Virus:Boot/Stoned is a simple virus that seems to have been designed to be harmless. Due to a mistake however, it did not quite work out that way. Stone is able to infect the boot sectors of floppy disks. The virus has spawned a large number of variants.
A computer infected with this virus will sometimes display the following message when it starts.
- Your computer is now stoned.
Stoned was one of the most widespread viruses in existence.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More scanning & removal options
More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
On an infected diskette, the original boot sector is stored on track 0, head 1, sector 3. This is the last sector of the root directory on a 360K diskette, so this will work unless the root directory contains more than 96 files, which is rather unlikely. Overwriting this sector on a 1.2M diskette is, however, much more likely to cause damage.
There are a large number of Stoned variants, many with no significant differences. The most notable are:
- This virus
This variant is one of several politically motivated viruses and contains the message:
- "Bloody! Jun. 4, 1989".
- Swedish Disaster
This virus contains the string "The Swedish Disaster", which may indicate it was written in Sweden.
Closely related to the original Stoned, Manitoba's main difference is that on floppies it doe not store the original boot sector anywhere, just overwrites it. Manitoba allocates two kilos of memory while in resident and corrupts 2.88MB EHD floppies while infecting them. Manitoba has no activation routine. It was probably written in the University of Manitoba.
NoInt was also known as Stoned III. It infects boot sectors on diskettes and Master Boot Records (MBRs) on hard disks. It infects a hard disk only if you try to boot from an infected diskette. The virus will be loaded into memory if the hard disk is infected and the machine is booted from it. Once the virus is in the memory, it will infect all diskettes that are used in the machine, unless the diskettes are write protected. It is sufficient to enter a command like DIR A: to get a diskette infected.
NoInt tries to prevent other programs from detecting it by causing read errors if partition table is tried to access. It does not do anything else visible and it does not contain any texts inside it. It is possible though that it causes damage to directories indirectly. The amount of base memory decreases by 2 kB.
This virus is a standard boot sector infector that will infect the MBR or the boot sector of a floppy. If the computer is booted from an infected floppy, the virus immediately attempts to infect the MBR of the hard disk.
Once Flame is active in memory, any operation on a non-infected floppy will result in infection. Virus reserves 1KB of DOS memory. The virus stores the original boot sector or MBR at cylinder 25, sector 1, head 1 regardless of what media is infected.
Flame saves the current month when it infects a system. When the month changes, it activates by displaying coloured flames on screen and overwriting the MBR.
This Stoned variant has stealth-mechanisms. It is probably made in Poland and contains the following texts:
- Greetings for ANGELINA!!!/by Garfield/Zielona Gora
Zielona Gora is a town in Poland. In October 1995, Angelina was found on new Seagate 5850 (850MB) IDE drives which were still factory sealed.