A closer look at the Stoned Virus on my XT machine (Part 2/3)

Efficient! Doing a disk image to preserve the infected disk contents! :-)

I got it from a bootleg copy of civilization.

1990 would have been really early for a 486, I know my dad got a 286 in 1991.

Maybe you got one of the first 486 like the 16 mgz (20?) version but i remember I had the oppoturnity to buy a Amd 386 Dx-40 in 1992 so this might be on the same timeline

@@rogerwilco2 My friend had a 486 in 1990 or 91, but I didn't get my first PC; a 286, until a few years later. My 286 was second-hand; the seller was upgrading straight to a Pentum. In those days, people upgraded whenever they wanted. It was nice for consumers (particularly given the expense of hardware), but perhaps not so much for developers. :) Edit: Now I think about it, it meant a developer could make a living with DOS knowledge alone all the way from 1982 to late in the 90s, or even all through the 00s and into the 10s in the industrial and embedded fields. I think there might still be DOS-powered industrial systems.

I recall the days of fdisk. That was interesting.

What would happen if you installed several boot viruses on one disk?

@@kirill9064 It boots the first one I'd suppose.

@@TheCrystalGlow Same here. I didn't had an internet connection back then so I learned hella much stuff about computers just by trial and error. :)

I want to upvote your comment but I didn't want to be person #70 ;)

My entire programming class in high school got infected with this virus around 91-92.

the virus defeated write protection or someone moved the tab ?

Damn. That’s really fascinating. Did you work worldwide ?

@@highpath4776 Yeah, they moved the tab. You just cant teach some people.

@@Kubulek17 I filled up 2 passports doing installs, training, and service. The Gambia was an odd one, one paved road, vacation spot for French tourists, lots of army checkpoints on that lone paved road.

As an IT guy now this is a fascinating story. Nice to hear from someone doing IT back when I was a little boy and internationally at that.

Yeah saw that one too ... I'm not really familiar with assembly language. Perhaps I should take it up as a hobby (being a developer in real-life).

There are games fitted into 64 to 256 bytes

@@RetroSpector78 Superoptimizing assembly is interesting, you start learning lots of weird tricks to reuse the same chunk of code different ways - have multiple entry points to a function, overlap the first instruction of a routine with some data that just happens to match, sometimes you can even overlap two pieces of code that do different things depending on the reading frame. For example you can abuse a "load register with immediate data" type instruction as a one byte jump over a two byte instruction that forms the first instruction of an alternate entry point to the next part of code, etc.
If you have enough code space that you can use a decompressor, then you might start trying to organize assembly sequences so that they compress better. Sometimes adding unneeded code makes it smaller compressed if it makes it match other code better. Lots of work to shave off a byte or two at a time but it can lead to some impressive results. I made a semi-minimalist BIOS implementation for the Sanyo MBC-55x (hardware summary screen, basic video support on the proprietary graphics, CGA text mode initialization if present, keyboard, floppy disk, custom AES disk encryption with an invisible menu to set the crypto keys) and it's less than 4KB compressed and contains a FreeDOS boot sector. On a double sided disk, it doesn't even need to leave track 0 to get the BIOS loaded.
The biggest shrinks were using UPX as a packer, having the code generate the AES lookup tables at boot, and then the collective effort of trickery reorganizing the code and in probably the coolest optimization, I was able to merge two of the AES subroutines into one by making the x86 direction flag effectively change some byte rotation directions and reuse one stretch of code for two behaviors depending on the direction flag. It's like one of those optimizations that should just never happen but on a hunch I worked through what the backwards direction flag would do and only had to make minor changes to make it do the right thing.

@@big0bad0brad Fascinating stuff, do you have a writeup of it (or other cool projects) anywhere?

@@RetroSpector78 good buddy of mine taught himself Assembly Language in the early 80s on a TRS 80 (TRS DOS). We are both in our 60s. He’s turned his understanding if AL into a life long job. High level IT work.

