) (03/09/91)
KAMRAN@Vax2.Concordia.CA (Kamran Farahi) writes:

> On both occasions, he had installed F-DRIVERS on the hard disk, the
> partition table was gone so he could not reboot from the hard disk. As
> a result he had to do a low level format. My question is, how is it

One despairs, one really does.

When F-DRIVER.SYS is installed, it will detect the presence of the "Stoned" virus and lock up the system. This does not mean that your computer is ruined. I assume it is intended to *force* you to deal with the problem.

The solution is simple. Boot from a clean floppy. Run F-DISINF and "cure" the hard disk. Reboot the computer normally. Simple. And effective. There was no need to reformat the disk.

As to "prevention" of infection by a boot sector virus, that is not so simple. If you stick an infected disk into the A: drive and boot up, you are going to be infected before *anything* can come into play. The only solutions involve specialized boot ROMs, cards or mechanical disabling of the A: drive.

==============
Vancouver      p1@arkham.wimsey.bc.ca    | "It says 'Hit any
Institute for  Robert_Slade@mtsg.sfu.ca  | key to continue.'
Research into  (SUZY) INtegrity          | I can't find the
User           Canada V7K 2G6            | 'Any' key on my
Security                                 | keyboard."
frisk@rhi.hi.is (Fridrik Skulason) (03/13/91)
KAMRAN@Vax2.Concordia.CA (Kamran Farahi) writes:

>My question is, how is it
>possible that the F-DRIVER did not protect the hard disk? Although,
>the warning message was given by the DRIVER on both occasions.

No drivers, TSR programs etc. can prevent you from being infected by a boot sector virus like the 'Stoned', for a simple reason - the virus is executed and gets a chance to infect the hard disk before it can be intercepted by any other program. You need some special hardware to prevent this. The best any normal program can do is detecting the infection, displaying a warning message and halting the computer, just like F-DRIVER did.

>We lost everything because of the low-level format, do we have to go
>through this each time we get infected or is there a way to recover
>the data?

You never need to low-level format a disk infected by 'Stoned' to get rid of the virus. If the virus manages to infect the hard disk successfully, you should be able to remove it by booting from a 'clean' system disk and running a disinfector program. If that fails, use NU (or a similar program) to zero out the partition table, and then use NDD to generate a new one.

- -frisk
VANTENT@HROEUR5.BITNET (03/19/91)
In a message of <13 Mar 91 08:57:12> Fridrik Skulason wrote:

> You never need to low-level format a disk infected by 'Stoned',
> to get rid of the virus. If the virus manages to infect the hard
> disk successfully, you should be able to remove it by booting from
> a 'clean' system disk and running a disinfector program.

I thought so too, but lately got into trouble with some Olivetti M24 PCs ... a [Stoned] infection immediately resulted in some subdirs full of illegal file entries, lost clusters, and crosslinks. The same thing happened again within a day after low-level formatting the system, when another user didn't think it necessary to check his disk or even remove it while rebooting. So I'm pretty sure it's the Stoned infection that's causing the FAT and/or DIR problems; it may be because of a non-standard FDISK that comes with Olivetti's MS-DOS 3.2.

Anyhow, it helps to have a backup :-)

Jan van 't Ent, Apparatuurbeheer (microcomputer support & maint dept)
ERASMUS        VANTENT@HROEUR5.bitnet
UNIVERSITEIT   phone +31 10 4081337      jvte@cs.eur.nl usenet
ROTTERDAM      fax   +31 10 4081372
padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (04/27/91)
>From: "Chris Wagner" <STCW@NMUMUS.BITNET>
>Subject: Initial Virus Protection (PC)
>
>Right now, cost is a real factor due to a limited budget.
>
>I get the impression that the only way to be sure we don't have a
>virus is to periodically scan our disks with the latest scanning
>software we can find.

>From: John Councill <JXA5@MARISTB.BITNET>
>Subject: TSR Virus Detector (PC)
>
>Can anyone reading this recommend a reliable program that will sit in
>memory and warn against writes to .EXE and .COM files, as well as
>other suspicious virus-like activity without degrading performance of
>the machine too much?

On the PC, a virus must be executed to have any effect & there are three ways for this to occur: cold boot from floppy, warm boot from floppy, user request. The last two can be controlled by software (e.g. McAfee V-Shield), the first only with hardware (but can be detected immediately by software).

Full system scanning is only necessary if an infection is suspected and the extent is to be determined. Once malicious software is present on a system, it can hide in many ways; the key is to detect such activity before it becomes resident.

I am constantly surprised that, considering the simplicity of the PC architecture, more schools have not developed their own protection software rather than relying on outsiders; certainly it is more difficult to write a functional operating system, something most CS schools require.

How about an annual intermural anti-virus competition - anyone interested?