________________________________________________________________________
              THE COMPUTER INCIDENT ADVISORY CAPABILITY
                                CIAC
                        INFORMATION BULLETIN
________________________________________________________________________

    The Stoned (Marijuana or New Zealand) Virus on MS DOS Computers

July 12, 1990, 1200 PST                                      Number A-28
________________________________________________________________________

Name:        Stoned virus (also known as the Marijuana or New Zealand
             virus)
Types:       At least four known variants
Platform:    MS DOS computers
Damage:      Not deliberately destructive--however, this virus
             overwrites part of the boot sector/master boot record on
             infected disks (see text)
Symptoms:    May write "Your computer is now stoned. Legalize
             marijuana" or similar message on screen (one variant has
             this message removed); may create hard disk errors or the
             inability to boot
Detection:   VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan
Eradication: VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-PROT and others
             (contact CIAC for information about these products)

                     Critical Stoned Virus Facts
________________________________________________________________________

The Stoned (Marijuana or New Zealand) virus is now one of the most
common viruses among MS-DOS systems. The Stoned virus infects the boot
sector/master boot record of floppy and hard disks. Once resident in
memory, this virus may display a message similar to the following:

    Your computer is now stoned. Legalize marijuana.

Although the Stoned virus apparently was not programmed to do damage,
this virus can nevertheless damage a system. The Stoned virus may
overwrite parts of infected disks that contain directory information or
portions of user data files, specifically the boot sector of floppy
disks along with Head 0, Track 0, Sector 3 on a diskette or the master
boot record and Head 0, Track 0, Sector 7 on hard disks. If hard disks
have last been partitioned under DOS 2, this virus overwrites portions
of the File Allocation Table (FAT) as well.
The result is overwriting of data files and indications of disk errors
by CHKDSK. Variants of the Stoned virus produce slightly different
effects:

    Stoned-B: infection of the hard disk's partition table
    Stoned-C: no displayed message
    Stoned-D: infection of high density diskettes

You can detect the Stoned virus with a variety of scan packages such as
VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan. You can
eradicate this virus by using packages such as VIRHUNT, RESSCAN,
CodeSafe, CleanUp, F-PROT. If you cannot obtain a virus removal utility,
we suggest you back up your applications and data from your hard disk,
and then low-level format the disk to ensure that the master boot record
is removed. Boot from a clean, write-protected operating system disk,
restore your system, and then restore the application and data files.

After you have cleaned your system, either with an eradication product
or by formatting the drive, scan again using a virus detection utility
to ensure that the virus is not present. To ensure that your system does
not immediately become re-infected, be sure to scan all of your floppy
disks for the virus as well. To clean floppies you may use one of the
suggested products, or you may format new floppies on a clean system,
then use the "copy" command to copy files from the infected floppies to
the clean ones. Format the infected floppies to reuse them.

The Stoned virus typically spreads wherever floppy disks are shared.
Infections can be easily prevented by adopting sound protection
procedures. The Stoned virus infects hard disks when a PC is booted from
an infected floppy. This virus does not infect applications, however. If
you must boot from a floppy disk, ensure with a virus scan package that
this disk is not infected, and write-protect this disk. This will
prevent your boot disk from becoming infected.
(Warning: under some circumstances the Stoned-infected floppy disk can
infect a machine even if the computer does not have a bootable operating
system on it.)

Additional Note: Basic information about the Stoned virus has been
available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15
since the beginning of this year.

For additional information or assistance, please contact CIAC:

    David S. Brown
    (415) 423-9878 or (FTS) 543-9878
    FAX: (415) 423-0913, (FTS) 543-0913 or (415) 422-4294

Send e-mail to: ciac@tiger.llnl.gov

The assistance of Ken Van Wyk and Dave Chess is gratefully acknowledged.

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does
not necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.
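
Added example (not part of the CIAC bulletin and not code from any product it names): a triage pass over a raw disk image that checks the first sector for the message keywords and fingerprints the Head 0, Track 0 sector the bulletin lists as overwritten (Sector 3 on diskettes, Sector 7 on hard disks). It assumes the message is stored as plain ASCII in the first sector; the function names and the sample images are constructed for illustration.

```python
import hashlib

SECTOR = 512
# Keywords from the bulletin's sample message; matched case-insensitively
# because the bulletin says the displayed text is only "similar".
KEYWORDS = (b"stoned", b"marijuana")
# Sector (Head 0, Track 0) the bulletin lists as overwritten, per media type.
OVERWRITTEN_SECTOR = {"diskette": 3, "hard": 7}


def read_sector(image: bytes, sector: int) -> bytes:
    """Return one 512-byte sector at Head 0, Track 0 (CHS sectors are 1-based).

    On head 0 / track 0 the byte offset is (sector - 1) * 512 for any geometry.
    """
    start = (sector - 1) * SECTOR
    data = image[start:start + SECTOR]
    if len(data) != SECTOR:
        raise ValueError(f"image too short to contain sector {sector}")
    return data


def triage(image: bytes, media: str) -> dict:
    """Check sector 1 for message keywords and fingerprint the at-risk sector."""
    boot = read_sector(image, 1).lower()
    hits = [k.decode() for k in KEYWORDS if k in boot]
    at_risk = OVERWRITTEN_SECTOR[media]
    return {
        # No hit is NOT a clean bill of health: Stoned-C shows no message.
        "verdict": "suspect" if hits else "inconclusive",
        "keywords": hits,
        "at_risk_sector": at_risk,
        # Compare against the same sector in a known-good backup image.
        "at_risk_sha256": hashlib.sha256(read_sector(image, at_risk)).hexdigest(),
    }


def make_image(banner: bytes = b"") -> bytes:
    """Constructed 8-sector sample image; NOT real virus code."""
    boot = banner.ljust(SECTOR - 2, b"\x00") + b"\x55\xaa"
    return boot + bytes(SECTOR * 7)


if __name__ == "__main__":
    print(triage(make_image(b"YOUR COMPUTER IS NOW STONED"), "hard"))
    print(triage(make_image(), "diskette"))
```

An "inconclusive" verdict still calls for a scan with one of the detection packages listed above, since the keyword check cannot see a variant with the message removed.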