70033.1271@CompuServe.COM (Steve Albrecht) (07/27/90)
> From: Yavuz Selim KOMUR <OP@TRAKDEN.BITNET>
> Subject: Stoned Virus Clear (PC)
>
> Hello Virus networker.
> We have the Stoned virus in a PC. How can I clear the virus from the
> partition table? I tried to format the hard disk two times, but I
> wasn't successful. Thanks for your comments.
>
> Yavuz.

Yavuz,

In response to an occurrence of the Stoned virus in India and at our headquarters here in Rhode Island, the following are the procedures which we directed our MIS personnel to use to remove the Stoned virus.

The Stoned virus (or the New Zealand virus) resides in the partition table (reference: The PC Virus Control Handbook, International Security Technology, Inc., p. 48). If an infected floppy diskette is used to boot a machine, the virus will copy itself into the partition table on the hard disk of the computer, regardless of whether or not the floppy diskette is a system diskette. If a hard disk is infected with this virus, the partition table of any DOS formatted diskette will subsequently be infected if it is accessed after a normal hard drive boot.

The virus sits in the first physical sector on the hard disk and the first physical sector on a floppy disk. The text strings "Your PC is now Stoned" and "LEGALISE MARIJUANA" will reside in the partition table. Use a utility such as NORTON UTILITIES, ADVANCED EDITION, to search for the text strings in Side 0, Cylinder 0, Sector 1 (in Absolute Sector mode) of the hard disk or a floppy disk.

On a floppy disk the first physical sector is also the first logical sector, which is also occupied by the boot track. The partition table and the boot track on a floppy disk are effectively the same thing. On a hard disk, the first physical sector (occupied by the partition table) and the first logical sector (occupied by the boot track) are two very different sectors.

Because the virus resides in the first physical sector of a hard disk, DOS FORMAT.COM will not destroy it. FORMAT.COM works on the logical drive, not the physical drive. Furthermore, DOS FDISK.COM will not remove the virus in all cases. I experienced one case where FDISK did overwrite the virus, but two cases where it did not.

USE DISK MANAGER TO LOW-LEVEL FORMAT, RE-PARTITION, AND HIGH-LEVEL FORMAT THE HARD DISK. Low-level formatting the hard disk and rewriting the partition table will remove the virus. SPINRITE may be equally effective, but I have not yet tested it. (Note: There may be other equally effective utilities for a low-level format and for writing a new partition table, but these are the tools which our MIS personnel have.)

It is also possible to repartition the hard disk with DISK MANAGER, overwriting the partition table and the virus with a new partition table WITHOUT destroying the contents of the hard disk. I have done this only once, and I cannot say that this operation will work in every case or will overwrite the virus in every case, but it is certainly worth a try. However, YOU MUST HAVE a current backup available in case this fails, AND YOU MUST BE ABLE to check the partition table after the operation to make certain that the repartitioning alone overwrites the virus.

Because the virus resides in the first logical sector on a floppy disk, it is important that you not back up the hard disk with DOS. A DOS backup disk will have a DOS format, meaning that the partition table and boot track are created by DOS. If this format is created from a computer where the hard disk is infected with this virus, the partition table and the boot track on the diskettes will be infected. Thus, if one of these diskettes is used to boot a machine by accident, the partition table on the hard disk will be reinfected. It is unlikely that the partition table on the hard disk will be reinfected by a restore operation alone, but DO NOT TAKE THE CHANCE WITH DOS UNLESS IT IS THE ONLY BACKUP METHOD AVAILABLE.

Making a backup with FASTBACK will not create infected diskettes, because FASTBACK does not use a DOS format. Thus, restoring a hard disk backup created with FASTBACK while the partition table was infected presents no danger of reinfecting the hard disk.

I hope that this has been helpful, and I also welcome comments from others concerning procedures to remove the Stoned virus.

Steve Albrecht
MIS Field Services
PLAN International
70033,1271@compuserve.com
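The check Steve describes (search Side 0, Cylinder 0, Sector 1 for the two text strings, then read the partition table to confirm what the repartitioning left behind) can be done on a raw sector dump instead of by hand in a sector editor. The script below is an added example, not part of the original thread or of any tool named in it; the sample sector bytes it builds are constructed, and the offsets at which it places the strings are arbitrary, not the virus's real layout.

```python
import struct

# Text strings the post says reside in the first physical sector of an infected disk.
STONED_STRINGS = [b"Your PC is now Stoned", b"LEGALISE MARIJUANA"]
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR or floppy boot sector
SECTOR_SIZE = 512
PTABLE_OFFSET = 446            # four 16-byte partition entries start here in an MBR

def parse_partition_table(sector):
    """Decode the four MBR partition entries: bootable flag, type, LBA start, size."""
    entries = []
    for i in range(4):
        off = PTABLE_OFFSET + 16 * i
        boot, _chs_start, ptype, _chs_end, lba_start, nsectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        entries.append({"bootable": boot == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": nsectors})
    return entries

def check_sector(sector):
    """Report on one 512-byte image of Side 0, Cylinder 0, Sector 1 (hard disk or floppy)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one %d-byte sector" % SECTOR_SIZE)
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "stoned_strings": [s.decode() for s in STONED_STRINGS if s in sector],
        "partitions": parse_partition_table(sector),
    }

def scan_image_file(path):
    """Check the first sector of a raw disk image file, e.g. one dumped with dd."""
    with open(path, "rb") as f:
        return check_sector(f.read(SECTOR_SIZE))

def build_sample_mbr(infected):
    """Constructed test sample: a minimal MBR with one bootable FAT16 partition.
    With infected=True the two strings are placed in the code area at arbitrary
    offsets; this does not reproduce the real virus layout."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\xFE\x90"   # jump-to-self stub standing in for boot code
    if infected:
        sec[0x150:0x150 + len(STONED_STRINGS[0])] = STONED_STRINGS[0]
        sec[0x170:0x170 + len(STONED_STRINGS[1])] = STONED_STRINGS[1]
    sec[PTABLE_OFFSET:PTABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x0F", 63, 65536 - 63)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)
```

Run `check_sector` on a dump taken before and after repartitioning: if `stoned_strings` is still non-empty afterwards, the partition table was not actually overwritten, which is the verification step the post insists on.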
aslakson@uunet.UU.NET (Brian Aslakson) (07/29/90)
70033.1271@CompuServe.COM (Steve Albrecht) writes:

>> From: Yavuz Selim KOMUR <OP@TRAKDEN.BITNET>
>> We have the Stoned virus in a PC. How can I clear the virus from the
>> partition table? I tried to format the hard disk two times, but I
>> wasn't successful. Thanks for your comments.
>...
>USE DISK MANAGER TO LOW-LEVEL FORMAT, RE-PARTITION, AND HIGH-LEVEL
>FORMAT THE HARD DISK. Low-level formatting the hard disk and re-
>...

WRONG!!!! DON'T do this!! It is unnecessarily complicated/roundabout/unnecessary. The following is what worked for me to disinfect several hard drives and floppies that were infected with the Stoned virus (and some with Jerusalem B):

1. Make backups. The ones I worked on had a complete setup stored on a server, and data files were the users' responsibility (made it easier). I like the idea of using Fastback, like Steve mentions. I'd only back up data files, though, and use the original, write-protected floppies to put the programs back on.

2. Get SCAN.EXE from an ftp site or get it from McAfee's BBS. (ftp is probably the better choice, hey?) I think that mibsrv.mib.eng.ua.edu and rascal.ics.utexas.edu (134.82.1.1) have the latest version (SCANV64.ZIP, I think). Also get CLEAN.EXE (archived as (I think) CLEANV64.ZIP). Download it to a clean machine (boot from a clean, write-protected system disk, and don't use any executables off the hard drive, only off an original write prote....) At worst, the SCAN program would get infected, but would probably still work. Read the documentation.

3. Read the manual. Use SCAN.

4. Boot from a clean write-protected floppy, and use CLEAN.EXE to clean up the infection. (Of course, read the manual for it!)

4.5 There are other products out there, I just know and respect SCAN. Check out the ftp site's archives, and get what looks good. Have backups, and read the manual!

5. The way I heard it, sometimes ya lose it. On floppies, if there are subdirectories, you end up with everything in the root dir. If this happens, go back and pretend your drive is brand new, and start fresh. From low-level.

6. I had NO NO NO trouble, and things worked fine after that.

7. I have a buddy who prefers the FPROT set. I don't know it, but whatever works best for you.

8. If you get saved money (time, hair pulling), it might be worth it to send in a shareware registration to whoever wrote the anti-virus product you use. (I still haven't, but I will, really!)

9. Let me know what happens (especially when you SCAN'd, did you find other viruses?).

10. I have a clone of my own (always clean so far!!), in spite of the signature (I can't afford a Mac).

- --
Macintosh related: mac-admin@cs.umn.edu
All else: aslakson@cs.umn.edu