💾 Archived View for spam.works › mirrors › textfiles › virus › stoned_d.law captured on 2023-06-16 at 21:04:44.
-=-=-=-=-=-=-
An Explanation of how the Stoned Virus operates
Mike Lawrie (rures@hippo.ru.ac.za)
Notation
Cylinders, heads and drives are numbered from zero, sectors are
numbered from one.
1. Characteristics of the Stoned Virus
A PC that is infected with the Stoned virus will occasionally
display, at boot time, the message "Your PC is now Stoned!". This
message will never display if the booting is from the hard disk,
but only from a floppy disk, so you will never be informed that
your hard disk is infected.
Having booted with an infected disk (hard or floppy), subsequent
writes to a floppy in drive A: will cause that floppy to be
infected.
An infected hard-disk will in all likelihood suffer no ill-
effects, but a 360Kb floppy disk that is infected will have
problems if there are many files in the root directory. The last
sector of the directory gets corrupted by the virus.
It is quite safe to put an infected floppy into a PC - it will
not cause any problems. The infection takes place ONLY AT BOOT
TIME, so be careful about how you boot the PC.
If your hard disk is infected, then boot off a disinfected floppy
and clean up your hard disk as soon as possible.
2. Where the virus is stored
The virus is stored in the boot sector of a disk, and the boot
code is stored elsewhere. In the case of a hard disk system, the
'elsewhere' is cylinder 0, sector 7, head 0; in the case of a
floppy, it is cylinder 0, sector 3, head 1.
3. Propogation
The virus loads into memory each time the PC is booted from an
infected disk (hard or floppy). Once it is memory resident (it
grabs 2 Kb of RAM), then each and every time that there is a disk
write, the target disk is checked to see if the virus is
installed. If it is not installed, then it installs itself
immediately and without notification.
4. Confirmation
You can confirm that your disks are free of the virus by looking
at the boot sectors of the disk.
4.1 Floppy
Use debug to read the boot sector, as follows:-
a:> debug
- L 0 0 0 1
- D 180
- Q
If the display produced by the 'd180' shows the text "Your PC is
now Stoned!", then that disk is infected.
4.2 Hard disk
You cannot use debug, because debug reads only relative to the
start of the DOS partition, and you need to read and alter the
boot partition which is an absolute sector. Use a utility that
allows absolute disk reads, such as one of the Norton advanced
utilities. Do a read and display of absolute sector zero of the
hard drive, and look at bytes 0x18a onwards for the text "Your PC
is now Stoned!".
5. How to get rid of the virus
You must clear the virus off ALL disks from which you will boot
your computer. It is quite safe to put an infected disk into the
computer, as long as you do not boot from that disk.
If you accidently boot from an infected disk, then your hard disk
will be infected immediately, and ANY writing that you do to a
floppy disk will cause that disk to be infected. This takes you
back to square one.
5.1 Floppy system
The algorithm for doing this with debug is:-
5.1.1. Read the first few sectors from the disk into RAM
5.1.2. Move the boot code to where it belongs
5.1.3. Zeroise the boot code that is in the wrong position
5.1.4. Write the first few sectors back to the disk
The commands are best put into a .BAT file, and redirection used.
Here are two files that work together. (Blank lines have been
inserted only for clarity - do not put them into the .DAT file).
DESTONE.BAT
debug < destone.dat
DESTONE.DAT
L 0 0 0 10
M DS:1600 17FF DS:0
F DS:1600 17FF 0
W 0 0 0 10
Q
To use this system, BOOT YOUR COMPUTER WITH A DISK THAT IS NOT
INFECTED, then insert an INFECTED disk into drive A:, and type
DESTONE. If you cannot work out which disk to put the DESTONE.?AT
files onto, you should not be attempting this procedure.
NB! This is a potentially dangerous method of using debug. Test
this process VERY CAREFULLY on a test disk that has been
infected.
DO NOT USE THIS PROCESS ON A DISK THAT IS NOT INFECTED!!! YOU
WILL DESTROY THE BOOT SECTOR. (The DOS 'SYS' command will re-
instate it for you).
5.2 Hard disk system
The principle is much the same as for a floppy disk system,
except that there is probably no need to zeroise the boot code
that is stored on cylinder 0, sector 7, head 0.
