WEBER@SBU.UFRGS.ANRS.BR (Raul Fernando Weber) (04/16/91)
Three slightly different versions of the Stoned virus were detected during the last months in Porto Alegre (Southern Brazil).

The first version contains the string "Your PC is now Stoned! <bell> <cr> <lf> <lf> <null> LEGALISE MARIJUANA!". In the second version this string now reads "Your PC is now Stoned! <bell> <cr> <lf> <lf> <null> LEGALISEm disk or d". Curiously, the last part of the modified string seems to be derived from the original boot sector, where the string "Non-System disk or disk error" can be found at the same offset. I wonder if this can happen due to a failure at the propagation routine?

The third version is quite different, and was first detected in a city near Porto Alegre. The string now reads "Collor, um tiro basta! <cr> <lf> <lf> Call John MacAFee? <space> <cr> <lf>". The first line is in Portuguese and means "Collor, one shot is enough!", a protest against the economic plan of President Collor. There is another modification, however, probably to protect this mutation against virus scanners. Beginning at the offset 63, four bytes were changed from BE 04 00 57 to 57 BE 04 00. With this change, SCAN and CLEAN cannot detect the virus anymore. The program F-BOOT from the FPROT114 package, however, is still able to detect and remove the virus (Good work, Frisk!).

Another virus that also appeared in the last weeks was Dark Avenger. The string "Eddie lives...somewhere in time!" can be detected at the beginning of the virus body, but the final string was modified to "This virus was created in Singapore (C) Copyright 1990-91 Data Maniac". Both SCAN/CLEAN and F-FCHK (from FPROT114) are able to detect and eliminate this virus.

Raul F. Weber
Institute of Informatic
Federal University of Rio Grande do Sul
Porto Alegre - RS
Brazil
e-mail: weber@sbu.ufrgs.anrs.br or weber%sbu.ufrgs.anrs.br@lbl.gov
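
Added example, not part of the original posts and not code from any scanner named in them: a Python check that tells the three boot-sector versions described above apart and shows why a rule pinned to one byte order at one offset misses the third version. Assumptions: "offset 63" is read as decimal, the two rules are hypothetical stand-ins rather than SCAN's or F-PROT's actual signatures, and the sample sectors are constructed (zero-filled, carrying only the marker strings and the four bytes).

```python
"""Classify a 512-byte boot sector against the variants described in the post."""

STONED_MSG = b"Your PC is now Stoned!"
COLLOR_MSG = b"Collor, um tiro basta!"
FULL_TAIL = b"LEGALISE MARIJUANA!"
PATCH_OFFSET = 63                           # assumption: "offset 63" read as decimal
ORIGINAL_SEQ = bytes.fromhex("BE040057")    # bytes reported before the change
REORDERED_SEQ = bytes.fromhex("57BE0400")   # bytes reported in the third version


def classify(sector: bytes, offset: int = PATCH_OFFSET) -> dict:
    """Return which message marker is present and which byte rule fires."""
    if len(sector) != 512:
        raise ValueError("expected exactly one 512-byte sector")
    window = sector[offset:offset + 4]
    if STONED_MSG in sector:
        # The message tail may be overwritten without affecting the first line.
        variant = "original message" if FULL_TAIL in sector else "damaged message tail"
    elif COLLOR_MSG in sector:
        variant = "Collor message"
    else:
        variant = None
    return {
        "variant": variant,
        # Hypothetical rule pinned to one byte order at one offset.
        "fixed_rule_hit": window == ORIGINAL_SEQ,
        # Hypothetical rule that accepts either reported ordering.
        "tolerant_rule_hit": window in (ORIGINAL_SEQ, REORDERED_SEQ),
    }


def make_sample(message: bytes, seq: bytes) -> bytes:
    """Build a constructed, non-functional sector: zeros plus markers only."""
    sector = bytearray(512)
    sector[PATCH_OFFSET:PATCH_OFFSET + 4] = seq
    sector[0x180:0x180 + len(message)] = message   # position chosen arbitrarily
    return bytes(sector)


SAMPLES = {  # constructed inputs, one per version described in the post
    "v1": make_sample(b"Your PC is now Stoned!\x07\r\n\n\x00LEGALISE MARIJUANA!", ORIGINAL_SEQ),
    "v2": make_sample(b"Your PC is now Stoned!\x07\r\n\n\x00LEGALISEm disk or d", ORIGINAL_SEQ),
    "v3": make_sample(b"Collor, um tiro basta!\r\n\nCall John MacAFee? \r\n", REORDERED_SEQ),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(data))
```

On the constructed third sample the fixed rule stays silent while the message marker and the tolerant rule both fire.
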
CCTR132@csc.canterbury.ac.nz (Nick FitzGerald) (04/18/91)
In VIRUS-L V4 #64 Raul Fernando Weber <WEBER@SBU.UFRGS.ANRS.BR> wrote:

>Three slightly different versions of the Stoned virus were detected
>during the last months in Porto Alegre (Southern Brazil).
>The first version contains the string "Your PC is now Stoned! <bell>
><cr> <lf> <lf> <null> LEGALISE MARIJUANA!". In the second version this
>string now reads "Your PC is now Stoned! <bell> <cr> <lf> <lf> <null>
>LEGALISEm disk or d". Curiously, the last part of the modified string
>seems to be derived from the original boot sector, where the string
>"Non-System disk or disk error" can be found at the same offset. I
>wonder if this can happen due to a failure at the propagation routine?

This is not uncommon with Stoned. I have seen exactly the same string Raul mentions. Stoned sometimes doesn't seem to replicate this last part of itself correctly - I have seen several other variations on the last part of the "Legalise" message getting munged.

As was mentioned a week or two ago, on HD systems this can be due to the HD controller writing up to 17 bytes to the MBR, immediately before the partition table's reserved area, thus partially overwriting the "Legalise" message on Stoned HD's. This has no real significance for the virus as it never attempts to do anything with this "message" except replicate it.

- ---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337