Stoned (computer virus)
{{Short description|Computer virus}}
{{Infobox malware
| common name = Stoned
| image = Stoned-virus-hexacode.png
| caption = Hex dump showing "Your PC is now Stoned!" statement at the last 512-byte sector of Master Boot Record
| technical name =
| aliases =
| family =
| classification =
| type = Computer virus
| subtype = Boot virus
| isolationDate =
| origin = New Zealand
| author = Unknown
| ports used =
| OSes = DOS
}}
Stoned is a boot sector computer virus created in 1987. It is one of the first viruses and is thought to have been written by a student in Wellington, New Zealand.{{Cite web |title=...a brief history of PC viruses. |url=http://www.research.ibm.com/antivirus/timeline.htm |url-status=dead |archive-url=https://web.archive.org/web/20121027045532/http://www.research.ibm.com/antivirus/timeline.htm |archive-date=27 October 2012 |website=IBM Research}} [https://www.gdata-software.com/security-labs/information/history-of-malware "The early days"], History of Malware. By 1989 it had spread widely in New Zealand and Australia,{{cite journal
| url = http://catless.ncl.ac.uk/Risks/9.9.html#subj6
| title = Marijuana Virus wreaks havoc in Australian Defence Department
| journal = The Risks Digest
| volume = 9
| issue = 9
| date = 14 August 1989
| access-date = 2007-08-07}} and variants became very common worldwide in the early 1990s.{{cite web
| url = http://www.f-secure.com/v-descs/stoned.shtml
| title = F-Secure Virus Descriptions : Stoned
| publisher = F-secure.com
| access-date = 2007-08-07}}
A computer infected with the original version had a one in eight probability that the screen would declare: "Your PC is now Stoned!", a phrase found in infected boot sectors of infected floppy disks and master boot records of infected hard disks, along with the phrase "Legalise Marijuana".{{cite web | url = http://stoned-vienna.com/html/index.php?page=analysis-of-stoned | title = Analysis of Stoned | last = Kleissner | first = Peter | date = Apr 2009 | archive-url = https://web.archive.org/web/20131014204345/http://stoned-vienna.com/html/index.php?page=analysis-of-stoned | archive-date = 14 Oct 2013 | url-status = dead | language = en }} [http://www.computerarcheology.com/wiki/wiki/Virus/Stoned "The “Stoned” PC Virus"] {{Webarchive|url=https://web.archive.org/web/20141024034821/http://www.computerarcheology.com/wiki/wiki/Virus/Stoned |date=24 October 2014 }}, Commented disassembly of virus code at computerarcheology.com. Later variants produced a range of other messages.
Original version
The original "Your PC is now stoned. Legalise Marijuana" was thought to have been written by a student in Wellington, New Zealand.[http://www.gdatasoftware.com/information/security-labs/information/history-of-malware.html "The early days"] {{Webarchive|url=https://web.archive.org/web/20130214002724/http://www.gdatasoftware.com/information/security-labs/information/history-of-malware.html |date=14 February 2013 }}, History of Malware
This initial version appears to have been written by someone with experience only with IBM PC 360{{nbs}}KB floppy drives, as it misbehaves on the IBM AT 1.2{{nbs}}MB floppy, or on systems with more than 96{{nbs}}files in the root directory. On higher capacity disks, such as 1.2{{nbs}}MB disks, the original boot sector may overwrite a portion of the directory.
The message displays if the boot time was exactly divisible by 8. On many IBM PC clones at the time, boot times could vary, so the message would display randomly (1 time in 8). On some IBM PC compatible machines or on original IBM PC computers, the boot time was constant, so an infected computer would either never display the message or always display the message. An infected computer with a 360{{nbs}}KB disk and a 20{{nbs}}MB or less hard disk which never displayed the message was one of the first examples of an asymptomatic virus carrier, {{nowrap|{{em|i.e.}}{{tsp}}despite}} no impediment to its function, the infected computer could, and would, still go on to infect any disks inserted into it.
On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 7. On floppy disks, the original boot sector is moved to cylinder 0, head 1, sector 3, which is the last directory sector on 360{{nbs}}KB disks. The virus will "safely" overwrite the boot sector if the root directory has no more than 96 files.
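The floppy relocation slot can be checked against the FAT12 layout. The following is an added example, not part of the original article or of the virus analysis it cites: it maps cylinder 0, head 1, sector 3 onto the on-disk regions of common DOS diskette formats and reports how many root directory entries fit before that sector. The geometry and FAT values are the standard DOS ones and are assumptions here, and the 720 KB and 1.44 MB rows go beyond the two formats the article discusses.

```python
from dataclasses import dataclass

SECTOR, DIRENT = 512, 32
PER_SECTOR = SECTOR // DIRENT  # 16 directory entries per sector

@dataclass(frozen=True)
class Floppy:
    name: str
    heads: int
    spt: int           # sectors per track
    fat_sectors: int   # sectors per FAT copy (two copies, one reserved boot sector)
    root_entries: int

# Standard DOS FAT12 diskette parameters (assumed here, not taken from the page).
FORMATS = {f.name: f for f in (
    Floppy("360 KB", 2, 9, 2, 112),
    Floppy("720 KB", 2, 9, 3, 112),
    Floppy("1.2 MB", 2, 15, 7, 224),
    Floppy("1.44 MB", 2, 18, 9, 224),
)}

def chs_to_lba(f, c, h, s):
    """CHS sector numbers are 1-based; the returned LBA is 0-based."""
    return (c * f.heads + h) * f.spt + (s - 1)

def relocation_target(f, c=0, h=1, s=3):
    """Classify the sector at C/H/S (default: the floppy slot named in the text)."""
    lba = chs_to_lba(f, c, h, s)
    root_start = 1 + 2 * f.fat_sectors                      # boot sector + two FATs
    root_end = root_start + f.root_entries // PER_SECTOR    # exclusive
    if lba == 0:
        region = "boot"
    elif lba < root_start:
        region = "FAT"
    elif lba < root_end:
        region = "root directory"
    else:
        region = "data"
    # Root entries that fit in the directory sectors preceding the target sector.
    safe = (lba - root_start) * PER_SECTOR if region == "root directory" else None
    return {"lba": lba, "region": region, "safe_entries": safe,
            "last_root_sector": lba == root_end - 1}

if __name__ == "__main__":
    for f in FORMATS.values():
        print(f.name, relocation_target(f))
```

On the 360 KB format the slot is the final root directory sector, which is only reached after 96 entries; on the 1.2 MB format the same CHS address falls on the third root directory sector, so any directory with more than 32 entries is damaged.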
The PC was typically infected by booting from an infected diskette. Computers, at the time, would default to booting from the A: diskette drive if it had a diskette. The virus was spread when a floppy diskette was accessed with an infected computer. That diskette was now, itself, a source for further spread of the virus. This was much like a recessive gene{{nowrap|{{hsp}}{{mdash}}{{hsp}}}}difficult to eliminate, because a user could have any number of infected diskettes and yet not have their systems infected with the virus unless they inadvertently booted from an infected diskette. Cleaning the computer without cleaning all diskettes left the user susceptible to a repeat infection. The method also furthered the spread of the virus in that borrowed diskettes, if placed into the system, were now able to carry the virus to a new host. On the other hand, setting a clean computer to boot preferentially from the hard disk would prevent infection in the normal course of events.
Variants
The virus image is very easily modified (patched); in particular a person with no knowledge of programming can alter the message displayed. Many variants of Stoned circulated, some only with different messages.
=Beijing, Bloody!=
This variant has the string "Bloody! Jun.{{nbs}}4, 1989". On this date, the Tiananmen Square protests were suppressed by the People's Republic of China.
=Swedish Disaster=
This variant displays the string "The Swedish Disaster".
=Manitoba=
The Manitoba variant has no activation routine and does not store the original boot sector on floppies; Manitoba simply overwrites the original boot sector. 2.88{{nbs}}MB EHD floppies are corrupted by the virus. Manitoba uses 2{{nbs}}KB memory while resident.
=NoInt, Bloomington, Stoned III=
The NoInt variant tries to stop programs from detecting it. This causes read errors if the computer tries to access the partition table. Systems infected with NoInt have a decrease of 2{{nbs}}KB in base memory.
=Flame, Stamford=
A variant of Stoned called Flame (a later unrelated sophisticated malware was given the same name) uses 1{{nbs}}KB of DOS memory and stores the original boot sector or master boot record at cylinder{{nbs}}25, head{{nbs}}1, sector{{nbs}}1, regardless of the media. The Flame variant saves the current month of the system when it is infected. When the month changes, Flame displays colored flames on the screen and overwrites the master boot record.
=Angelina=
The Angelina variant adds stealth mechanisms. On hard disks, the original master boot record is moved to cylinder{{nbs}}0, head{{nbs}}0, sector{{nbs}}9. Angelina contains the following embedded text, not displayed by the virus: "Greetings from ANGELINA!!!/by Garfield/Zielona Gora", with Zielona Góra being a town in Poland.
In October 1995, Angelina was discovered in new factory-sealed Seagate Technology 5850 (850{{nbs}}MB) IDE drives.{{cite web | url=http://www.f-secure.com/v-descs/stoned.shtml |title=Virus:Boot/Stoned |access-date=2010-08-27 }}
In 2007 a batch of Medion laptops sold through the Aldi supermarket chain appeared to be infected with Angelina.{{cite web |url=http://www.virusbtn.com/news/2007/09_14.xml |title=Boot virus shipped on German laptops |access-date=2008-01-08 |work= Virus Bulletin}} A Medion press release explained that the virus was not really present; rather, it was a spurious warning caused by a bug in the pre-installed antivirus software, Bullguard. A patch was released to fix the error.{{Cite web|url=http://www.medion.de/popup_md96290.htm |title=Wichtige Produktinformation zum Notebook MD 96290 |language=de |date=2007-11-10 |publisher=Medion AG |access-date=2017-01-11 |url-status=dead |archive-url=https://web.archive.org/web/20071110212011/http://www.medion.de/popup_md96290.htm |archive-date=2007-11-10 }} The Bullguard malfunction highlights one of the issues (along with loss of performance and frustrating pop-ups asking the user for money) of OEMs pre-installing what Microsoft internally referred to as "craplets" onto Windows PCs to make up for the licensing costs of Windows. Such bloatware is often criticized in the tech media, even from reporters who are usually friendly to Microsoft.{{Cite web|date=2015-02-19|title=Beat it, bloatware: How to clean Superfish and other crap off your PC|url=https://www.pcworld.com/article/2141881/beat-it-bloatware-how-to-clean-the-crap-off-your-pc.html|access-date=2020-07-19|website=PCWorld|language=en}}
Bitcoin blockchain incident
On 15 May 2014, the signature of the Stoned virus was inserted into the bitcoin blockchain. This caused Microsoft Security Essentials to recognize copies of the blockchain as the virus, prompting it to remove the file in question, and subsequently forcing the node to reload the blockchain from that point, continuing the cycle.{{cite web|url=https://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/microsoft-security-essentials-reporting-false/0240ed8e-5a27-4843-a939-0279c8110e1c?tm=1400189799602&auth=1|title=Microsoft Security Essentials reporting false positives in the Bitcoin blockchain, constantly notifying users.|website=answers.microsoft.com}}{{cite web|url=https://www.theregister.co.uk/2014/05/18/bitcoin_user_stoned_on_virus_warnings/|title=Bitcoin blockchain allegedly infected by ancient 'Stoned' virus|first=Richard|last=Chirgwin|work=The Register}}
Only the signature of the virus had been inserted into the blockchain; the virus itself was not there, and if it were, it would not be able to function.{{notetag|Given that the blockchain is just data rather than executable code, the ramifications of "injecting" a virus into the blockchain on a computer are mainly (a) the presence of the virus likely triggering a false positive in that computer's antivirus scanning software ("false" because the virus isn't able to deliver its payload, as mentioned), and (b) the antivirus software proceeding to put the file containing the {{nowrap|virus{{tsp}}{{mdash}}{{tsp}}}}the blockchain itself in this {{nowrap|case{{tsp}}{{mdash}}{{tsp}}}}into quarantine, effectively corrupting the blockchain on that computer.{{cite web|url=https://www.reddit.com/r/Bitcoin/comments/25xeqd/a_virus_scare_in_the_blockchain_traces_of_dos/chlor9o|title=A Virus Scare in the Blockchain: Traces of DOS "Stoned" Found • r/Bitcoin|website=www.reddit.com|date=19 May 2014}}{{User-generated source|date=March 2022}}}}{{cite web|url=https://www.reddit.com/r/Bitcoin/comments/25xeqd/a_virus_scare_in_the_blockchain_traces_of_dos/chlor9o|title=A Virus Scare in the Blockchain: Traces of DOS "Stoned" Found • r/Bitcoin|website=www.reddit.com|date=19 May 2014}}{{User-generated source|date=March 2022}}
The situation was averted shortly thereafter, when Microsoft prevented the blockchain from being recognized as the actual Stoned virus.{{cite web|url=http://thehackernews.com/2014/05/microsoft-security-essential-found.html|title=Ancient 'STONED' Virus Signatures found in Bitcoin Blockchain|first=Wang|last=Wei|publisher=}} Doing so did not affect Microsoft Security Essentials's ability to detect a genuine infection by the Stoned virus or one of its variants.
See also
{{Portal|1980s}}
- Brain (computer virus), an earlier boot sector virus
- Michelangelo (computer virus), a boot sector virus based on Stoned
- Barrotes
- Comparison of computer viruses
Notes
{{Notefoot}}
References
{{Reflist|2}}