
Some Common PC-DOS Viruses and What They Mean To You


1.3 The Stoned Virus

The Stoned virus, also known as the New Zealand or the Marijuana virus, is another of the most common PC-DOS viruses. It was originally found primarily in New Zealand and Australia, but has recently become widespread in the rest of the world. Unlike the 1813 virus, the Stoned is a boot-sector infector; it infects diskette boot sectors, and "master" boot sectors on hard disks. When a machine is booted from an infected diskette, the virus first infects the hard disk, and then installs itself in memory. Any diskette used in the A: drive thereafter is likely to be infected. Approximately once in eight boots from an infected floppy, the message "Your PC is now Stoned!" will be displayed during the boot process. When a machine is booted from an infected hard disk, the virus loads into memory and infects diskettes in the same way, but the message is never displayed.

1.3.1 Spread

The Stoned virus, like other boot-sector-infectors, spreads through the transfer of floppy diskettes rather than files. In general, though, spread scenarios for these viruses are similar to those given for the 1813 virus above. Some common scenarios include:

  • Shared machines - If a shared machine is once booted from an infected diskette, the hard disk will become infected, and the machine will serve as a center of infection. Diskettes used in the machine will be infected (unless they are write-protected), and carry the infection to any machine that is later booted from them.

  • Shared diskettes - Shared diskettes of the sort described above can serve as channels for the spread of boot-sector viruses as well, especially if they are designed to be placed in the A: drive and booted from (as many diagnostic and demo diskettes are). Such diskettes should always be write-protected, even if they are not designed to be bootable (see the next item).

  • "Non-bootable" diskettes - Even a "non-bootable" diskette that simply displays a message like "Non-system disk" when booted from can carry a boot-sector virus. Such disks do have a boot sector; it contains a small program that simply displays the "Non-system" message and waits for a keypress. If such a diskette becomes infected and is later booted from (typically by being accidentally left in the A: drive when the machine is brought up), the virus will infect the hard disk and load into memory before the "Non-system" message appears. So even a user who in good faith says that the office machine is "never" booted from a diskette may have in fact booted from an infected non-system floppy, and then forgotten about it.

These scenarios apply to boot-sector-infecting viruses in general. Although the details of the viruses may be different, they tend to spread through the same channels.

1.3.2 Symptoms

Again, the primary symptom of the Stoned virus is that an anti-virus program tells you it's there! The other symptoms are much less reliable, and an unprotected system can remain infected for long periods of time, spreading the infection to many diskettes, without the user noticing anything unusual. The "Your PC is now Stoned!" message appears only on the occasional boot from diskette; if a workstation's hard disk is infected, and all or most boots are from the hard disk, the message may never be seen (there are also variants of the virus that never display the message at all). Systems infected with the Stoned virus will show less total memory than expected if a utility like CHKDSK is run, but the average user will not notice the change. The only other symptom of the virus that is at all common is corruption of the file system on hard disks that were originally set up under DOS 2 (the virus stores the original boot sector on a part of the disk that is normally unused, but is used for the File Allocation Table on some disks set up with DOS 2).

To remove the Stoned virus from an infected diskette, first make sure that the virus is not active in memory, by powering off and booting from a disk or diskette that is not infected. Then use the SYS command to rewrite the boot sector; or use COPY to copy off all important files, and then FORMAT to rewrite the entire diskette.

Removing the Stoned virus from a hard disk requires a bit of extra work. While the 1813 virus may be removed simply by erasing infected programs, there is no equally simple way to restore an infected master boot sector. The DOS commands SYS and FORMAT only affect the DOS partition on a hard disk, and the master boot sector is not in any partition. The most drastic solution is a "low-level" format (generally available as a menu option from a diagnostic diskette), which overwrites all data on the physical disk drive (all files will be erased). There are some commercial tools specifically designed to repair Stoned-infected master boot sectors, and some utilities that will overlay the existing master boot sector with one of their own; contact your local DOS guru for details! In any case, remember to make sure the virus is not active in memory before cleaning up.

1.3.3 Protection

Like the 1813 virus, the Stoned is well-known and well-understood, and any good anti-virus program should be effective against it. It makes no attempt to hide itself, and infected boot sectors are easily recognizable.
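
As an added illustration (not part of the original document and not taken from any anti-virus product), the check below reads the first 512-byte sector of a diskette or hard-disk image and looks for the message text quoted above. It assumes the text is stored unencoded in the infected sector; the function names and both sample sectors are constructed for this example.

```python
# Added example: flag a boot sector image that carries the Stoned message text.
SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"               # last two bytes of a valid PC boot sector
STONED_MARKER = b"Your PC is now Stoned!"  # message text quoted on this page


def check_boot_sector(sector):
    """Inspect one 512-byte boot sector and report what was found.

    Assumption: the message is stored as plain text in the infected sector.
    A miss does not prove the sector is clean, since the page notes variants
    that never display the message and may not carry the text at all.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    offset = sector.find(STONED_MARKER)
    return {
        "boot_signature_ok": sector[-2:] == BOOT_SIGNATURE,
        "marker_offset": offset if offset >= 0 else None,
        "suspect": offset >= 0,
    }


def scan_image(path):
    """Check sector 0 of a disk image file (hypothetical path supplied by the caller)."""
    with open(path, "rb") as fh:
        return check_boot_sector(fh.read(SECTOR_SIZE))


def _constructed_sector(payload):
    """Build a sample sector: payload, zero padding, then the boot signature."""
    return payload.ljust(SECTOR_SIZE - 2, b"\x00") + BOOT_SIGNATURE


# Constructed samples. Neither contains any virus code, only text and padding.
CLEAN_SAMPLE = _constructed_sector(b"\xeb\x3c\x90MSDOS5.0" + b"Non-System disk or disk error")
SUSPECT_SAMPLE = _constructed_sector(b"\x00" * 0x18 + STONED_MARKER)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(name, check_boot_sector(sample))
```

Run it against an image taken while booted from a known-clean disk, so that sector 0 is read without the virus active in memory.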

