|Type||Boot Sector Virus|
|Place of Origin||Wellington, New Zealand|
|Infection Length||512 bytes|
Stoned is a large family of boot sector viruses dating from early in 1988. Prominent members of this family include the infamous Michelangelo virus, that caused a great deal of panic in the early 1990's, and the Angelina virus from 1994 that reappeared in 2007 on infected laptops.
When the computer boots from an infected disk, the Stoned virus becomes resident in the memory. If it is booting from a disk other than the hard drive, it will check the hard drive's Master Boot Record and infect it if it is clean. Upon infecting a floppy disk, Stoned moves the Master Boot Record to sector 11 and places itself in sector 0. Upon infecting the hard drive, it moves the Master Boot Record to side 0, cyl 0, sector 7 and places itself in side 0, cyl 0, sector 1. It only infects 360 kilobyte 5.25 inch floppies and hard drives.
Once in memory, the virus will infect the Master Boot Records of any diskette accessed. It cannot reinfect the hard drive. Even if the virus is removed from the Master Boot Record while it is in the memory, it will not attempt to reinfect the hard drive.
There is a 1 in 8 chance that upon booting, Stoned will deliver its payload, causing the infected computer will beep and display its message:
Your PC is now stoned! LEGALIZE MARIJUANA!
The virus does not intentionally damage anything, but when the virus moves the original boot sector to sector 11 on 5.25 inch floppy disks, any files with directory entries on that sector will be lost. Some versions of DOS use sector 11 as part of the File Allocation Table, which can cause the disk's FAT being corrupted.
The Stoned virus was supposedly programmed by a student at Victoria University in Wellington, New Zealand.
The Stoned virus became very popular and many variants of the virus appeared, some of them becoming very prominent.
Stoned.Angelina, discovered on 1994.01.05, is mostly similar to the original Stoned virus with a few notable exceptions. This variant moves the original boot sector of a hard disk to side 0, cyl 0 sector 2. On floppies, it calculates the last sector of the root directory and moves the original MBR there. The virus also has stealth capabilities that redirects any reads to the places the virus is stored on both floppies and hard disks. The variant contains a body of text that is never displayed on the screen:
Greetings for ANGELINA!!!/by Garfield/Zielona Gora
The text string indicates the possible location of the virus's origin.
This virus has caused major embarrassments for several companies on two occasions. In 1995 October, Seagate 5850 (850MB) IDE hard drives which were factory-sealed were found to have the virus. Again in 2007 September, Medion laptops sold by the Aldi retail chain in Germany and Denmark were found to have been infected with the virus, which by then was over 13 years old. In addition to Windows Vista, the laptops came with Bullguard Antivirus preinstalled, which detected, but failed to remove the virus.
Many considered getting the old virus a novelty. The juxtaposition of an ancient virus with new computers and operating systems caused some people to become a bit nostalgic for an era when computer viruses were intelligent and humorous, as opposed to the malware of the day, which was mostly used for spamming, phishing, pop-ups and other shady if not completely illegal activities.
Many news outlets reported that Windows Vista had been infected with the virus. This is technically incorrect. Boot sector viruses do not infect the operating system unless they are multipartite viruses. In addition, the virus may not be able to stay in memory under newer operating systems, therefore one would need to have a floppy in the drive while the computer is booting in order for that disk to be infected. Most new laptops do not even have a floppy drive of any kind on the laptop itself, therefore one would need a USB floppy drive.
Stoned.Michelangelo is mostly similar to the original Stoned Virus. In addition to infecting the sectors of the original Stoned virus, Michelangelo infects sector 28 on 1.2 megabyte floppy disks. Upon infection, the Michelangelo virus becomes memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return is moved to insure that Michelangelo is not overwritten in memory.
It has a destructive payload that overwrites all data on the hard disk with random characters, making recovery of any data unlikely, if not impossible. It will only do this if the computer is booted on March 6 (the birthday of the artist Michelangelo, ironically, one of the vendors that sold software infected with the virus was DaVinci systems). In addition, the virus does not check if the MBR has been previously infected, therefore if a similar virus has already infected the MBR, it will move the previous virus to the location the original MBR was stored on, making recovery of the MBR impossible.
Some Michelangelo subvariants may display:
"March6.Tocoto.a": MBF virus *MENEM TOCOTO* B.B. "March6.Tocoto.b": MENEM TOCOTO virus 2"00
It is uncertain where the Michelangelo virus originates. Most sources say New Zealand, but Sweden and the Netherlands are also a possibility. It was discovered in 1991 April.
Michelangelo was one of the first computer viruses to receive a great deal of media attention. It caused a great deal of panic, but very little actual damage. Michelangelo only infected a few thousand computers making it an example of media hype.
