Stoned (computer virus)

Stoned
Hex dump showing "Your PC is now Stoned!" statement at the last 512-byte sector of Master Boot Record
TypeComputer virus
SubtypeBoot virus
OriginNew Zealand
AuthorsUnknown
Technical details
PlatformDOS

Stoned is a boot sector computer virus created in 1987. It is one of the first viruses and is thought to have been written by a student in Wellington, New Zealand.[1][2] By 1989 it had spread widely in New Zealand and Australia,[3] and variants became very common worldwide in the early 1990s.[4]

A computer infected with the original version had a one in eight probability[5][6] that the screen would declare: "Your PC is now Stoned!", a phrase found in infected boot sectors of infected floppy disks and master boot records of infected hard disks, along with the phrase "Legalise Marijuana". Later variants produced a range of other messages.

Original version

The original "Your PC is now stoned. Legalise Marijuana" was thought to have been written by a student in Wellington, New Zealand.[1][7]

This initial version appears to have been written by someone with experience only with IBM PC 360KB floppy drives, as it misbehaves on the IBM AT 1.2MB floppy, or on systems with more than 96 files in the root directory. On higher capacity disks, such as 1.2 MB disks, the original boot sector may overwrite a portion of the directory.

The message displays if the boot time was exactly divisible by 8. On many IBM PC clones at the time, boot times could vary, so the message would display randomly (1 time in 8). On some IBM PC compatible machines or on original IBM PC computers, the boot time was constant, so an infected computer would either never display the message or always display the message. An infected computer with a 360K disk and a 20MB or less hard disk, which never displayed the message was one of the first examples of an asymptomatic virus carrier, which would work with no impediment to its function, but which would infect any disks inserted into it.

On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 7. On floppy disks, the original boot sector is moved to cylinder 0, head 1, sector 3, which is the last directory sector on 360 kB disks. The virus will "safely" overwrite the boot sector if the root directory has no more than 96 files.

The PC was typically infected by booting from an infected diskette. Computers, at the time, would default to booting from the A: diskette drive if it had a diskette. The virus was spread when a floppy diskette was accessed with an infected computer. That diskette was now, itself, a source for further spread of the virus. This was much like a recessive gene - difficult to eliminate - because a user could have any number of infected diskettes and yet not have their systems infected with the virus unless they inadvertently boot from an infected diskette. Cleaning the computer without cleaning all diskettes left the user susceptible to a repeat infection. The method also furthered the spread of the virus in that borrowed diskettes, if placed into the system, were now able to carry the virus to a new host. On the other hand setting a clean computer to boot preferentially from the hard disk would prevent infection in the normal course of events.

Variants

The virus image is very easily modified (patched); in particular a person with no knowledge of programming can alter the message displayed. Many variants of Stoned circulated, some only with different messages.

Beijing, Bloody!

The virus has the string "Bloody! Jun. 4, 1989". On this date, the Tiananmen Square protests were suppressed by the People's Republic of China.

Swedish Disaster

The virus has the string "The Swedish Disaster".

Manitoba

Manitoba has no activation routine and does not store the original boot sector on floppies; Manitoba simply overwrites the original boot sector. 2.88MB EHD floppies are corrupted by the virus.

Manitoba uses 2KB memory while resident.

NoInt, Bloomington, Stoned III

NoInt tries to stop programs from detecting it. This causes read errors if the computer tries to access the partition table. Systems infected with NoInt have a decrease of 2 kB in base memory.

Flame, Stamford

A variant of Stoned was called Flame (later unrelated sophisticated malware was given the same name). The early Flame uses 1 kB of DOS memory. It stores the original boot sector or master boot record at cylinder 25, head 1, sector 1 regardless of the media.

Flame saves the current month of the system when it is infected. When the month changes, Flame displays colored flames on the screen and overwrites the master boot record.

Angelina

Angelina has stealth mechanisms. On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 9.

Angelina contains the following embedded text, not displayed by the virus: "Greetings from ANGELINA!!!/by Garfield/Zielona Gora" (Zielona Góra is a town in Poland).

  • In October 1995 Angelina was discovered in new factory-sealed Seagate Technology 5850 (850MB) IDE drives.[8]
  • In 2007 a batch of Medion laptops sold through the Aldi supermarket chain appeared to be infected with Angelina.[9] A Medion press release explained that the virus was not really present; rather, it was a spurious warning caused by a bug in the pre-installed antivirus software, Bullguard. A patch was released to fix the error.[10] The Bullguard malfunction highlights one of the issues (along with loss of performance and frustrating pop-ups asking the user for money) of OEMs pre-installing what Microsoft internally referred to as "craplets" onto Windows PCs to make up for the licensing costs of Windows. Such bloatware is often criticized in the tech media, even from reporters who are usually friendly to Microsoft.[11]

Bitcoin blockchain incident

On 15 May 2014, the signature of the Stoned virus was inserted into the bitcoin blockchain. This caused Microsoft Security Essentials to recognize copies of the blockchain as the virus, prompting it to remove the file in question, and subsequently forcing the node to reload the block chain from that point, continuing the cycle.[12][13]

Only the signature of the virus had been inserted into the blockchain; the virus itself was not there, and if it were, it would not be able to function.[14]

The situation was averted shortly thereafter, when Microsoft prevented the blockchain from being recognized as Stoned.[15] Microsoft Security Essentials did not lose the ability to detect a real instance of Stoned.

See also

References

  1. ^ a b "...a brief history of PC viruses". IBM Research. Archived from the original on 27 October 2012.
  2. ^ "The early days", History of Malware
  3. ^ "Marijuana Virus wreaks havoc in Australian Defence Department". The Risks Digest. 9 (9). 14 August 1989. Retrieved 7 August 2007.
  4. ^ "F-Secure Virus Descriptions : Stoned". F-secure.com. Retrieved 7 August 2007.
  5. ^ "Analysis of Stoned", Peter Kleissner
  6. ^ "The “Stoned” PC Virus" Archived 24 October 2014 at the Wayback Machine, Commented disassembly of virus code at computerarcheology.com
  7. ^ "The early days" Archived 14 February 2013 at the Wayback Machine, History of Malware
  8. ^ "Virus:Boot/Stoned". Retrieved 27 August 2010.
  9. ^ "Boot virus shipped on German laptops". Virus Bulletin. Retrieved 8 January 2008.
  10. ^ "Wichtige Produktinformation zum Notebook MD 96290" (in German). Medion AG. 10 November 2007. Archived from the original on 10 November 2007. Retrieved 11 January 2017.
  11. ^ "Beat it, bloatware: How to clean Superfish and other crap off your PC". PCWorld. 19 February 2015. Retrieved 19 July 2020.
  12. ^ "Microsoft Security Essentials reporting false positives in the Bitcoin blockchain, constantly notifying users". answers.microsoft.com.
  13. ^ Chirgwin, Richard. "Bitcoin blockchain allegedly infected by ancient 'Stoned' virus". The Register.
  14. ^ "A Virus Scare in the Blockchain: Traces of DOS "Stoned" Found • r/Bitcoin". www.reddit.com. 19 May 2014.[user-generated source]
  15. ^ Wei, Wang. "Ancient 'STONED' Virus Signatures found in Bitcoin Blockchain".