Stoned (computer virus)
Hexcode showing "Your PC is now Stoned!" statement at the last 512-byte sector of Master Boot Record | |
Type | Computer virus |
---|---|
Subtype | Boot virus |
Point of origin | New Zealand |
Author(s) | Unknown |
Operating system(s) affected | DOS |
Stoned is the name of a boot sector computer virus created in 1987. It is one of the very first viruses and is thought to have been written by a student in Wellington, New Zealand.[1][2] By 1989 it had spread widely in New Zealand and Australia,[3] and variants became very common worldwide in the early 1990s.[4]
A computer infected with the original version had a one in eight probability[5][6] that the screen would declare: "Your PC is now Stoned!", a phrase found in infected boot sectors of infected floppy disks and master boot records of infected hard disks, along with the phrase "Legalise Marijuana". Later variants produced a range of other messages.
Original version
The original "Your computer is now stoned. Legalise Marijuana" was thought to have been written by a university student in Wellington, New Zealand.[7][8]
This initial version appears to have been written by someone with experience only with IBM PC 360KB floppy drives, as it misbehaves on the IBM AT 1.2MB floppy, or on systems with more than 96 files in the root directory. On higher capacity disks, such as 1.2 MB disks, the original boot sector may overwrite a portion of the directory.
On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 7. On floppy disks, the original boot sector is moved to cylinder 0, head 1, sector 3, which is the last directory sector on 360 kB disks. The virus will "safely" overwrite the boot sector if the root directory has no more than 96 files.
The PC was typically infected by booting from an infected diskette. Computers, at the time, would default to booting from the A: diskette drive if it had a diskette. The virus was spread when a floppy diskette was accessed with an infected computer. That diskette was now, itself, a source for further spread of the virus. This was much like a recessive gene - difficult to eliminate - because a user could have any number of infected diskettes and yet not have their systems infected with the virus unless they inadvertently boot from an infected diskette. Cleaning the computer without cleaning all diskettes left the user susceptible to a repeat infection. The method also furthered the spread of the virus in that borrowed diskettes, if placed into the system, were now able to carry the virus to a new host.
Variants
The virus image is very easily modified (patched); in particular a person with no knowledge of programming can alter the message displayed. Many variants of Stoned circulated, some only with different messages.
Beijing, Bloody!
The virus has the string "Bloody! Jun. 4, 1989". On this date, the Tiananmen Square protests were suppressed by the People's Republic of China.
Swedish Disaster
The virus has the string "The Swedish Disaster".
Manitoba
Manitoba has no activation routine and does not store the original boot sector on floppies; Manitoba simply overwrites the original boot sector. 2.88MB EHD floppies are corrupted by the virus.
Manitoba uses 2KB memory while resident.
NoInt, Bloomington, Stoned III
NoInt tries to stop programs from detecting it. This causes read errors if the computer tries to access the partition table. Systems infected with NoInt have a decrease of 2 kB in base memory.
Flame, Stamford
A variant of Stoned was called Flame (later unrelated sophisticated malware was given the same name). The early Flame uses 1 kB of DOS memory. It stores the original boot sector or master boot record at cylinder 25, head 1, sector 1 regardless of the media.
Flame saves the current month of the system when it is infected. When the month changes, Flame displays colored flames on the screen and overwrites the master boot record.
Angelina
Angelina has stealth mechanisms. On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 9.
Angelina contains the following embedded text, not displayed by the virus: "Greetings from ANGELINA!!!/by Garfield/Zielona Gora" (Zielona Góra is a town in Poland).
- In October 1995 Angelina was discovered in new factory-sealed Seagate Technology 5850 (850MB) IDE drives.[9]
- In 2007 a batch of Medion laptops sold through the Aldi supermarket chain appeared to be infected with Angelina.[10] A Medion press release explained that the virus was not really present, rather, it was a spurious warning caused by a bug in the pre-installed antivirus software, Bullguard. A patch was released to fix the error.[11]
Bitcoin blockchain incident
On May 15, 2014, the signature of the Stoned virus was inserted into the bitcoin blockchain. This caused Microsoft Security Essentials to recognize the block chain as the virus, prompting it to remove the file in question, and subsequently forcing the node to reload the block chain from that point, continuing the cycle.[12][13]
Only the signature of the virus had been inserted into the blockchain; the virus itself was not there, and if it were, it would not be able to function.[14]
The situation was averted shortly thereafter, as Microsoft had prevented the block chain from being recognized as Stoned.[15] Microsoft Security Essentials did not lose the ability to detect a real instance of Stoned.
See also
- Brain (computer virus), an earlier boot sector virus
- Computer virus
- Comparison of computer viruses
References
- ↑ "...a brief history of PC viruses.", IBM Research
- ↑ "The early days", History of Malware
- ↑ "Marijuana Virus wreaks havoc in Australian Defence Department". The Risks Digest. 9 (9). 14 August 1989. Retrieved 2007-08-07.
- ↑ "F-Secure Virus Descriptions : Stoned". F-secure.com. Retrieved 2007-08-07.
- ↑ "Analysis of Stoned", Peter Kleissner
- ↑ "The “Stoned” PC Virus", Commented disassembly of virus code at computerarcheology.com
- ↑ "...a brief history of PC viruses.", IBM Research
- ↑ "The early days", History of Malware
- ↑ "Virus:Boot/Stoned". Retrieved 2010-08-27.
- ↑ "Boot virus shipped on German laptops". Virus Bulletin. Retrieved 2008-01-08.
- ↑ "Wichtige Produktinformation zum Notebook MD 96290". Medion AG. 2007-11-10. Archived from the original on 2007-11-10. Retrieved 2017-01-11.
- ↑ https://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/microsoft-security-essentials-reporting-false/0240ed8e-5a27-4843-a939-0279c8110e1c?tm=1400189799602&auth=1
- ↑ http://www.theregister.co.uk/2014/05/18/bitcoin_user_stoned_on_virus_warnings/
- ↑ Template:Cite reddit
- ↑ http://thehackernews.com/2014/05/microsoft-security-essential-found.html