|   | CIAC Advisory number A- 28NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
 ________________________________________________________________________
 THE COMPUTER INCIDENT ADVISORY CAPABILITY
 
 CIAC
 
 INFORMATION BULLETIN
 ________________________________________________________________________
 
 The Stoned (Marijuana or New Zealand) Virus on MS DOS Computers
 
 July 12, 1990, 1200 PST	                                     Number A-28
 ________________________________________________________________________
 
 Name: Stoned virus (also known as the Marijuana or New Zealand virus)
 Types: At least four known variants
 Platform: MS DOS computers
 Damage: Not deliberately destructive--however, this virus overwrites
 some of boot sector/master boot record on infected disks (see text)
 Symptoms: May write "Your computer is now stoned.  Legalize marijuana"
 or similar message on screen (one variant has this message removed);
 may create hard disk errors or the inability to boot
 Detection:  VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan
 Eradication: VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-PROT and others
 (contact CIAC for information about these products)
 
 Critical Stoned Virus Facts
 _______________________________________________________________________
 
 The Stoned (Marijuana or New Zealand) virus is now one of the most
 common viruses among MS-DOS systems.  The Stoned virus infects the boot
 sector/master boot record of floppy and hard disks.   Once resident in
 memory, this virus may display a message similar to the following:
 
 Your computer is now stoned.  Legalize marijuana.
 
 Although the Stoned virus apparently was not programmed to do damage,
 this virus can nevertheless damage a system.  The Stoned virus may
 overwrite parts of infected disks that contain directory information or
 portions of user data files, specifically the boot sector of floppy
 disks along with Head 0, Track 0, Sector 3 on a diskette or the master
 boot record and Head 0, Track 0, Sector 7 on hard disks.  If hard disks
 have last been partitioned under DOS 2, this virus overwrites portions
 of the File Allocation Table (FAT) as well.  The result is overwriting
 of data files and indications of disk errors by CHKDSK.  Variants of
 the Stoned virus produce slightly different effects:
 
 Stoned-B:  infection of the hard disk's partition table,
 Stoned-C:  no displayed message
 Stoned-D:  infection of high density diskettes
 
 You can detect the Stoned virus with a variety of scan packages such as
 VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan.   You can
 eradicate this virus by using packages such as VIRHUNT, RESSCAN,
 CodeSafe, CleanUp, F-PROT.  If you cannot obtain a virus removal
 utility, we suggest you back up your applications and data from your
 hard disk, and then low-level format the disk to ensure that the master
 boot record is removed.  Boot from a clean, writeprotected operating
 system disk, restore your system, and then restore the application and
 data files.
 
 After you have cleaned your system, either with an eradication product
 or by formating the drive, scan again using a virus detection utility
 to ensure that the virus is not present.  To ensure that your system
 does not immediately become re-infected, be sure to scan all of floppy
 disks for the virus as well.  To clean floppies you may use one of the
 suggested products, or you may format new floppies on a clean system,
 then use the "copy" command to copy files from the infected floppies to
 the clean ones.  Format the infected floppies to reuse them.
 
 The Stoned virus typically spreads wherever floppy disks are shared.
 Infections can be easily prevented by adopting sound protection
 procedures.  The Stoned virus infects hard disks when a PC is booted
 from an infected floppy.  This virus does not infect applications,
 however.  If you must boot from a floppy disk, ensure with a virus scan
 package that this disk is not infected, and write-protect this disk.
 This will prevent your boot disk from becoming infected.  (Warning:
 under some circumstances the Stoned-infected floppy disk can infect a
 machine even if the computer does not have a bootable operating system
 on it.)
 
 Additional Note:  Basic information about the Stoned virus has been
 available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin
 A-15 since the beginning of this year.
 
 For additional information or assistance, please contact CIAC:
 
 David S. Brown
 (415) 423-9878 or (FTS) 543-9878
 FAX:  (415) 423-0913, (FTS) 543-0913 or (415) 422-4294
 
 Send e-mail to:
 
 [email protected]
 
 The assistance of Ken Van Wyk and Dave Chess is gratefully
 acknowledged.  Neither the United States Government nor the University
 of California nor any of their employees, makes any warranty,
 expressed or implied, or assumes any legal liability or responsibility
 for the accuracy, completeness, or usefulness of any information,
 product, or process disclosed, or represents that its use would not
 infringe privately owned rights.  Reference herein to any specific
 commercial products, process, or service by trade name, trademark
 manufacturer, or otherwise, does not necessarily constitute or imply
 its endorsement, recommendation, or favoring by the United States
 Government or the University of California.  The views and opinions of
 authors expressed herein do not necessarily state or reflect those of
 the United States Government nor the University of California, and
 shall not be used for advertising or product endorsement purposes.
 
 |   |