Stoned is a boot sector

computer virus A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected" with a compu ...

created in 1987. It is one of the first viruses and is thought to have been written by a student in Wellington, New Zealand. By 1989 it had spread widely in New Zealand and Australia, and variants became very common worldwide in the early 1990s. A computer infected with the original version had a one in eight probability that the screen would declare: ''"Your PC is now Stoned!"'', a phrase found in infected boot sectors of infected

floppy disks A floppy disk or floppy diskette (casually referred to as a floppy, or a diskette) is an obsolescent type of disk storage composed of a thin and flexible disk of a magnetic storage medium in a square or nearly square plastic enclosure lined w ...

and

master boot record A master boot record (MBR) is a special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives intended for use with IBM PC-compatible systems and beyond. The concept of MBR ...

s of infected

hard disks A hard disk drive (HDD), hard disk, hard drive, or fixed disk is an electro-mechanical data storage device that stores and retrieves digital data using magnetic storage with one or more rigid rapidly rotating platters coated with magneti ...

, along with the phrase ''"Legalise

Marijuana Cannabis, also known as marijuana among other names, is a psychoactive drug from the cannabis plant. Native to Central or South Asia, the cannabis plant has been used as a drug for both recreational and entheogenic purposes and in various tra ...

"''. Later variants produced a range of other messages.

Original version

The original "Your PC is now stoned. Legalise Marijuana" was thought to have been written by a student in

Wellington Wellington ( mi, Te Whanganui-a-Tara or ) is the capital city of New Zealand. It is located at the south-western tip of the North Island, between Cook Strait and the Remutaka Range. Wellington is the second-largest city in New Zealand by me ...

, New Zealand. This initial version appears to have been written by someone with experience only with

IBM PC The IBM Personal Computer (model 5150, commonly known as the IBM PC) is the first microcomputer released in the IBM PC model line and the basis for the IBM PC compatible de facto standard. Released on August 12, 1981, it was created by a team ...

360KB floppy drives, as it misbehaves on the

IBM AT The IBM Personal Computer/AT (model 5170, abbreviated as IBM AT or PC/AT) was released in 1984 as the fourth model in the IBM Personal Computer line, following the IBM PC/XT and its IBM Portable PC variant. It was designed around the Intel 8028 ...

1.2MB floppy, or on systems with more than 96 files in the root directory. On higher capacity disks, such as 1.2 MB disks, the original boot sector may overwrite a portion of the directory. The message displays if the boot time was exactly divisible by 8. On many

IBM PC clone IBM PC compatible computers are similar to the original IBM PC, XT, and AT, all from computer giant IBM, that are able to use the same software and expansion cards. Such computers were referred to as PC clones, IBM clones or IBM PC clones. ...

s at the time, boot times could vary, so the message would display randomly (1 time in 8). On some

IBM PC compatible IBM PC compatible computers are similar to the original IBM PC, XT, and AT, all from computer giant IBM, that are able to use the same software and expansion cards. Such computers were referred to as PC clones, IBM clones or IBM PC clones. ...

machines or on original

computers, the boot time was constant, so an infected computer would either never display the message or always display the message. An infected computer with a 360K disk and a 20MB or less hard disk, which never displayed the message was one of the first examples of an asymptomatic virus carrier, which would work with no impediment to its function, but which would infect any disks inserted into it. On hard disks, the original

is moved to cylinder 0, head 0, sector 7. On

floppy disk A floppy disk or floppy diskette (casually referred to as a floppy, or a diskette) is an obsolescent type of disk storage composed of a thin and flexible disk of a magnetic storage medium in a square or nearly square plastic enclosure lined w ...

s, the original boot sector is moved to cylinder 0, head 1, sector 3, which is the last directory sector on 360 kB disks. The virus will "safely" overwrite the boot sector if the root directory has no more than 96 files. The PC was typically infected by booting from an infected diskette. Computers, at the time, would default to booting from the A: diskette drive if it had a diskette. The virus was spread when a floppy diskette was accessed with an infected computer. That diskette was now, itself, a source for further spread of the virus. This was much like a

recessive gene In genetics, dominance is the phenomenon of one variant (allele) of a gene on a chromosome masking or overriding the effect of a different variant of the same gene on the other copy of the chromosome. The first variant is termed dominant and t ...

- difficult to eliminate - because a user could have any number of infected diskettes and yet not have their systems infected with the virus unless they inadvertently boot from an infected diskette. Cleaning the computer without cleaning all diskettes left the user susceptible to a repeat infection. The method also furthered the spread of the virus in that borrowed diskettes, if placed into the system, were now able to carry the virus to a new host.