We still refer to sectors on solid state drives because the flash memory used is designed that way. Typical flash memory will be organized as 4KB sectors of data and 64KB or larger banks. When reading from the flash memory you can access any address directly. But, when writing, you must write to a 4096 byte boundary, and you must write all 4096 bytes to the memory. This is because flash memory must be erased prior to writing, and forcing an erase procedure to erase 4KB at a time saves a tremendous amount of silicon real estate that allows a single chip to hold 256GB, or more, data. (In almost all types of flash memory when data is erased all bits are set to 1. Writing a 1 bit does nothing, but writing a 0 (zero) bit flips the bit from 1 to 0.) The larger banks of 64KB or more are provided to allow erasing more data in a single operation since erasing is time consuming, and this allows much higher effective write speeds.
This architecture allows for significantly more data storage in flash-type solid state memories. (As opposed to EEPROM memories where individual bytes can be erased and written, but are still limited to very low capacities like 32KB.)
Note that the most modern solid state storage devices (NVME drives) have their contents mapped directly into the normal address space of the CPU. This allow for more efficient storage memory access, but the same "sector" boundary rules apply.
One final thing: LBA (logical block addressing) eliminated the use of the cylinder/head/sector method of indexing data on all disk drives at the end of the 90's. Before that, if you were working with a solid state disk drive you were most likely working in an enterprise level data center.
Anyway, I hope this helps to clarify why the sector terminology is still used, and that this wasn't wasn't too long winded and boring. :)

The CHS nomenclature was a lie from early in the DOS days. I have a 386SX with a 119MB Seagate HDD that has “14” heads. Sure it does. 🙄 The smallest IDE drive I have is 85MB. It has “4” heads. That may or may not be real.
CHS was obsolete before DOS 5.0, and stuck around as the sole addressing scheme (without overlays and disregarding SCSI) until DOS 6 - well past its sell-by date.

You also have to know that until early 90s all hard drives reported in MiBs or KiBs. A KiB is 1240Bs vs modern 1024B. This eben carried over to Optical drives. If you look at CDs they are 750MiBs. If you do the conversion Mhz, channel, and bit of music it does not equal 750MB. The reason CDs opted for MiBs vs MB was dats had to do less scaling. Also UEFI with Secure Boot and GPT no longet keeps the MBR on the start of the hard drive or SSD. Instead the MBR fils has pieces in UEFI, MBR area, and root of the GPT partition. If you add optane the MBR partion record is spread across 4 places. Though with secure boot a key on the drive mirrors the secure boot. The table sets on drive MBR. and root of GPT

@@thepoliticalstartrek You got something wrong. A Kibibyte (KiB) is 1024 byte and 1 Mebibyte (MiB) = 1024 × 1024 Byte = 1.048.576 Byte. These are the binary- or IEC-Prefixes based on 2^x. The SI-Prefixes, kilo=1000, mega=1000000, etc. in kB or MB are based on the decimal 10^x system. I know you US guys have some problems with that ... but you have obviously the Internet and Wikipedia(please not the English one, they got it wrong, too:) ), don't you?:)
The official standard for CDs is 650MB, although you can get them in capacities from 650 to 900 MB (12 cm) or in smaller 8cm with 194MB versions. The size specification for CD is (650 × 2^20) which is MiB ... and so MB is not correct and misleading. The correct value would be ≈ 682MB for the standardized 650"MB" CD. Maybe there is your "750MB" value from: For audio our candidate can hold 74min of audio with the different format that equals to ≈ 747MiB(near your value but wrong unit, Edit: Excuse me, that is the one case you got it right ... to 3MiB accurate) = 783MB. That is because audio uses 2352 Byte/Sector and data storage allows 2048 Byte/Sector.
Nobody has a clue, not even the manufacturers ... at least till they found out how to make the best profit:)
Besides all that hard to follow stuff, one cannot make up prefixes and numbers to their liking. There is a standard! Otherwise I'm just going to buy GOLD from these guys. 650 kilos bought and 682 got in reality? Who else wants to join?:)))

@@dieSpinnt I saw 750GiB CD-R(W?) in use in the 90s. I think you're correct about the original specification, but they evidently figured out how to cram in an extra 100MiB all the way back then, and there must be a 750MiB standard or the disks wouldn't be useful.
"A little knowledge is a dangerous thing," goes the old saying. Well, a little knowledge about standards is an irritating thing. ;)

Yeah had to find an old version to be able to install it on windows XP on my old Athlon ... always a bit tricky finding old versions if virus scanners on dodgy sites :)

Love the pointless little goblin that appears 😂

lightweigh and effective...used it a lot when i worked at a store repairing computers around 15 years ago

@@MrHBSoftware
And I used the old AVG on Windows XP and Vista, before switching to different versions of Windows Security over the years. Until a few years ago, I didn't know AVG got acquired and became awful and/or annoying.

