Stoned (computer virus)

Hexcode showing "Your PC is now Stoned!" statement at the last 512-byte sector of Master Boot Record

Stoned is the name of a boot sector computer virus created in 1987.

Notable for being an early boot sector virus (preceded by Brain), it was thought to have been written by a university student in Wellington, New Zealand^[1][2] - and by 1989 it had spread widely in New Zealand and Australia.^[3] It was one of the very first viruses, and was, along with its many variants, very common and widespread in the early 1990s.^[4]

When an infected computer started, there was a one in eight probability^[5][6] that the screen would declare:

Your PC is now Stoned!

The phrase is found in infected boot sectors of infected floppy disks and master boot records of infected hard disks along with the phrase "Legalise Marijuana".

Original version

The original "Your computer is now stoned. Legalise Marijuana" was thought to have been written by a university student in Wellington, New Zealand.^[7][8]

A version appears to have been written by someone with experience only with IBM PC 360KB floppy drives, as it misbehaves on the IBM AT 1.2MB floppy, or on systems with more than 96 files in the root directory.

On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 7. On floppy disks, the original boot sector is moved to cylinder 0, head 1, sector 3. Cylinder 0, head 1, sector 3 is the last directory sector on 360 Kb disks, and the author believed that it was "safe" to overwrite. The virus will "safely" overwrite the boot sector unless the root directory has more than 96 files.

On higher capacity disks, such as 1.2 MB disks, the original boot sector may overwrite a portion of the directory.

Variants

Since it is easy to patch the messages seen, there are many variants of Stoned.

Beijing, Bloody!

The virus has the string "Bloody! Jun. 4, 1989". On this date the Tiananmen Square protests were suppressed by the People's Republic of China.

Swedish Disaster

The virus has the string "The Swedish Disaster".

Manitoba

Manitoba has no activation routine and does not store the original boot sector on floppies; Manitoba simply overwrites the original boot sector. 2.88MB EHD floppies are corrupted by the virus.

Manitoba uses 2KB memory while resident.

NoInt, Bloomington, Stoned III

NoInt tries to stop programs from detecting it. This causes read errors if the computer tries to access the partition table. Systems infected with NoInt have a decrease of 2 kB in base memory.

Flame, Stamford

Flame uses 1 kB of DOS memory. Flame stores the original boot sector or master boot record at cylinder 25, head 1, sector 1 regardless of the media.

Flame saves the current month of the system when it is infected. When the month changes, Flame displays colored flames on the screen and overwrites the master boot record.

Angelina

Angelina has stealth mechanisms. On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 9.

Angelina contains the following text: "Greetings from ANGELINA!!!/by Garfield/Zielona Gora" (Zielona Góra is a Polish town). The text is never displayed by the virus.

In October 1995 Angelina was discovered in new Seagate Technology 5850 (850MB) IDE drives. The drives were still factory sealed.^[9]

In 2007, a batch of Medion laptops sold through the Aldi supermarket chain were found to have the Stoned.Angelina virus already present on the preinstalled Windows Vista operating system.^[10] Medion disseminated a press release explaining that Angelina virus was not really present in the laptops but the problem was about a pre-installed malware protection software (Bullguard) having a bug that gives an alert reporting the presence of the virus. The bug can be corrected via a patch released by Medion itself.^[11]

Other variants

Several other variants include:

See also

• Computer virus
• Comparison of computer viruses

References