An Explanation of how the Stoned Virus operates Mike Lawrie (rures@hippo.ru.ac.za) Notation Cylinders, heads and drives are numbered from zero, sectors are numbered from one. 1. Characteristics of the Stoned Virus A PC that is infected with the Stoned virus will occasionally display, at boot time, the message "Your PC is now Stoned!". This message will never display if the booting is from the hard disk, but only from a floppy disk, so you will never be informed that your hard disk is infected. Having booted with an infected disk (hard or floppy), subsequent writes to a floppy in drive A: will cause that floppy to be infected. An infected hard-disk will in all likelihood suffer no ill- effects, but a 360Kb floppy disk that is infected will have problems if there are many files in the root directory. The last sector of the directory gets corrupted by the virus. It is quite safe to put an infected floppy into a PC - it will not cause any problems. The infection takes place ONLY AT BOOT TIME, so be careful about how you boot the PC. If your hard disk is infected, then boot off a disinfected floppy and clean up your hard disk as soon as possible. 2. Where the virus is stored The virus is stored in the boot sector of a disk, and the boot code is stored elsewhere. In the case of a hard disk system, the 'elsewhere' is cylinder 0, sector 7, head 0; in the case of a floppy, it is cylinder 0, sector 3, head 1. 3. Propogation The virus loads into memory each time the PC is booted from an infected disk (hard or floppy). Once it is memory resident (it grabs 2 Kb of RAM), then each and every time that there is a disk write, the target disk is checked to see if the virus is installed. If it is not installed, then it installs itself immediately and without notification. 4. Confirmation You can confirm that your disks are free of the virus by looking at the boot sectors of the disk. 4.1 Floppy Use debug to read the boot sector, as follows:- a:> debug - L 0 0 0 1 - D 180 - Q If the display produced by the 'd180' shows the text "Your PC is now Stoned!", then that disk is infected. 4.2 Hard disk You cannot use debug, because debug reads only relative to the start of the DOS partition, and you need to read and alter the boot partition which is an absolute sector. Use a utility that allows absolute disk reads, such as one of the Norton advanced utilities. Do a read and display of absolute sector zero of the hard drive, and look at bytes 0x18a onwards for the text "Your PC is now Stoned!". 5. How to get rid of the virus You must clear the virus off ALL disks from which you will boot your computer. It is quite safe to put an infected disk into the computer, as long as you do not boot from that disk. If you accidently boot from an infected disk, then your hard disk will be infected immediately, and ANY writing that you do to a floppy disk will cause that disk to be infected. This takes you back to square one. 5.1 Floppy system The algorithm for doing this with debug is:- 5.1.1. Read the first few sectors from the disk into RAM 5.1.2. Move the boot code to where it belongs 5.1.3. Zeroise the boot code that is in the wrong position 5.1.4. Write the first few sectors back to the disk The commands are best put into a .BAT file, and redirection used. Here are two files that work together. (Blank lines have been inserted only for clarity - do not put them into the .DAT file). DESTONE.BAT debug < destone.dat DESTONE.DAT L 0 0 0 10 M DS:1600 17FF DS:0 F DS:1600 17FF 0 W 0 0 0 10 Q To use this system, BOOT YOUR COMPUTER WITH A DISK THAT IS NOT INFECTED, then insert an INFECTED disk into drive A:, and type DESTONE. If you cannot work out which disk to put the DESTONE.?AT files onto, you should not be attempting this procedure. NB! This is a potentially dangerous method of using debug. Test this process VERY CAREFULLY on a test disk that has been infected. DO NOT USE THIS PROCESS ON A DISK THAT IS NOT INFECTED!!! YOU WILL DESTROY THE BOOT SECTOR. (The DOS 'SYS' command will re- instate it for you). 