[comp.virus] Stoned in KC, Mo.

AGUTOWS@WAYNEST1.BITNET (Arthur Gutowski) (01/11/91)

Just got off the phone with a friend of mine in Kansas City, MO.  He
has been infected with the Stoned virus (don't know which variant).

He apparently contracted the infection from a borrowed copy of
Ontrack's Disk Manager.  The diskette was obtained from the Computer
Resale Center in Kansas City.  He has not booted up with any other
diskettes in quite some time, so he strongly suspects the Disk Manager
diskette.  Fortunately for him, he had already cleaned off the drive
and was preparing to low-level format the hard drive anyway.  He will
start with a cold boot from a clean diskette before proceeding (don't
want to spread the beast any further).

He has contacted the vendor and alerted them to the problem.  As
always, there are no guarantees, but it would seem that the Ontrack
diskette caused the infection.

Disclaimer:  This was meant for information only.  It was not intended to nail
             anyone to the wall (except for the ******* that wrote the virus
             to begin with!!)

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 "The problem with the future is that it keeps turning into the present."
                    -Hobbes
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  _    /|  Arthur J. Gutowski, System Programmer
  \'o.O'   MVS & Antiviral Group / WSU University Computing Center
  =(___)=  Bitnet:  AGUTOWS@WAYNEST1  Internet:  AGUTOWS@WAYNEST1.BITNET
     U     PH: (313) 577-0718              *or*  AGUTOWS@cms.cc.wayne.edu
 Bill sez "Ackphtth"

jhp@apss.ab.ca (Herb Presley, Emergency Planning Officer) (01/16/91)

AGUTOWS@WAYNEST1.BITNET (Arthur Gutowski) writes:
> Just got off the phone with a friend of mine in Kansas City, MO.  He
> has been infected with the Stoned virus (don't know which variant).

My 8088-based PC became infected with the [Stoned] virus on Christmas Day.  At
least that is when its "gotcha" message first appeared.

> He apparently contracted the infection from a borrowed copy of
> Ontrack's Disk Manager.  The diskette was obtained from the Computer
> Resale Center in Kansas City.  He has not booted up with any other
> diskettes in quite some time, so he strongly suspects the Disk Manager
> diskette.  Fortunately for him, he had already cleaned off the drive
> and was preparing to low-level format the hard drive anyway.  He will
> start with a cold boot from a clean diskette before proceeding (don't
> want to spread the beast any further).

I used the DOS FDISK and FORMAT programs, and unfortunately that didn't solve
the problem either.  When I ran McAfee's SCAN program, it detected the virus
still on the system.  However, the only problem that was manifesting itself was
the inability to load RAMDRIVE on bootup.  The error message -

	RAMDRIVE:Insufficient memory

kept appearing.

In the end I never did find out where the infection came from.  Several
floppies were also infected, but that could have been as a result of
interaction with the hard drive when copying files, etc.

Finally, I took the following steps and that seemed to get rid of it:

1. I opened the boot sector/partition table of the hard disk with NORTON
   UTILITIES and overwrote the entire disk area with a value of "0" manually.

2. I used the NORTON INTEGRATOR WIPEDISK program to wipe the hard disk three
   times with a value of "0".

3. I then re-partitioned the hard disk and reformatted with DOS FORMAT /v/s.

4. I have created a SAFE BOOT disk by copying my original system files (DOS
   3.3) onto a floppy and write-protected it.  I placed an AUTOEXEC.BAT file on
   it that restricts the path (SET PATH=A:\).  I use it when I am running a
   floppy for the first time or one of questionable origin by rebooting the
   computer with SAFE BOOT and running the McAfee SCAN program from drive "B:"
   (I have two floppy drives).

   If I find a floppy with a virus (particularly [Stoned]) on it, I open its
   boot sector with write-protected NORTON UTILITIES disks, overwrite it with a
   value of "0", copy each individual file over to a scanned and clean floppy,
   and format the infected floppy.  Then I scan the second floppy to ensure
   that the virus didn't transfer in the file copying and perform DISKCOPY to
   restore the original floppy.

   So far this method seems to have kept my hard drive virus free.

5. This is a poor man's way of virus protection.  Very cumbersome, but I do not
   want to have to go through an emergency backup of the hard disk again!

Hope this helps.  Good luck to your friend.

______________________________________________________________________________
DISCLAIMER: Any views expressed here are mine alone and
	    do not represent those of this organization
    email : jhp@apss.ab.ca  (...UUCP!alberta!aunro!apss!....)
     mail : 10320 - 146 St., Edmonton, Alberta, Canada  T5N 3A2

    phone : (403) 451-7151
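Herb's steps 1 to 3, and the FDISK/FORMAT run that did not help before them, both come down to which bytes of the first sector get rewritten: the boot code in bytes 0..445, the partition table at offset 0x1BE, and the 0x55AA signature at the end.  The Python below is an added example, not code from either poster: it parses a constructed 512-byte MBR image, flags the plaintext the original Stoned boot code is known to carry, and shows that rewriting only the partition table leaves that code in place while zero-filling the whole sector, as in step 1, does not.  The sample images are constructed, and the table-only rewrite models a generic partitioning tool that leaves boot code alone, not any particular FDISK version.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 0x1BE          # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xAA"          # bytes 510-511 of a valid boot sector
# Plaintext the original Stoned boot code carries; a naive but useful indicator.
STONED_MARKERS = (b"Your PC is now Stoned!", b"LEGALISE MARIJUANA!")


def parse_partitions(mbr: bytes) -> list:
    """Decode the partition table into status, type, LBA start and sector count."""
    table = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype:                           # type 0 marks an unused slot
            table.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return table


def inspect_mbr(mbr: bytes) -> dict:
    """Report what a scanner cares about: boot-code state and any Stoned text."""
    bootcode = mbr[:PART_TABLE_OFF]
    return {
        "valid_signature": mbr[510:] == BOOT_SIG,
        "bootcode_zeroed": not any(bootcode),
        "stoned_marker": any(m in bootcode for m in STONED_MARKERS),
        "partitions": parse_partitions(mbr),
    }


def make_mbr(bootcode: bytes, table: bytes = b"") -> bytes:
    """Assemble a constructed 512-byte MBR image from boot code and a table."""
    return bootcode.ljust(PART_TABLE_OFF, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIG


def repartition(mbr: bytes, table: bytes) -> bytes:
    """Model a partitioning tool that rewrites only the table, not the boot code."""
    return mbr[:PART_TABLE_OFF] + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed samples: one bootable FAT16 partition starting at LBA 63 (~20 MB).
FAT16_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 40960)
CLEAN = make_mbr(b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 40, FAT16_ENTRY)
INFECTED = make_mbr(b"\xEA\x05\x00\xC0\x07" + b"\x90" * 100 + STONED_MARKERS[0], FAT16_ENTRY)
WIPED = bytes(SECTOR_SIZE)      # step 1 of the post: every byte of the sector set to 0

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("infected", INFECTED),
                      ("repartitioned", repartition(INFECTED, FAT16_ENTRY)), ("wiped", WIPED)):
        print(name, inspect_mbr(img))
```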