
Virus:Boot/Stoned


First posted on 27 July 2010.
Source: SecurityHome

Aliases :

There are no other names known for Virus:Boot/Stoned.

Explanation :

A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.

Additional Details

Virus:Boot/Stoned is a simple virus that seems to have been designed to be harmless. Due to a mistake, however, it did not quite work out that way. Stoned is able to infect the boot sectors of floppy disks. The virus has spawned a large number of variants.

A computer infected with this virus will sometimes display the following message when it starts.

Your computer is now stoned.

Stoned was one of the most widespread viruses in existence.


Infection

On an infected diskette, the original boot sector is stored on track 0, head 1, sector 3. This is the last sector of the root directory on a 360K diskette, so this will work unless the root directory contains more than 96 files, which is rather unlikely. Overwriting this sector on a 1.2M diskette is, however, much more likely to cause damage.
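The sector arithmetic behind this paragraph, as an added example that is not part of the original write-up: it maps track 0, head 1, sector 3 onto the root directory of each diskette format and reports which directory entries live in that sector. The geometry values are the standard DOS FAT12 layouts for 360K and 1.2M diskettes, which are assumed here because the page does not list them; all names in the code are illustrative.

```python
from dataclasses import dataclass

SECTOR_SIZE = 512      # bytes per sector on both formats
DIR_ENTRY_SIZE = 32    # bytes per FAT directory entry

@dataclass(frozen=True)
class FloppyFormat:
    name: str
    sectors_per_track: int
    heads: int
    reserved_sectors: int   # the boot sector
    fat_count: int
    sectors_per_fat: int
    root_entries: int

# Standard DOS FAT12 layouts (assumed here; the page gives only the CHS address).
FMT_360K = FloppyFormat("360K", 9, 2, 1, 2, 2, 112)
FMT_1200K = FloppyFormat("1.2M", 15, 2, 1, 2, 7, 224)

def chs_to_lba(fmt, cylinder, head, sector):
    """Convert a CHS address (sector is 1-based) to a 0-based logical sector."""
    return (cylinder * fmt.heads + head) * fmt.sectors_per_track + (sector - 1)

def root_dir_range(fmt):
    """Return (first, last) logical sectors occupied by the root directory."""
    first = fmt.reserved_sectors + fmt.fat_count * fmt.sectors_per_fat
    count = fmt.root_entries * DIR_ENTRY_SIZE // SECTOR_SIZE
    return first, first + count - 1

def entries_overwritten(fmt, cylinder=0, head=1, sector=3):
    """Return the 1-based (first, last) root directory entries stored in the
    given sector, or None if that sector lies outside the root directory."""
    lba = chs_to_lba(fmt, cylinder, head, sector)
    first, last = root_dir_range(fmt)
    if not first <= lba <= last:
        return None
    per_sector = SECTOR_SIZE // DIR_ENTRY_SIZE
    start = (lba - first) * per_sector + 1
    return start, start + per_sector - 1

if __name__ == "__main__":
    for fmt in (FMT_360K, FMT_1200K):
        lo, hi = entries_overwritten(fmt)
        print(f"{fmt.name}: track 0/head 1/sector 3 holds root entries "
              f"{lo}-{hi}; safe only while at most {lo - 1} entries are used")
```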

Variants

There are a large number of Stoned variants, many with no significant differences. The most notable are:

- This virus
This variant is one of several politically motivated viruses and contains the message:

"Bloody! Jun. 4, 1989".

- Swedish Disaster
This virus contains the string "The Swedish Disaster", which may indicate it was written in Sweden.

- Manitoba
Closely related to the original Stoned, Manitoba's main difference is that on floppies it does not store the original boot sector anywhere; it simply overwrites it. Manitoba allocates two kilobytes of memory while resident and corrupts 2.88MB EHD floppies while infecting them. Manitoba has no activation routine. It was probably written at the University of Manitoba.

- NoInt
NoInt was also known as Stoned III. It infects boot sectors on diskettes and Master Boot Records (MBRs) on hard disks. It infects a hard disk only if you try to boot from an infected diskette. The virus will be loaded into memory if the hard disk is infected and the machine is booted from it. Once the virus is in the memory, it will infect all diskettes that are used in the machine, unless the diskettes are write protected. It is sufficient to enter a command like DIR A: to get a diskette infected.

NoInt tries to prevent other programs from detecting it by causing read errors when an attempt is made to access the partition table. It does nothing else visible and contains no text strings. It is possible, though, that it indirectly causes damage to directories. The amount of base memory decreases by 2 kB.

- Flame
This virus is a standard boot sector infector that will infect the MBR or the boot sector of a floppy. If the computer is booted from an infected floppy, the virus immediately attempts to infect the MBR of the hard disk.

Once Flame is active in memory, any operation on a non-infected floppy will result in infection. The virus reserves 1KB of DOS memory. It stores the original boot sector or MBR at cylinder 25, sector 1, head 1, regardless of what media is infected.

Flame saves the current month when it infects a system. When the month changes, it activates by displaying coloured flames on screen and overwriting the MBR.

- Angelina
This Stoned variant has stealth mechanisms. It was probably written in Poland and contains the following text:

Greetings for ANGELINA!!!/by Garfield/Zielona Gora

Zielona Gora is a town in Poland. In October 1995, Angelina was found on new Seagate 5850 (850MB) IDE drives which were still factory sealed.

Last update 27 July 2010

 