5.2 Hard disk system The principle is much the same as for a floppy disk system, except that there is probably no need to zeroise the boot code that is stored on cylinder 0, sector 7, head 0. CAVEAT FOR HARD DISK SYSTEM If the partition table has been altered subsequent to the time at which the virus infected the hard disk, then simply moving the cylinder 0, sector 7, head 0 code into the boot sector will destroy the hard disk partitions. The way around this is to compare the bytes from 0x1BE to 0x1FF in the boot sector (ie the cylinder 0, sector 1, head 0) against the corresponding bytes in sector 7. If there is a difference, then copy those values from sector 1 into sector 7 before writing all of sector 7 to sector 1. 6. How the virus operates When booting from an infected hard disk, the virus simply becomes memory resident, as described below. The complexity of the booting applies only to booting from floppies. Suppose that a PC is being booted from an infected floppy disk. The virus executes before the boot process gets going, and writes itself into a reserved area of memory as well as to the boot sector of the hard disk - having moved the proper hard disk boot program to a 'hidden' sector. Any subseqent write to floppy drive A: will cause the virus to install itself onto the floppy drive in the floppy boot sector - having likewise moved the proper floppy disk boot program to a 'hidden' sector (actually, not so hidden). The first sector from the disk (ie the BOOT sector, aka cyl 0, sec 1, hd 0) is read into RAM at 0000:7C00. In this case the virus code is read in, rather than the boot program, because the disk is infected. The code executes to address 00A1, (ie absolute 0000:7CA1), and does the following:- copies the INT 13 vector (disk i/o) into the virus code grabs 2 Kb of RAM from DOS sets INT 13 to point to code in the virus in the grabbed 2 Kb moves itself into that 2 Kb, and stays resident The code is now installed high in RAM, let's call the segment, say, TOP. Execution continues at TOP:00E4. Nothing has yet happened about booting DOS, that is still to come when the virus is good and ready. The code continues:- reset the disk system read the boot code from the 'hidden' sector into RAM at 0000:7C00 (if booted from hard disk use cyl 0 sec 7 hd 0, else use cyl 0 sec 3 hd 1) if booting from a hard disk, go straight to the boot code in RAM at 0000:7C00 (clearly, the virus is already installed on the hard disk) if the DOS timer low byte equals xxxxx000, show the stoned message attempt to read the boot sector from the hard drive into a buffer if the read has an error, don't do anything fancy, go straight to the boot code in RAM at 0000:7C00 if the read is error-free, see if the boot sector has the virus stored on it. if the virus is stored on the hard disk, then go to the boot code in RAM at 0000:7C00 store the virus onto the hard disk by moving the boot code to cyl 0 sec 7 hd 0, move the partition table to the end of the virus code, and writing the virus to the boot sector at cyl 0 sec 1 hd 0 go to the boot code in RAM at 0000:7C00 The DOS boot will now proceed normally, but note that the INT 13 vector is pointing to the memory resident virus code. Thus any later redirecting by other systems (eg DOS itself) will probably preserve the bad INT 13 (it is not possible to preserve the good one, the virus gobbled it up *before* the system executed the boot code). Thus, any subsequent disk requests sent via INT 13 (ie the vast majority of them) will be inspected by the memory resident virus code. Let's now look at what the memory resident virus code does to all INT 13's. INT 13 points to TOP:0015, where TOP is the segment address of the memory resident virus. Of course, DOS might have tried to intercept INT 13 also, so if you look at the INT 13 vector, you might see it pointing to DOS, and hidden in DOS will be the vector to TOP:0015. The memory resident algorithm is as follows:- trap all INT 13's (ie low level disk accesses) ignore all but floppy disk write requests on drive a: if the disk motor is not running, do a normal INT 13 have up to 4 attempts to read the boot sector cyl 0 sec 1 hd 0, give up if errors occur if the virus is already installed on the floppy disk, drop through to a proper INT 13 write the boot sector to the hidden area (cyl 0 sec 3 hd 1 for floppy) -- uucp: uunet!m2xenix!puddle!5!494!4!CCML.RURES Internet: CCML.RURES@f4.n494.z5.fidonet.org