a-28.ciac-stoned-virus
97f713fc7d17e96cc4b8991da448eca46811bb5aaf2589c30ef7463f05ac1b33
________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
CIAC
INFORMATION BULLETIN
________________________________________________________________________
The Stoned (Marijuana or New Zealand) Virus on MS DOS Computers
July 12, 1990, 1200 PST Number A-28
________________________________________________________________________
Name: Stoned virus (also known as the Marijuana or New Zealand virus)
Types: At least four known variants
Platform: MS DOS computers
Damage: Not deliberately destructive--however, this virus overwrites
some of boot sector/master boot record on infected disks (see text)
Symptoms: May write "Your computer is now stoned. Legalize marijuana"
or similar message on screen (one variant has this message removed);
may create hard disk errors or the inability to boot
Detection: VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan
Eradication: VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-PROT and others
(contact CIAC for information about these products)
Critical Stoned Virus Facts
_______________________________________________________________________
The Stoned (Marijuana or New Zealand) virus is now one of the most
common viruses among MS-DOS systems. The Stoned virus infects the boot
sector/master boot record of floppy and hard disks. Once resident in
memory, this virus may display a message similar to the following:
Your computer is now stoned. Legalize marijuana.
Although the Stoned virus apparently was not programmed to do damage,
this virus can nevertheless damage a system. The Stoned virus may
overwrite parts of infected disks that contain directory information or
portions of user data files, specifically the boot sector of floppy
disks along with Head 0, Track 0, Sector 3 on a diskette or the master
boot record and Head 0, Track 0, Sector 7 on hard disks. If hard disks
have last been partitioned under DOS 2, this virus overwrites portions
of the File Allocation Table (FAT) as well. The result is overwriting
of data files and indications of disk errors by CHKDSK. Variants of
the Stoned virus produce slightly different effects:
Stoned-B: infection of the hard disk's partition table,
Stoned-C: no displayed message
Stoned-D: infection of high density diskettes
You can detect the Stoned virus with a variety of scan packages such as
VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan. You can
eradicate this virus by using packages such as VIRHUNT, RESSCAN,
CodeSafe, CleanUp, F-PROT. If you cannot obtain a virus removal
utility, we suggest you back up your applications and data from your
hard disk, and then low-level format the disk to ensure that the master
boot record is removed. Boot from a clean, writeprotected operating
system disk, restore your system, and then restore the application and
data files.
After you have cleaned your system, either with an eradication product
or by formating the drive, scan again using a virus detection utility
to ensure that the virus is not present. To ensure that your system
does not immediately become re-infected, be sure to scan all of floppy
disks for the virus as well. To clean floppies you may use one of the
suggested products, or you may format new floppies on a clean system,
then use the "copy" command to copy files from the infected floppies to
the clean ones. Format the infected floppies to reuse them.
The Stoned virus typically spreads wherever floppy disks are shared.
Infections can be easily prevented by adopting sound protection
procedures. The Stoned virus infects hard disks when a PC is booted
from an infected floppy. This virus does not infect applications,
however. If you must boot from a floppy disk, ensure with a virus scan
package that this disk is not infected, and write-protect this disk.
This will prevent your boot disk from becoming infected. (Warning:
under some circumstances the Stoned-infected floppy disk can infect a
machine even if the computer does not have a bootable operating system
on it.)
Additional Note: Basic information about the Stoned virus has been
available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin
A-15 since the beginning of this year.
For additional information or assistance, please contact CIAC:
David S. Brown
(415) 423-9878 or (FTS) 543-9878
FAX: (415) 423-0913, (FTS) 543-0913 or (415) 422-4294
Send e-mail to:
ciac@tiger.llnl.gov
The assistance of Ken Van Wyk and Dave Chess is gratefully
acknowledged. Neither the United States Government nor the University
of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility
for the accuracy, completeness, or usefulness of any information,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark
manufacturer, or otherwise, does not necessarily constitute or imply
its endorsement, recommendation, or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of
the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.