CAVEAT FOR HARD DISK SYSTEM
If the partition table has been altered subsequent to the time at
which the virus infected the hard disk, then simply moving the
cylinder 0, sector 7, head 0 code into the boot sector will
destroy the hard disk partitions.
The way around this is to compare the bytes from 0x1BE to 0x1FF
in the boot sector (ie the cylinder 0, sector 1, head 0) against
the corresponding bytes in sector 7. If there is a difference,
then copy those values from sector 1 into sector 7 before writing
all of sector 7 to sector 1.
6. How the virus operates
When booting from an infected hard disk, the virus simply becomes
memory resident, as described below. The complexity of the
booting applies only to booting from floppies.
Suppose that a PC is being booted from an infected floppy disk.
The virus executes before the boot process gets going, and writes
itself into a reserved area of memory as well as to the boot
sector of the hard disk - having moved the proper hard disk boot
program to a 'hidden' sector. Any subseqent write to floppy drive
A: will cause the virus to install itself onto the floppy drive
in the floppy boot sector - having likewise moved the proper
floppy disk boot program to a 'hidden' sector (actually, not so
hidden).
The first sector from the disk (ie the BOOT sector, aka cyl 0,
sec 1, hd 0) is read into RAM at 0000:7C00. In this case the
virus code is read in, rather than the boot program, because the
disk is infected.
The code executes to address 00A1, (ie absolute 0000:7CA1), and
does the following:-
copies the INT 13 vector (disk i/o) into the virus code
grabs 2 Kb of RAM from DOS
sets INT 13 to point to code in the virus in the grabbed 2 Kb
moves itself into that 2 Kb, and stays resident
The code is now installed high in RAM, let's call the segment,
say, TOP. Execution continues at TOP:00E4. Nothing has yet
happened about booting DOS, that is still to come when the virus
is good and ready. The code continues:-
reset the disk system
read the boot code from the 'hidden' sector into RAM at
0000:7C00 (if booted from hard disk use cyl 0 sec 7 hd 0,
else use cyl 0 sec 3 hd 1)
if booting from a hard disk, go straight to the boot code in
RAM at 0000:7C00 (clearly, the virus is already installed on
the hard disk)
if the DOS timer low byte equals xxxxx000, show the stoned
message
attempt to read the boot sector from the hard drive into a
buffer
if the read has an error, don't do anything fancy, go straight
to the boot code in RAM at 0000:7C00
if the read is error-free, see if the boot sector has the virus
stored on it.
if the virus is stored on the hard disk, then go to the boot
code in RAM at 0000:7C00
store the virus onto the hard disk by moving the boot code to
cyl 0 sec 7 hd 0, move the partition table to the end of the
virus code, and writing the virus to the boot sector at cyl 0
sec 1 hd 0
go to the boot code in RAM at 0000:7C00
The DOS boot will now proceed normally, but note that the INT 13
vector is pointing to the memory resident virus code. Thus any
later redirecting by other systems (eg DOS itself) will probably
preserve the bad INT 13 (it is not possible to preserve the good
one, the virus gobbled it up *before* the system executed the
boot code). Thus, any subsequent disk requests sent via INT 13
(ie the vast majority of them) will be inspected by the memory
resident virus code.
Let's now look at what the memory resident virus code does to all
INT 13's.
INT 13 points to TOP:0015, where TOP is the segment address of
the memory resident virus. Of course, DOS might have tried to
intercept INT 13 also, so if you look at the INT 13 vector, you
might see it pointing to DOS, and hidden in DOS will be the
vector to TOP:0015.
The memory resident algorithm is as follows:-
trap all INT 13's (ie low level disk accesses)
ignore all but floppy disk write requests on drive a:
if the disk motor is not running, do a normal INT 13
have up to 4 attempts to read the boot sector cyl 0 sec 1 hd 0,
give up if errors occur
if the virus is already installed on the floppy disk, drop
through to a proper INT 13
write the boot sector to the hidden area (cyl 0 sec 3 hd 1 for
floppy)
--
uucp: uunet!m2xenix!puddle!5!494!4!CCML.RURES
Internet: CCML.RURES@f4.n494.z5.fidonet.org