Stoned is the name of a boot sector computer virus created in 1987. It is one of the very first viruses and is thought to have been written by a student in Wellington, New Zealand. By 1989 it had spread widely in New Zealand and Australia, and variants became very common worldwide in the early 1990s. A computer infected with the original version had a one in eight probability that the screen would declare: "Your PC is now Stoned!", a phrase found in infected boot sectors of infected floppy disks and master boot records of infected hard disks, along with the phrase "Legalise Marijuana". Later variants produced a range of other messages.
Original version
The original "Your computer is now stoned. Legalise Marijuana" was thought to have been written by a university student in Wellington, New Zealand. This initial version appears to have been written by someone with experience only with IBM PC 360KB floppy drives, as it misbehaves on the IBM AT 1.2MB floppy, or on systems with more than 96 files in the root directory. On higher capacity disks, such as 1.2 MB disks, the original boot sector may overwrite a portion of the directory. On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 7. On floppy disks, the original boot sector is moved to cylinder 0, head 1, sector 3, which is the last directory sector on 360 kB disks. The virus will "safely" overwrite the boot sector if the root directory has no more than 96 files. The PC was typically infected by booting from an infected diskette. Computers, at the time, would default to booting from the A: diskette drive if it had a diskette. The virus was spread when a floppy diskette was accessed with an infected computer. That diskette was now, itself, a source for further spread of the virus. This was much like a recessive gene - difficult to eliminate - because a user could have any number of infected diskettes and yet not have their systems infected with the virus unless they inadvertently boot from an infected diskette. Cleaning the computer without cleaning all diskettes left the user susceptible to a repeat infection. The method also furthered the spread of the virus in that borrowed diskettes, if placed into the system, were now able to carry the virus to a new host.
Variants
The virus image is very easily modified ; in particular a person with no knowledge of programming can alter the message displayed. Many variants of Stoned circulated, some only with different messages.
Manitoba has no activation routine and does not store the original boot sector on floppies; Manitoba simply overwrites the original boot sector. 2.88MB EHD floppies are corrupted by the virus. Manitoba uses 2KB memory while resident.
NoInt, Bloomington, Stoned III
NoInt tries to stop programs from detecting it. This causes read errors if the computer tries to access the partition table. Systems infected with NoInt have a decrease of 2 kB in base memory.
Flame, Stamford
A variant of Stoned was called Flame. The early Flame uses 1 kB of DOS memory. It stores the original boot sector or master boot record at cylinder 25, head 1, sector 1 regardless of the media. Flame saves the current month of the system when it is infected. When the month changes, Flame displays colored flames on the screen and overwrites the master boot record.
Angelina
Angelina has stealth mechanisms. On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 9. Angelina contains the following embedded text, not displayed by the virus: "Greetings from ANGELINA!!!/by Garfield/Zielona Gora".
In October 1995 Angelina was discovered in new factory-sealed Seagate Technology 5850 IDE drives.
In 2007 a batch of Medion laptops sold through the Aldi supermarket chain appeared to be infected with Angelina. A Medion press release explained that the virus was not really present; rather, it was a spurious warning caused by a bug in the pre-installed antivirus software, Bullguard. A patch was released to fix the error. The Bullguard malfunction highlights one of the issues of OEMs pre-installing what Microsoft internally referred to as "craplets" onto Windows PCs to make up for the licensing costs of Windows. A practice widely condemned in the tech media, even from reporters who are usually friendly to Microsoft.
On May 15, 2014, the signature of the Stoned virus was inserted into the bitcoin blockchain. This caused Microsoft Security Essentials to recognize copies of the blockchain as the virus, prompting it to remove the file in question, and subsequently forcing the node to reload the block chain from that point, continuing the cycle. Only the signature of the virus had been inserted into the blockchain; the virus itself was not there, and if it were, it would not be able to function. The situation was averted shortly thereafter, as Microsoft had prevented the blockchain from being recognized as Stoned. Microsoft Security Essentials did not lose the ability to detect a real instance of Stoned.