[comp.virus] Stoned Again

CCTR132@csc.canterbury.ac.nz (Nick FitzGerald) (11/30/90)

In Virus-L V3 #190 Patrick Ryan <sauron@stretch.cs.mun.ca> wrote:

I am getting a little impatient with the rapidly proliferating
mythinformation about STONED in this list, so please excuse the tone
of this posting.

>maven@rata.vuw.ac.nz (Jim Baltaxe) writes:
>
>>     Just a reminder that the Stoned virus is a boot sector invader
>>     and executes only when a machine is booted from an infected disk.
>>     Simply running _any_ program whether FTP'd or not will not result
>>     in activating this virus. Therefore, there must have been another
>
>Are you SURE?  I would disagree... the lab in our building has Stoned
>infections occurring very frequently, and not all of them are due to
>people booting from infected disks.  If that WERE the case, how would
>it spread to a floppy from hard drive?

**ARE YOU SURE??** If so then you must have a new variant of STONED,
and it's a miracle that your virus scanners find it because most of
them *ONLY* look in the boot sector for STONED, because **STONED IS A
__BOOT SECTOR__ INFECTOR**.  (I seriously doubt that the code
fragment/s the scanners search for would remain unchanged in such a
mutant, but it is possible.)

Attempting to boot off **ANY** Stoned-infected disk will install STONED.  The
infected disk **DOES __NOT__** have to be a system disk.

REPEAT:
Attempting to boot off **ANY** Stoned-infected disk will install STONED.

In answer to Patrick's question re spreading from HD to floppy:

When executed (at bootup), STONED reserves 2K at top of memory, takes
over the BIOS interrupt 13H vector, checks if clock ticks mod 8 is
zero (and if booting from floppy?) and outputs "Your PC is now
Stoned!" if so, checks for hard disk to infect (if booting from
floppy), then loads and executes the original master boot record
(which it hid somewhere relatively safe when the disk was first
infected.)  (At this point bootup will fail if you have an infected
non-system disk in A:, but the virus will remain active if you insert
a system disk in A: or open the drive door and allow bootup to proceed
from your HD.)  Any subsequent calls to INT 13H, requesting READ or
WRITE functions, result in the viral code being activated first.  The
virus then checks the disk in A: for a STONED infection, if a
non-infected disk is found the virus infects that disk, then returns
control to the original INT 13H code.  This means that doing a DIR on
a clean floppy in an infected machine will result in the disk being
infected.

The important thing about STONED (and probably most other boot sector
infectors) is that re/booting with *ANY* infected disk in A: (doing
the three fingered salute while you have a data disk in A: - who
hasn't done this??)  will result in the virus going resident.  If you
have a non-infected HD it will normally be infected at this point.
When people say they booted off a clean HD, but now have a virus, if
it is a boot sector infector you can bet your life savings that they
had a floppy in A: with the door closed.  What they mean is that the
system *loaded* off the HD - they *booted* off A:.

Now for some speculation: It is conceivable that a trojan could be
written to spread the STONED (or any other) virus.  At execution,
apart from doing whatever the prog was supposed to do, it would have
to do what the virus it harboured does when infecting/installing
itself.  I have neither seen nor heard of such a beast, but it is
possible that executables could spread virii that *by themselves* only
spread through boot sector mechanisms.

Readers who aren't already aware may be interested to know that Jim
Baltaxe was one of the people at Victoria University involved in
diagnosing and identifying the STONED virus.

---------------------------------------------------------------------------
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 Internet: n.fitzgerald@csc.canterbury.ac.nz        Phone: (64)(3) 642-337

KAMRAN@Vax2.Concordia.CA (Kamran Farahi) (03/06/91)

Hi,

One of our faculty members has been hit twice with this nasty virus.
On both occasions, he had installed F-DRIVER on the hard disk, the
partition table was gone so he could not reboot from the hard disk. As
a result he had to do a low level format. My question is, how is it
possible that the F-DRIVER did not protect the hard disk? Although
the warning message was given by the DRIVER on both occasions.

We lost everything because of the low-level format, do we have to go
through this each time we get infected or is there a way to recover
the data?

Thanks.

p1@arkham.wimsey.bc.ca (Rob Slade) (03/09/91)

KAMRAN@Vax2.Concordia.CA (Kamran Farahi) writes:

> On both occasions, he had installed F-DRIVER on the hard disk, the
> partition table was gone so he could not reboot from the hard disk. As
> a result he had to do a low level format. My question is, how is it

One despairs, one really does.

When F-DRIVER.SYS is installed, it will detect the presence of the
"Stoned" virus and lock up the system.  This does not mean that your
computer is ruined.  I assume it is intended to *force* you to deal
with the problem.

The solution is simple.  Boot from a clean floppy.  Run F-DISINF and
"cure" the hard disk.  Reboot the computer normally.  Simple.  And
effective.

There was no need to reformat the disk.

As to "prevention" of infection by a boot sector virus, that is not so
simple.  If you stick an infected disk into the A: drive and boot up,
you are going to be infected before *anything* can come into play.
The only solutions involve specialized boot ROMs, cards or mechanical
disabling of the A: drive.

==============
Vancouver          p1@arkham.wimsey.bc.ca   | "It says 'Hit any
Institute for      Robert_Slade@mtsg.sfu.ca | key to continue.'
Research into      (SUZY) INtegrity         | I can't find the
User               Canada V7K 2G6           | 'Any' key on my
Security                                    | keyboard."

frisk@rhi.hi.is (Fridrik Skulason) (03/13/91)

KAMRAN@Vax2.Concordia.CA (Kamran Farahi) writes:

>My question is, how is it
>possible that the F-DRIVER did not protect the hard disk? Although
>the warning message was given by the DRIVER on both occasions.

No drivers, TSR programs etc, can prevent you from being infected by a
boot sector virus, like the 'Stoned' for a simple reason - the virus
is executed and gets a chance to infect the hard disk before it can be
intercepted by any other program.  You need some special hardware to
prevent this.  The best any normal program can do is detecting the
infection, displaying a warning message and halting the computer, just
like F-DRIVER did.

>We lost everything because of the low-level format, do we have to go
>through this each time we get infected or is there a way to recover
>the data?

You never need to low-level format a disk infected by 'Stoned', to get
rid of the virus.  If the virus manages to infect the hard disk
successfully, you should be able to remove it by booting from a
'clean' system disk and running a disinfector program.

If that fails, use NU (or a similar program) to zero out the partition
table, and then use NDD to generate a new one.

-frisk
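An added example (not code from any poster, nor from F-DRIVER, F-DISINF, NU or NDD) showing what the advice in this exchange amounts to on a raw 512-byte MBR image: validate the 0xAA55 signature and the partition entries, and compare the sector against a saved copy of the good MBR so that "boot code replaced, partition table intact" can be told apart from "partition table gone". It assumes only the public MBR layout; all sector images are constructed.

```python
# Added example for this thread (not code from any poster, nor from F-PROT, NU or NDD).
# Assumes only the public MBR layout: boot code in bytes 0..0x1BD, four 16-byte
# partition entries at 0x1BE, 0x55 0xAA signature at 0x1FE.  All images are constructed.
import struct

PT_OFFSET, SIG_OFFSET = 0x1BE, 0x1FE
ENTRY_FMT = "<B3xB3xII"   # boot flag, CHS start (skipped), type, CHS end (skipped), LBA, count

def parse_partitions(sector: bytes) -> list:
    """Decode the four entries into (bootable, type, lba_start, sector_count) tuples."""
    return [(b == 0x80, t, lba, n) for b, t, lba, n in
            (struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + 16 * i) for i in range(4))]

def check_mbr(sector: bytes, baseline: bytes = None) -> list:
    """Return findings about a 512-byte MBR image; an empty list means nothing suspicious."""
    if len(sector) != 512:
        return ["image is not 512 bytes"]
    findings = []
    if sector[SIG_OFFSET:] != b"\x55\xAA":
        findings.append("missing 0xAA55 signature: BIOS will refuse to boot this sector")
    used = [p for p in parse_partitions(sector) if p[1] != 0]
    if not used:
        findings.append("partition table empty: no usable partitions")
    elif sum(p[0] for p in used) != 1:
        findings.append("expected exactly one bootable partition")
    if baseline is not None and len(baseline) == 512:
        code_changed = sector[:PT_OFFSET] != baseline[:PT_OFFSET]
        table_changed = sector[PT_OFFSET:SIG_OFFSET] != baseline[PT_OFFSET:SIG_OFFSET]
        if code_changed and not table_changed:
            findings.append("boot code differs from backup while the partition table is intact: "
                            "the pattern a boot-sector infector leaves")
        elif table_changed:
            findings.append("partition table differs from backup: restore it from the backup")
    return findings

def make_sector(code: bytes, entries: list) -> bytes:
    """Constructed MBR from boot code plus (bootable, type, lba_start, sector_count) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if b else 0, t, lba, n) for b, t, lba, n in entries)
    return code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET] + table.ljust(64, b"\x00") + b"\x55\xAA"

TABLE = [(True, 0x06, 63, 65520)]                     # one FAT16 primary partition (constructed)
CLEAN = make_sector(b"\xEB\x3C\x90" * 20, TABLE)      # saved backup of the good MBR
INFECTED_LIKE = make_sector(b"\x90" * 60, TABLE)      # different boot code, same table
WIPED = make_sector(b"\xEB\x3C\x90", [])              # table gone, as in Kamran's report

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("infected-like", INFECTED_LIKE), ("wiped", WIPED)):
        print(name, check_mbr(img, baseline=CLEAN) or ["ok"])
```

Take the baseline copy of sector 0 while the machine is known clean (booted from a write-protected system floppy), and keep it off the hard disk it describes.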

VANTENT@HROEUR5.BITNET (03/19/91)

In a message of <13 Mar 91 08:57:12> Fridrik Skulason wrote:
 > You never need to low-level format a disk infected by 'Stoned',
 > to get rid of the virus.  If the virus manages to infect the hard
 > disk successfully, you should be able to remove it by booting from
 > a 'clean' system disk and running a disinfector program.

I thought so too, but lately got into trouble with some Olivetti M24
pc's ... a [Stoned] infection immediately resulted in some subdirs
full of illegal file entries, lost clusters, and crosslinks.

The same thing happened again within a day after low-level formatting
the system, when another user didn't think it necessary to check his
disk or even to remove it while rebooting. So I'm pretty sure it's the
Stoned infection that's causing the FAT and/or DIR problems; it may be
because of a non-standard FDISK that comes with Olivetti's MS-DOS 3.2.

Anyhow, it helps to have a backup :-)

Jan van 't Ent, Apparatuurbeheer (microcomputer support & maint dept)
                           ERASMUS
VANTENT@HROEUR5.bitnet   UNIVERSITEIT   telefoon +31 10 4081337
jvte@cs.eur.nl  usenet    ROTTERDAM     telefax  +31 10 4081372

padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (04/27/91)

>From:    "Chris Wagner" <STCW@NMUMUS.BITNET>
>Subject: Initial Virus Protection (PC)
>Right now, cost is a real factor due to a limited budget.
>I get the impression that the only way to be sure we don't have a
>virus is to periodically scan our disks with the latest scanning
>software we can find.

>From:    John Councill <JXA5@MARISTB.BITNET>
>Subject: TSR Virus Detector (PC)
>Can anyone reading this recommend a reliable program that will sit in
>memory and warn against writes to .EXE and .COM files, as well as
>other suspicious virus-like activity without degrading performance of
>the machine too much?

On the PC, a virus must be executed to have any effect & there are
three ways for this to occur: cold boot from floppy, warm boot from
floppy, user request. The last two can be controlled by software (e.g.
McAfee V-Shield), the first only with hardware (but can be detected
immediately by software).  Full system scanning is only necessary if
an infection is suspected and the extent is to be determined.

Once malicious software is present on a system, it can hide in many
ways, the key is to detect such activity before it becomes resident.

I am constantly surprised that, considering the simplicity of the PC
architecture, more schools have not developed their own protection
software rather than relying on outsiders, certainly it is more
difficult to write a functional operating system, something most CS
schools require.

How about an annual intermural anti-virus competition - anyone
interested ?