The hype started in 1992 January, when a computer manufacturer accidentally shipped 500 computers infected with the virus and on the same day, another announced that it would ship computers with anti-virus software pre-installed. The coincidence raised the interest of the press. United Press International interviewed the "International Partnership Against Computer Terrorism", along with antivirus company president John McAffee and filed a news wire saying that hundreds of thousands of computers may be destroyed by the virus. Data recovery consultant Martin Tibor drew the interest of the press by offering such quotes as "I'm finding virus catastrophes everywhere" and "I see the victims of viruses all the time."
In the weeks preceding the payload trigger date, newspapers began to run "local impact" stories. Although some news agencies reported on the hysteria rather than the virus, few did anything to stop it (such as talk to real experts). Significant numbers of computer users bought anti-virus software. Predictions of the number of destroyed computers went into the millions. Some reporters logged onto CompuServe, GEnie, Prodigy, and America Online and posted messages to general message boards asking anyone if they wanted to be interviewed about the virus.
IBM research shows that around March 6, there was a dramatic rise in the number of reports of many different viruses, not just Michelangelo. The Stoned virus and its other variants were much more prevalent than Michelangelo. After the virus failed to destroy millions of computers, reporters asked the more accurate experts why the actual damage was so low and the predictions so high. The reporters learned that they had spoken to anti-virus software salesmen rather than virus experts. For the next 13 days, no newswire touched the subject of computer viruses.
Stoned.C corrupts the Disk Partition Table while attempting to infect the MBR.
Stoned.D erases the entire hard disk on October 1.
This virus uses stealth algorithm while accessing to the MBR of the infected hard drive. After 240th (F0h) INT 13h call it displays the messages to top middle part of the screen:
A AM ALIVE
This is a stealth virus. It may disable the execution of some .exe files
This variant disables INT 1, 3 (it sets these vectors to IRET instruction). It disables some video modes (it sets video mode back to standard one).
Azusa, also known as Hong Kong, makes no attempt to save the original MBR. On a 360 kilobyte floppy, it overwrites the sector at Track 39, Head 1, Sector 8, the end of the disk. In some higher capacity floppies, this is in the middle of the disk. This variant may also interfere with printer operations after 32 boots, since it disables the system's COM1 and LPT1 ports.
Also known as NoInt, this variant can infect a disk when a user types a command like "DIR A:". Bloomington tries to prevent other programs from detecting it by causing read errors if partition table is tried to access.
This variant, also known as June_4th or Bloody, is similar to the original, although it contains the message "Bloody! Jun. 4, 1989". The date is likely a reference to the Tienanmen Square Massacre.
The 77th generation of this variant virus displays:
Copy 77 in job ...
The Daniela variant deletes all system files on the hard disk or floppy it is booted from. The MBR's will contain the text:
Eu Te Amo Daniela
Dinamo stores the copy of the original MBR on cylinder 0 side 0 sector 11. It uses 2 Kilobytes of memory. When there is an error during the infected boot process, this variant will decrypt and display a message on the screen:
This variant formats disk sectors and displays the message:
From DiskWasher with love
Also known as Kiev, this variant possibly originates in Russia or Ukraine.It moves the MBR on hard drives to cylinder 0 side 0 sector 06. It uses 2 kilobytes of memory.
EmpireMonkey is able to infect most disk types, but has some problems with 2.88 megabyte ED diskettes. On that type of disk, it partially overwrites the File Allocation Table. This virus moves and encrypts the MBR and partition table of the hard drive. If the system is booted from a clean disk, it will not find the hard drive because of this and the error message "Invalid drive specification" will show on the screen. The virus will not be noticeable if the system is booted from an infected disk or the infected hard drive. It takes up 1 kilobyte of memory.
EmpireMonkey originated in Edmonton, Alberta, Canada in 1991. It quicky spread to the UK, USA and Australia. For some time it was one of the most common viruses in the world.
Stoned.Face erases the FAT of the floppies with data which is placed at the offset FACEh (FACE is hexadecimal for 64,206).
Also known as Stamford, this variant will infect a disk regardless of what operation is carried out on it. The virus stores the original boot sector or MBR at cylinder 25, sector 1, head 1 regardless of what media is infected an reserves one kilobyte of memory. Its payload displays colored flames on the screen.
This virus has stealth capabilities. It erases some hard drive sectors during the 90th boot of the virus. It also contains some text in Russian.
On October 19, this variant erases disk sectors and displays the message:
IntFF changes keyboard scancodes, making the pressed key display something different from what the user intended. It searches for in the written buffer command INT 21h and changes it to INT FFh.
This variant is a stealth virus. After the 90th boot with the virus from the infected hard drive, it will attempt to erase part of the CMOS memory (a part of the computer that contains passwords for the BIOS). It then erases the hard drive. It contains two strings of text:
Lch15 For pirates
LovChild has stealth capabilities. It may also destroy data on the hard drive.
This variant has at least two subvariants. Both the A and B variants contain a string of text:
Your PC is now ST NED in L VE with AT = "heart" symbol
Stoned.Love.A contains another string:
From U of A with L VE = "heart" symbol
The B variant has a 1 in 8 chance of displaying the text string common to both viruses.