Variants

The virus image is very easily modified (patched); in particular a person with no knowledge of programming can alter the message displayed. Many variants of Stoned circulated, some only with different messages.

Beijing, Bloody!

The virus has the string "Bloody! Jun. 4, 1989". On this date, the

Tiananmen Square protests The Tiananmen Square protests, known in Chinese as the June Fourth Incident (), were student-led demonstrations held in Tiananmen Square, Beijing during 1989. In what is known as the Tiananmen Square Massacre, or in Chinese the June Fourth ...

were suppressed by the

People's Republic of China China, officially the People's Republic of China (PRC), is a country in East Asia. It is the world's most populous country, with a population exceeding 1.4 billion, slightly ahead of India. China spans the equivalent of five time zones and ...

Swedish Disaster

The virus has the string "The Swedish Disaster".

Manitoba

Manitoba has no activation routine and does not store the original boot sector on floppies; Manitoba simply overwrites the original boot sector. 2.88MB EHD floppies are corrupted by the virus. Manitoba uses 2KB memory while resident.

NoInt, Bloomington, Stoned III

NoInt tries to stop programs from detecting it. This causes read errors if the computer tries to access the partition table. Systems infected with NoInt have a decrease of 2 kB in base memory.

Flame, Stamford

A variant of Stoned was called Flame (later unrelated sophisticated malware was given the same name). The early Flame uses 1 kB of DOS memory. It stores the original boot sector or master boot record at cylinder 25, head 1, sector 1 regardless of the media. Flame saves the current month of the system when it is infected. When the month changes, Flame displays colored flames on the screen and overwrites the master boot record.

Angelina

Angelina has stealth mechanisms. On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 9. Angelina contains the following embedded text, not displayed by the virus: "Greetings from ANGELINA!!!/by Garfield/Zielona Gora" (

Zielona Góra Zielona Góra is the largest city in Lubusz Voivodeship, located in western Poland, with 140,403 inhabitants (2021). Zielona Góra has a favourable geographical position, being close to the Polish-German border and on several international road ...

is a town in Poland). * In October 1995 Angelina was discovered in new factory-sealed

Seagate Technology Seagate Technology Holdings plc is an American data storage company. It was incorporated in 1978 as Shugart Technology and commenced business in 1979. Since 2010, the company has been incorporated in Dublin, Ireland, with operational headquart ...

5850 (850MB) IDE drives. * In 2007 a batch of

Medion Medion AG is a German consumer electronics company, and a subsidiary of Chinese multinational technology company Lenovo. The company operates in Europe, Turkey, Asia-Pacific, United States and Australia regions. The company's main products are c ...

laptops sold through the

Aldi Aldi (stylised as ALDI) is the common company brand name of two German multinational family-owned discount supermarket chains operating over 10,000 stores in 20 countries. The chain was founded by brothers Karl and Theo Albrecht in 1946, when t ...

supermarket chain appeared to be infected with Angelina. A Medion press release explained that the virus was not really present; rather, it was a spurious warning caused by a bug in the pre-installed

antivirus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the nam ...

, Bullguard. A patch was released to fix the error. The Bullguard malfunction highlights one of the issues (along with loss of performance and frustrating pop-ups asking the user for money) of OEMs pre-installing what Microsoft internally referred to as "craplets" onto Windows PCs to make up for the licensing costs of Windows. A practice widely condemned in the tech media, even from reporters who are usually friendly to Microsoft.

Bitcoin blockchain incident

On 15 May 2014, the signature of the Stoned virus was inserted into the

bitcoin Bitcoin ( abbreviation: BTC; sign: ₿) is a decentralized digital currency that can be transferred on the peer-to-peer bitcoin network. Bitcoin transactions are verified by network nodes through cryptography and recorded in a public distr ...

blockchain A blockchain is a type of distributed ledger technology (DLT) that consists of growing lists of records, called ''blocks'', that are securely linked together using cryptography. Each block contains a cryptographic hash of the previous block, a ...

. This caused

Microsoft Security Essentials Microsoft Security Essentials (MSE) is an antivirus software (AV) product that provides protection against different types of malicious software, such as computer viruses, spyware, rootkits, and Trojan horses. Prior to version 4.5, MSE ran on , ...

to recognize copies of the blockchain as the virus, prompting it to remove the file in question, and subsequently forcing the node to reload the block chain from that point, continuing the cycle. Only the signature of the virus had been inserted into the blockchain; the virus itself was not there, and if it were, it would not be able to function. The situation was averted shortly thereafter, when

Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...

prevented the blockchain from being recognized as Stoned.

did not lose the ability to detect a real instance of Stoned.

References

{{DEFAULTSORT:Stoned (Computer Virus) Boot viruses Hacking in the 1980s