ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ VIRUS REPORT ³ ³ New Zealand Virus ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Synonyms: Stoned Virus, Australian Virus, Hawaii, Marijuana, San Diego virus, Smithsonian virus. Date of Origin: early 1988. Place of Origin: Wellington, New Zealand. Host Machine: PC compatibles. Host Files: Remains resident. Infects boot sector of 360K floppy disk. OnScreen Symptoms: The screen will sometimes display "Your PC is now stoned!" Increase in Size of Infected Files: n/a. Nature of Damage: Affects system run-time operation. Corrupts or overwrites boot sector. Directly or indirectly corrupts file linkage. Detected by: Scanv56+, CleanUp, F-Prot, IBM Scan, Pro-Scan. Removed by: CleanUp, MDisk, F-Prot. Scan Code: 1E 50 80 FC 02 72 17 80 FC 04 73 12 0A D2 75 0E 33 C0 8E D8 A0 3F 04 A8 01 75 03 E8 07 00. You can also search at offset 045H for B8 01 02 0E 07 BB 00 02 B9 01. History: This virus was first reported in Wellington, New Zealand in early 1988. Description of Operation: This virus consists of a boot sector only. It infects any disk inserted in a drive after it becomes activated during a boot, and it occupies 1K of memory. The original boot sector is held in track zero, head one, sector three on a floppy disk, and track zero, head zero, sector two on a hard disk. The boot sector contains two character strings: "Your PC is now Stoned!" and "LEGALISE MARIJUANA!". The first of these messages is only displayed one in eight times when booting from an infected floppy, the second is unreferenced. In some variations, the message is displayed on every 32nd boot. In the original version of this virus, only 360 KB 5 1/4" floppies were infected. While the original version was unable to infect a hard disk, other versions (such as New Zealand B) are capable of doing so. The virus can (unintentionally) trash 1.2 Mb floppies if they have more than 32 files, and trashes about 5% of hard disks. Removal: The Stoned virus can be removed from 360KB diskettes by using either the MDisk, CleanUp, or F-Prot programs. It can also be removed from diskettes by using the DOS SYS command. Be sure to power down your system and reboot from a clean, write-protected floppy prior to attempting disinfection. ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º This document was adapted from the book "Computer Viruses", º º which is copyright and distributed by the National Computer º º Security Association. It contains information compiled from º º many sources. To the best of our knowledge, all information º º presented here is accurate. º º º º Please send any updates or corrections to the NCSA, Suite 309, º º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º º and upload the information: (202) 364-1304. Or call us voice at º º (202) 364-8252. This version was produced May 22, 1990. º º º º The NCSA is a non-profit organization dedicated to improving º º computer security. Membership in the association is just $45 per º º year. Copies of the book "Computer Viruses", which provides º º detailed information on over 145 viruses, can be obtained from º º the NCSA. Member price: $44; non-member price: $55. º º º º The document is copyright (c) 1990 NCSA. º º º º This document may be distributed in any format, providing º º this message is not removed or altered. º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ  Downloaded From P-80 International Information Systems 304-744-2253