Stoned
Type: Boot sector virus
Date Discovered: 1988.02
Place of Origin: Wellington, New Zealand
Source Language: Assembly
Platform: DOS
Infection Length: 512 bytes

Stoned is a large family of boot sector viruses dating from early in 1988. Prominent members of this family include the infamous Michelangelo virus, which caused a great deal of panic in the early 1990s, and the Angelina virus from 1994, which reappeared in 2007 on infected laptops.

Behavior

When the computer boots from an infected disk, the Stoned virus becomes resident in memory. If the computer is booting from a disk other than the hard drive, the virus will check the hard drive's Master Boot Record and infect it if it is clean. Upon infecting a floppy disk, Stoned moves the Master Boot Record to sector 11 and places itself in sector 0. Upon infecting the hard drive, it moves the Master Boot Record to side 0, cyl 0, sector 7 and places itself in side 0, cyl 0, sector 1. It only infects 360 kilobyte 5.25 inch floppies and hard drives.

Once in memory, the virus will infect the Master Boot Record of any diskette accessed. It cannot reinfect the hard drive. Even if the virus is removed from the Master Boot Record while it is in memory, it will not attempt to reinfect the hard drive.

There is a 1 in 8 chance that upon booting, Stoned will deliver its payload, causing the infected computer to beep and display its message:

Your PC is now stoned! LEGALIZE MARIJUANA!

The virus does not intentionally damage anything, but when the virus moves the original boot sector to sector 11 on 5.25 inch floppy disks, any files with directory entries on that sector will be lost. Some versions of DOS use sector 11 as part of the File Allocation Table, which can cause the disk's FAT to be corrupted.
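
An added example (not from the original page or from any antivirus product): a Python check over an offline raw image of a hard disk's first track. It looks in sector 0 for text strings quoted on this page, and for an MBR-like copy in the cylinder 0, side 0 sectors this page names for Stoned and for the Angelina, Ebpr, Scale, Dinamo and Sex variants. The function names, the geometry defaults and the sample images are assumptions constructed for illustration.

```python
SECTOR = 512
# Hard-disk slots (cylinder 0, side 0, sector N) where this page says the
# original MBR is moved, mapped to the variants it names for each slot.
SLOTS = {7: ["Stoned", "Sex"], 2: ["Angelina"], 6: ["Ebpr"],
         8: ["Sex"], 9: ["Scale"], 11: ["Dinamo"]}
# Text strings quoted on this page; compared case-insensitively.
MARKERS = [b"Your PC is now stoned!", b"LEGALIZE MARIJUANA!",
           b"Greetings for ANGELINA!!!"]

def chs_to_lba(cyl, head, sector, heads=16, spt=63):
    """Standard CHS-to-LBA mapping; the geometry defaults are assumptions."""
    return (cyl * heads + head) * spt + (sector - 1)

def looks_like_mbr(sec):
    """True if the sector has the 55 AA signature and a plausible partition table."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    entries = [sec[446 + 16 * i:462 + 16 * i] for i in range(4)]
    return all(e[0] in (0x00, 0x80) for e in entries) and any(e[4] for e in entries)

def scan_image(image):
    """Report page-listed strings in sector 0 and MBR-like copies in the slots."""
    boot = image[:SECTOR].lower()
    markers = [m.decode() for m in MARKERS if m.lower() in boot]
    displaced = []
    for sector, variants in sorted(SLOTS.items()):
        lba = chs_to_lba(0, 0, sector)
        if looks_like_mbr(image[lba * SECTOR:(lba + 1) * SECTOR]):
            displaced.append((sector, variants))
    return {"markers": markers, "displaced_mbr": displaced}

def make_mbr():
    """Constructed sample: one active FAT16 partition entry plus signature."""
    sec = bytearray(SECTOR)
    sec[446:462] = (bytes([0x80, 1, 1, 0, 0x06, 15, 63, 100])
                    + (63).to_bytes(4, "little") + (100000).to_bytes(4, "little"))
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def make_samples():
    """Constructed images (no virus code): a clean track 0 and one laid out as described."""
    mbr = make_mbr()
    clean = mbr + bytes(62 * SECTOR)
    fake_boot = (b"\x90" * 16 + MARKERS[0]).ljust(510, b"\0") + b"\x55\xaa"
    moved = fake_boot + bytes(5 * SECTOR) + mbr + bytes(56 * SECTOR)
    return clean, moved

if __name__ == "__main__":
    for name, img in zip(("clean", "moved"), make_samples()):
        print(name, scan_image(img))
```

Run it against an image taken after booting from clean media, because the stealth variants described on this page redirect reads of the sectors they occupy while resident.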

Origin

The Stoned virus was supposedly programmed by a student at the University of Wellington in New Zealand. Its existence supposedly goes back as far as 1987, but the earliest date that can be found on it from anything official is 1988 February.

After the virus made a few prominent appearances in Australia, accusations were made against the New Zealand Defense Department alleging it created the virus. Among the motives suggested was that the New Zealand military felt slighted for having been excluded from the Kangaroo 89 military exercises in Northern Australia. The Department spokesman denied the accusations and said it would be "totally irresponsible" for a military organisation to release a virus.

Variants

The Stoned virus became very popular and many variants of the virus appeared, some of them becoming very prominent. Michelangelo is often considered a variant of Stoned.

Angelina

Stoned.Angelina, discovered on 1994.01.05, is mostly similar to the original Stoned virus with a few notable exceptions. This variant moves the original boot sector of a hard disk to side 0, cyl 0, sector 2. On floppies, it calculates the last sector of the root directory and moves the original MBR there. The virus also has stealth capabilities that redirect any reads of the places where the virus is stored on both floppies and hard disks. The variant contains a body of text that is never displayed on the screen:

Greetings for ANGELINA!!!/by Garfield/Zielona Gora

The text string indicates the possible location of the virus's origin.

This virus has caused major embarrassments for several companies on two occasions. In 1995 October, Seagate 5850 (850MB) IDE hard drives which were factory-sealed were found to have the virus. Again in 2007 September, Medion laptops sold by the Aldi retail chain in Germany and Denmark were found to have been infected with the virus, which by then was over 13 years old. In addition to Windows Vista, the laptops came with Bullguard Antivirus preinstalled, which detected, but failed to remove, the virus.

Many considered getting the old virus a novelty. The juxtaposition of an ancient virus with new computers and operating systems caused some people to become a bit nostalgic for an era when computer viruses were intelligent and humorous, as opposed to the malware of the day, which was mostly used for spamming, phishing, pop-ups and other shady if not completely illegal activities.

Many news outlets reported that Windows Vista had been infected with the virus. This is technically incorrect. Boot sector viruses do not infect the operating system unless they are multipartite viruses. In addition, the virus may not be able to stay in memory under newer operating systems, therefore one would need to have a floppy in the drive while the computer is booting in order for that disk to be infected. Most new laptops do not even have a floppy drive of any kind on the laptop itself, therefore one would need a USB floppy drive.

C, D

Stoned.C corrupts the Disk Partition Table while attempting to infect the MBR.

Stoned.D erases the entire hard disk on October 1.

Alive

This virus uses a stealth algorithm when the MBR of the infected hard drive is accessed. After the 240th (F0h) INT 13h call, it displays the message in the top middle part of the screen:

A AM ALIVE

AntiExe

This is a stealth virus. It may disable the execution of some .exe files.

Antigame

This variant disables INT 1 and INT 3 (it sets these vectors to an IRET instruction). It disables some video modes (it sets the video mode back to the standard one).

Azusa

Azusa, also known as Hong Kong, makes no attempt to save the original MBR. On a 360 kilobyte floppy, it overwrites the sector at Track 39, Head 1, Sector 8, the end of the disk. In some higher capacity floppies, this is in the middle of the disk. This variant may also interfere with printer operations after 32 boots, since it disables the system's COM1 and LPT1 ports.

Bloomington

Also known as NoInt, this variant can infect a disk when a user types a command like "DIR A:". Bloomington tries to prevent other programs from detecting it by causing read errors when an attempt is made to access the partition table.

Beijing

This variant, also known as June_4th or Bloody, is similar to the original, although it contains the message "Bloody! Jun. 4, 1989". The date is likely a reference to the Tiananmen Square Massacre.

Copy77

The 77th generation of this variant virus displays:

Copy 77 in job ...

Daniela

The Daniela variant deletes all system files on the hard disk or floppy it is booted from. The MBRs will contain the text:

Eu Te Amo Daniela

Dinamo

Dinamo stores the copy of the original MBR on cylinder 0, side 0, sector 11. It uses 2 kilobytes of memory. When there is an error during the infected boot process, this variant will decrypt and display a message on the screen:

Dinamo(Kiev)-champion !!!

DiskWash

This variant formats disk sectors and displays the message:

From DiskWasher with love

Ebpr

Also known as Kiev, this variant possibly originates in Russia or Ukraine. It moves the MBR on hard drives to cylinder 0, side 0, sector 06. It uses 2 kilobytes of memory.

EmpireMonkey

EmpireMonkey is able to infect most disk types, but has some problems with 2.88 megabyte ED diskettes. On that type of disk, it partially overwrites the File Allocation Table. This virus moves and encrypts the MBR and partition table of the hard drive. If the system is booted from a clean disk, it will not find the hard drive because of this and the error message "Invalid drive specification" will show on the screen. The virus will not be noticeable if the system is booted from an infected disk or the infected hard drive. It takes up 1 kilobyte of memory.

EmpireMonkey originated in Edmonton, Alberta, Canada in 1991. It quickly spread to the UK, USA and Australia. For some time it was one of the most common viruses in the world.

Face

Stoned.Face erases the FAT of the floppies with data which is placed at the offset FACEh (FACE is hexadecimal for 64,206).

Flame

Also known as Stamford, this variant will infect a disk regardless of what operation is carried out on it. The virus stores the original boot sector or MBR at cylinder 25, sector 1, head 1 regardless of what media is infected and reserves one kilobyte of memory. Its payload displays colored flames on the screen.

GKCHP

This virus has stealth capabilities. It erases some hard drive sectors during the 90th boot of the virus. It also contains some text in Russian.

Hysteria

On October 19, this variant erases disk sectors and displays the message "Turbo Hysteria".

IntFF

IntFF changes keyboard scancodes, making the pressed key display something different from what the user intended. It searches the buffer being written for the INT 21h command and changes it to INT FFh.

Lch15

This variant is a stealth virus. After the 90th boot with the virus from the infected hard drive, it will attempt to erase part of the CMOS memory (a part of the computer that contains passwords for the BIOS). It then erases the hard drive. It contains two strings of text:

   Lch15
   For pirates

LovChild

LovChild has stealth capabilities. It may also destroy data on the hard drive.

Love

This variant has at least two subvariants. Both the A and B variants contain a string of text:

    Your PC is now ST NED in L VE with AT
    = "heart" symbol

Stoned.Love.A contains another string:
   From U of A with L VE  
   = "heart" symbol

The B variant has a 1 in 8 chance of displaying the text string common to both viruses.

Manitoba

Stoned.Manitoba simply overwrites the MBR rather than replacing it. While resident, it allocates two kilobytes of memory. The virus corrupts 2.88MB EHD floppies while infecting them. It has no activation routine. Antivirus experts believe it originated at the University of Manitoba.

May21

This variant disinfects floppy disks that are infected with Michelangelo. On May 21, it displays the message "ANTI March6 Karpachev Dmitr.".

Million

This variant does not save the original MBR. It overwrites the OEM message of the floppy boot sector with the string "1000000". It also displays "Non-System disk" when booting from an infected floppy.

NearDark

There are two subvariants of this variant. There is a 1 in 16 chance that they will erase the MBR and display the text: "Near Dark".

Nov7

When the system is booted in October, this variant displays a face symbol (01h ASCII). On November 7, it erases the MBR.

PC-AT

This variant is encrypted, but the message it contains is not.

   PC AT
   = "heart" symbol

Rostov

When booting from an infected floppy, there is a 1 in 32 chance that the virus will delete eight sectors on the hard drive.

Scale

This variant saves the original MBR of floppies and hard drives at track 0, cylinder 0, sector 9. Sometimes it plays a tune (a scale).

Sex

There are two subvariants of this variant. They save the MBR of a floppy to sector 3 and, on the hard drive, to cylinder 0, side 0, sector 8 or 0/0/7. Depending on the subvariant, it displays the message:

   "Stoned.Sex.a":  EXPORT OF SEX REVOLUTION ver. 1.1
   "Stoned.Sex.b":  EXPORT OF SEX REVOLUTION ver. 2.0

Spook

While infecting the hard drive, this virus writes 8 sectors to sectors 1-9 of the hard drive and, as a result, can erase the system information. It contains the text strings:

   Spook 1.0
   LIM

Swedish

This variant contains the text string "Swedish Disaster", indicating its possible origin.

Torm

When booting from an infected disk, there is a 1 in 8 probability that this variant will display the message:

   Repent for ye shall be tormented...
   Tormentor B - RABID Int'nl Dev. Corp. '91

WXYC

This variant infects the first boot sector but not the MBR of the hard drive. It contains two text strings:

   JAM WXYC
   WXYC rules this roost!

It may display the second string.

Zappa

On December 4, this virus erases disk sectors. It will also display the message "Dedicated to ZAPPA…".

Zapped

Zapped displays a message: "ZAPPED YOU!".

It may also erase disk sectors.

Other Variants

These are variants of the Stoned virus on which there is too little information, or which are too similar to the original to warrant a description. Variants that differ from the original or from another variant in only one behavior or feature are listed here with that difference in parentheses.

  • Archub
  • Arcv
  • Aragon (encrypted)
  • AT
  • BackUSSR
  • Bite
  • BlackWorm
  • Bravo
  • Bunny
  • Cancer (displays message: "This computer is dying of cancer!")
  • Dallas
  • Damcdoom
  • Diablo
  • Digital93
  • Donald (displays text: "Donald Duck is a lie!!!")
  • Elythnia (with a 1 in 8 probability, displays: "Aaronexus of Elythnia!")
  • Gozar (decrypts and displays a message on November 11: "Gozar lives !")
  • Int_0B
  • Int_AA
  • Intruder
  • Ivt
  • J&M
  • Jugador
  • Kanishka
  • Kenya
  • KL
  • Knight
  • Konstantin
  • Lavot (decrypts and displays a message: "LAVOT NO ENSE?A")
  • Leo (On April 2, displays the message: "Happy birthday to Leo!")
  • Lera
  • Leszop (decrypts and displays a message: "leszoptad!")
  • Light (decrypts and displays a message: "(c)Light General THE LAST TEMPTATION")
  • Loa (plays a tune)
  • Lock
  • Love
  • Loy
  • Lpt
  • Lucky (decrypts and displays a message: "I wish you a lucky")
  • Lzr
  • Magic
  • March29 (erases disk sectors on March 29)
  • Mexican (may display text: "NO VOTES FOR EL PRI".)
  • MidNigh (displays message at midnight: "IT'S MID NIGH")
  • Mikola (prints "Mikola.b" when booting an infected disk)
  • Military (attempts to format the hard drive in November)
  • Minkin
  • Myrd
  • Nichols (periodically displays text "[Nichols] by Apache")
  • NoMsg
  • Satria (displays a picture)
  • Scrlock (disables writing to the hard drive if the Scroll key is pressed)
  • Scroll (scrolls the screen if Numlock is pressed and Scroll is released)
  • Sepultura
  • Service
  • Spirit
  • Survivor
  • Tiebud
  • TurboManiac (displays on October 19: "The Turbo Maniac was here..")
  • Vaucher
  • W-Boot
  • YMP (on 1st of every month displays "HAVE A NICE DAY (c)YMP")
  • Zaboot

Unconfirmed Variants

Reports of these variants come mostly from an extensive, if poorly sourced, Wikipedia entry; therefore, their existence cannot be confirmed. Some of them may simply be a different name for a variant listed above. Others may not exist at all.

  • Damien
  • Flushed
  • Laodung
  • NOP (http://wiw.org/~meta/vsum/view.php?vir=1306)
  • Nulls
  • Sanded
  • Sonus
  • Teraz
  • WD1 to WD7

Effects

Stoned was one of the most long-lived viruses in history, making appearances in three decades. It spread from New Zealand to Australia, North America and Europe.

Computers at the New Zealand Defense Department had problems with the virus. The Department ended up using this fact against critics from Australia who accused the Department of creating the virus.

The virus had been a problem in Australia since June of 1989. A Melbourne man was charged with computer trespass for loading the virus at Swinburne Institute of Technology. In early August of 1989, it infected computers at the Australian Defense Department's division for the prevention of computer viruses. The virus infected computers at the department only a couple of weeks later. Stoned made it into a sensitive area of the department in Canberra and allegedly destroyed important data.
