What is the Stoned Virus

What is the Stoned Virus?

The Stoned virus infects the DOS boot sector on floppy disks and the master
boot record (MBR) on the first hard drive (80h). It is not a stealth virus,
it does not infect files, and it cannot infect over networks.

Upon booting from an infected disk, the virus checks the MBR to see if it is
infected. If it isn't, the virus now infects it. This is the only time that
the hard drive can be infected. If you remove the virus from the MBR while it
is active in memory, the MBR will not be reinfected. When you boot from an
infected diskette, there is a 1 in 8 chance that the virus will beep and
print its message.

The infected boot sector or MBR contains the plainly visible message:
"Your PC is now stoned! LEGALIZE MARIJUANA!" starting at offset 18Ah in the
sector. By looking at the floppy boot or MBR sector with a disk editor, you
can verify an infection. There is also a fairly common minor variant, which
most antivirus products detect as the same virus, in which the
"LEGALIZE MARIJUANA" portion of the message has been corrupted.

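The disk-editor check described above can be scripted. The following is an
added example, not part of the original text or of any antivirus product: it
looks for the message at offset 18Ah in a 512-byte sector image and separates
the full message from the variant with the corrupted second half. The function
names, the case-insensitive match, the few bytes of slack around the offset,
and the sample sectors are assumptions constructed for illustration.

```python
SECTOR_SIZE = 512
MSG_OFFSET = 0x18A   # where the page says the message starts
SLACK = 4            # assumption: accept the text a few bytes either side
FIRST = b"YOUR PC IS NOW STONED!"
SECOND = b"LEGALIZE MARIJUANA!"


def classify_sector(sector: bytes) -> str:
    """Classify one boot/MBR sector as 'stoned', 'stoned-variant' or 'no-match'.

    'no-match' only means this message is absent; it does not prove the
    sector is clean (other variants carry different or no text).
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    # Compare in upper case so differences in capitalisation do not matter.
    window = sector[MSG_OFFSET - SLACK:].upper()
    pos = window.find(FIRST)
    if pos < 0 or pos > 2 * SLACK:
        return "no-match"
    tail = window[pos + len(FIRST):]
    return "stoned" if SECOND in tail else "stoned-variant"


def scan_image(path: str) -> str:
    """Check the first sector of a raw disk or diskette image file."""
    with open(path, "rb") as image:
        return classify_sector(image.read(SECTOR_SIZE))


def make_sample(text: bytes, offset: int = MSG_OFFSET) -> bytes:
    """Constructed sample: zero-filled sector with text and the 55AA marker."""
    sector = bytearray(SECTOR_SIZE)
    sector[offset:offset + len(text)] = text
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    samples = {
        "full message": make_sample(b"Your PC is now stoned! LEGALIZE MARIJUANA!"),
        "corrupted tail": make_sample(b"Your PC is now stoned! LEG\x00LIZE MAR\x00JUANA!"),
        "ordinary sector": make_sample(b"Non-System disk or disk error"),
    }
    for label, sector in samples.items():
        print(f"{label:16} -> {classify_sector(sector)}")
```
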
The virus was programmed by a student in New Zealand in 1987. By design, the
virus infects MBRs and the boot sector on 360K disks, and under such
conditions the virus is relatively benign. The virus can, however, damage
data on any floppy disk it infects, and the probability of damage increases
with the capacity of the diskette. For example, on a 1.44 MB floppy, the
virus overwrites entries 17-32 in the root directory.
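
Why the damage grows with capacity can be worked out from the standard DOS
floppy layouts. This added example is not from the original text; it assumes,
which this page does not state, that Stoned saves the original floppy boot
sector at cylinder 0, head 1, sector 3, and it maps that sector onto the root
directory of each format. The format table holds the standard DOS values; the
names used are illustrative.

```python
from typing import NamedTuple, Optional, Tuple

SECTOR_SIZE = 512
DIR_ENTRY_SIZE = 32
ENTRIES_PER_SECTOR = SECTOR_SIZE // DIR_ENTRY_SIZE  # 16 entries per sector

# Assumption (not stated on the page): where the original boot sector is saved.
SAVED_CHS = (0, 1, 3)  # cylinder, head, sector (sectors count from 1)


class FloppyFormat(NamedTuple):
    name: str
    sectors_per_track: int
    sectors_per_fat: int
    root_entries: int
    heads: int = 2
    reserved_sectors: int = 1   # the boot sector itself
    fat_copies: int = 2


# Standard DOS floppy layouts.
FORMATS = {
    "360K": FloppyFormat("360K", 9, 2, 112),
    "720K": FloppyFormat("720K", 9, 3, 112),
    "1.2M": FloppyFormat("1.2M", 15, 7, 224),
    "1.44M": FloppyFormat("1.44M", 18, 9, 224),
}


def chs_to_lba(fmt: FloppyFormat, cyl: int, head: int, sector: int) -> int:
    """Convert a cylinder/head/sector address to a 0-based sector number."""
    return (cyl * fmt.heads + head) * fmt.sectors_per_track + (sector - 1)


def overwritten_entries(fmt: FloppyFormat,
                        chs: Tuple[int, int, int] = SAVED_CHS
                        ) -> Optional[Tuple[int, int]]:
    """Return the 1-based (first, last) root entries that share the saved
    sector, or None when that sector lies outside the root directory."""
    lba = chs_to_lba(fmt, *chs)
    root_start = fmt.reserved_sectors + fmt.fat_copies * fmt.sectors_per_fat
    root_sectors = fmt.root_entries * DIR_ENTRY_SIZE // SECTOR_SIZE
    index = lba - root_start
    if not 0 <= index < root_sectors:
        return None
    first = index * ENTRIES_PER_SECTOR + 1
    return first, first + ENTRIES_PER_SECTOR - 1


if __name__ == "__main__":
    for fmt in FORMATS.values():
        print(f"{fmt.name:6} root entries hit: {overwritten_entries(fmt)}")
```

Under that assumption the 1.44M layout gives entries 17-32, matching the figure
above, while on a 360K diskette the saved sector falls on the last root
directory sector (entries 97-112).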

Most antivirus products use the name Stoned; other names are New Zealand,
Marijuana, Stoned III, and many more.

How does the Stoned Virus Spread?

All floppies have a boot sector, even if they are non-system (non-bootable)
diskettes.  Any time you start or reset the computer with a system (bootable)
or non-system (non-bootable) diskette, the computer will read the boot sector
of the diskette.  Since the Stoned virus is contained in the boot sector, the
virus will activate, move into memory and then infect your hard drive. You
will not see this activity at all.  It happens so quickly that all you will
notice is either an error message such as "non-system disk or disk error" or
the computer booting up to the A: drive. Regardless, if you attempt to boot
from an infected diskette, your hard drive will be infected with the Stoned
virus.

After the hard drive is infected, every time you boot your system you will
load the virus into memory. The virus will check the date first and then
sit in memory waiting for you to access a floppy.  For every floppy you
access, the virus will contaminate the floppy boot record.  You can now see
how easy it is to pass a virus from one system to another.

How to repair the Stoned Virus:

If Hard Drive is Infected with the Stoned Virus:
To repair the Stoned virus, first power off the system, and then reboot from
drive A: with a write-protected system (bootable) diskette that has the same
version of DOS that is installed on the hard drive. 

You can use one of the following repair procedures:

1.  Boot from a RESCUE diskette created with NAV 3.0, as long as it was
    created before the hard drive was infected.

    Once booted up from the Rescue diskette on drive A:, type RESCUE
    and press Enter.

    Select Restore, choose both the Boot Record and Partition Table
    Information, and press Enter.

2.  Boot from a non-infected MS-DOS system (bootable) diskette on drive A:

    Run the Norton AntiVirus DOS Clinic (NAV.EXE) from either the original
    installation diskettes or from your hard drive.

    Select all Local Hard Drives and press Enter on the hard drive.

    Once the Stoned virus is detected (but not in memory), choose the
    Repair option and press Enter.

    If the Stoned virus is detected in memory, then the system (bootable)
    diskette is also infected.

3.  If you have MS-DOS 5.0 or higher (be careful and have a backup):

    Change to the DOS directory on the hard drive.
    Type FDISK /MBR and press Enter.
    Turn off your computer.
    Reboot your computer normally; the Stoned virus should be gone.

Note:  Since the only way this hard drive could be infected with the Stoned
       virus was through an infected diskette, you must scan all your
       diskettes for the Stoned virus.






If Floppy Diskette is Infected with the Stoned Virus:
Make sure you do not try to reboot with this diskette; if you do, you will
infect your hard drive.

If Norton AntiVirus does not repair this virus, it is because you do not have
Norton AntiVirus 2.1 or higher and/or you do not have the latest definitions
file for your version of Norton AntiVirus.  If this is the case, you can
always reformat the diskette that is infected with the Stoned virus.

Note:  It is always wise to have the latest version of NAV and the latest
       definitions for your version.  There are different viruses that might
       act like Stoned, but are not.

Because of this, using the FDISK /MBR switch on a non-Stoned virus might cause
damage to the logical hard drive.

Virus Library Description Information
Virus Information:
Virus Names and Aliases:  The most common names by which the virus is known.
Infects: Defines where the virus attacks or infects
         (Boot Records or File Infector).
Likelihood: Options are: Common and Rare.
Length: Length, in bytes, of the virus code.

Characteristics:
Memory Resident: Stays in memory after it activates.
Size Stealth: Tries to conceal itself from detection by disguising its size.
Full Stealth: Tries to conceal itself from detection by disguising its size and attributes.
Triggered Event: Performs some action based on certain criteria
    (for example a date on the computer's system clock).
Encrypting: Encrypts its code to make detection more difficult.
Polymorphic: Appears differently in each infected file.

Note: There are over 20 variants of the Stoned virus; depending on the
      virus program what they might call this strain of the S.



Virus Name:   Stoned.16
Aliases:      Brunswick, Stoned 3
Infects:      Floppy and Master Boot Records
Likelihood:   Rare
Length:       512 bytes

Characteristics:
Memory Resident:  Yes
Triggered Event:  No
Size Stealth:     No
Encrypting:       No
Full Stealth:     No
Polymorphic:      No

Comments:
This variant of Stoned stores the original master boot sector on
physical sector 16.

Virus Name:   Stoned.Empire
Aliases:      Stoned.Empire
Infects:      Floppy and Master Boot Records
Likelihood:   Rare
Length:       512 bytes

Characteristics:
Memory Resident:  Yes
Triggered Event:  No
Size Stealth:     No
Encrypting:       Yes
Full Stealth:     Yes
Polymorphic:      No

Comments:
The boot record of an infected disk contains a message about Desert
Storm. The virus overwrites sector 10 of the floppy disk directory,
destroying any data located there.

Virus Name:   Stoned.Generic
Aliases:
Infects:      Floppy and Master Boot Records
Likelihood:   Rare
Length:       512 bytes

Characteristics:
Memory Resident:  Yes
Triggered Event:  No
Size Stealth:     No
Encrypting:       Yes
Full Stealth:     No
Polymorphic:      No

Comments:
This virus does little besides replicate.