Stoned.Manitoba simply overwrites the MBR rather than replacing it. While resident, it allocates two kilobytes of memory. The virus corrupts 2.88MB EHD floppies while infecting them. It has no activation routine. Antivirus experts believe it originated at the University of Manitoba.
This variant disinfects floppy disks that are infected with Michelangelo. It displays a message on May 21:
ANTI March6 Karpachev Dmitr.
This variant does not save the original MBR. It overwrites the OEM message of the floppy boot sector with the string "1000000". It also displays "Non-System disk" when booting from an infected floppy.
There are two subvariants of this variant. There is a 1 in 16 chance that they will erase the MBR and display the text:
When the system is booted in October, this variant displays a face symbol (01h ASCII). On November 7, it erases the MBR.
This variant is encrypted, but the message it contains is not.
PC AT = "heart" symbol
When booting from an infected floppy, there is a 1 in 32 chance that the virus will delete eight sectors on the hard drive.
This variant saves the original MBR of floppies and hard drives at track 0, cylinder 0, sector 9. Sometimes it plays the tune (scale).
There are two subvariants of this variant. They save the MBR of a floppy to sector 3 and on cylinder0, Side 0, Sector 8 or 0/0/7 on the hard drive. Depending on the subvariant, it displays the message:
"Stoned.Sex.a": EXPORT OF SEX REVOLUTION ver. 1.1 "Stoned.Sex.b": EXPORT OF SEX REVOLUTION ver. 2.0
While infecting the hard drive, this virus writes 8 sectors to 1--9 sectors of the hard drive, and as a result, it can erase the system information. It contains a texts:
Spook 1.0 LIM
This variant contains the text string "Swedish Disaster", indicating its possible origin.
When booting from an infected disk, there is a 1 in 8 probability that this variant will display the message:
Repent for ye shall be tormented... Tormentor B - RABID Int'nl Dev. Corp. '91
This variant infects the first boot sector but not MBR of the hard drive. It contains two text strings:
JAM WXYC WXYC rules this roost!
It may display the second string.
On December 4, this virus erases disk sectors. It will also display the message:
Dedicated to ZAPPA...
Zapped displays a message:
It may also erase disk sectors.
These are variants of the Stoned virus that there is either too little information on, or are too similar to the original to warrant any description. Variants that only do one thing or have one feature different from the original or another variant will be listed here with the thing that makes it different in parentheses.
- Aragon (encrypted)
- Cancer (displays message: "This computer is dying of cancer!")
- Donald (displays text: "Donald Duck is a lie!!!")
- Elythnia (1 of 8 probability displays: "Aaronexus of Elythnia!")
- Gozar (decrypts and displays a message on November 11: "Gozar lives !")
- Lavot (decrypts and displays a message: "LAVOT NO ENSE?A"
- Leo (On April 2, displays the message: "Happy birthday to Leo!")
- Leszop (decrypts and displays a message: "leszoptad!" (means "You sucked it" in Hungarian))
- Light (decrypts and displays a message: "(c)Light General THE LAST TEMPTATION")
- Loa (plays a tune)
- Lucky (decrypts and displays a message: "I wish you a lucky")
- March29 (erases disk sectors on March 29)
- Mexican (may display text: "NO VOTES FOR EL PRI".)
- MidNigh (displays message at midnight: "IT'S MID NIGH")
- Mikola (prints "Mikola.b" when booting an infected disk)
- Military (attempts to format the hard drive in November)
- Nichols (periodically displays text "[Nichols] by Apache")
- Satria (displays a picture)
- Scrlock (disables writing to the hard drive if the Scroll key is pressed)
- Scroll (scrolls the screen if Numlock is pressed and Scroll is released)
- TurboManiac (displays on October 19: "The Turbo Maniac was here..")
- YMP (on 1st of every month displays "HAVE A NICE DAY (c)YMP")
Reports of these variants come mostly from an extensive, if poorly sourced, Wikipedia entry, therefore their existence cannot be confirmed. Some of them may simply be a different name for a variant listed above. Others may not exist at all.
- WD1 to WD7
Mike Lawrie. The Text Files, An Explanation of how the Stoned Virus operates.
McAfee Antivirus, Stoned
Symantec Security Response, Stoned.Standard
F-Secure Computer Virus Information Pages, Stoned
Kelly Fiveash. The Register, Vista attacked by 13-year-old virus. 2007.09.17
Computer Incident Advisory Capability, Michelangelo Virus on MS DOS Computers. 1992.02.06
IBM Research. Michelangelo Madness
Vmyths.com Computer Viruses and "False Authority Syndrome": The worldwide Michelangelo virus scare of 1992.
Smart Computing, Self-Replicating Code Viruses: Put Them Under The Microscope. 2003.02
Sunbelt Blog, Update on Stoned virus infection of German notebooks
ComputerHope, Stoned empire monkey virus information.
Online VSUM, Stoned Virus.