Glad you enjoyed it!

Thx .... I have to say it has given me a cold :) Hope I'll get better soon ...

Or what if real data gets written into that sector? That would stop the machine from booting off the disk. Unless the virus marks the sector as used in the FAT (and I don't know if it does or not) this could easily happen.

@@eDoc2020 You can still restore a boot. It's not a big deal and you will pile up some tools. The real problem is some rare data getting lost.

In the MS-DOS 360KB format, the disc starts with one boot sector, two copies of the FAT, 2 sectors each, followed by the root directory, having 112 entries. As a FAT directory entry occupies 32 bytes, you can fit 16 entries into a sector, which makes the root directory occupy 7 sectors. As Adrian started counting sectors at 0, sector 11 is actually the 12th sector on the disk. The boot sector and the FAT occupy 5 sectors in total, the 12th sector is the 7th sector of the root directory - which is the *last* of the seven sectors.
For performance reasons, DOS does not scan the whole root directory, but ignores everything after the first "empty" directory entry. An empty directory entry is defined by its first byte being 00 instead of the first byte of a name. So as long as the first 6 directory sectors are not completely filled with directory entries, DOS will see an empty entry terminating the root directory (not unlike a NUL character terminating a C string), and ignore sector 11. 6 sectors can store 96 directory entries. As there must be a terminator entry, too, you can store 95 files on a stoned-infected 360KB floppy disk before running into conflicts on sector 11. After storing the 96th file, DOS will start seeing the original boot sector at location 11 as part of the root directory, which will show up as corrupted additional entries in the directory. If you run chkdsk to fix that mess, chkdsk will erase all the invalid directory entries, corrupting the original boot sector and making the disk unusable unless you re-write a proper boot sector to it, e.g. by reformatting it.

That is the biggest issue! It ruined so many of my legitimate floppies because of over written sector 11. And if you try to reformat and load an image to the floopy on a clean machine you infect that machine, and vice versa. You can't win with this viris, it is the worst virus ever, it is only harmless on bkank media or anything that has not written to sector 11. There is no way to fix it other than to stop using all of your floppies, re-format your HDD, and start all over with fresh floppies. Antivirus can usually always detect it but that is all it can do- setect it. Not clean ram, HDD, or Floppy. I remember I finally was all in order... and then I forgot about my school 3.5 floopy with MS Works documents and it started all over again. And because of that the schools computer had it and I either couldn't edit at home or had to just accept stoned.ini... which I did until I got my socket 7 (CDRW DLA & Direct CD ect.) and the school upgraded their computers. This video gives me PTSD because I remember how much I hated that virus back in the day.

Glad it was helpful!

Always reset the computer when changing floppy disks... which is no use when you have a hard disk inside.

I was very confused by the Ghost virus on my Atari ST. I have no idea why I didn't realise it was a virus. It reversed the Y axis of the mouse, and just when you'd gotten used to it, it would reverse it back!

Just wanted to structure the video a bit ... got lots of ideas in my head on visuals / animations and how I would like a video to look but don't have the skills to do it :)

ruclips.net/video/AZYVzIhgwpU/видео.html

Yes, that’s correct, if you write-protect it like that the virus cannot infect it. I always pulled up the write-protect notch on my 3.5” floppies when sharing them with friends to not get them back infected.

One virus writer famously claimed his virus could write "through" write-protection, but I don't know if anyone ever really believed it. :) I'd need to refresh my knowledge of floppy drive controllers to know if it's even remotely possible, but it certainly wouldn't be easy. The electronics for the normal write functions are physically disabled when a write-protected disk is inserted, in the PC. I can't remember if the virus worked on PC or Atari, anyway.

@@eekee6034 I do remember people not 100% trusting the little write-protect tab and taping it over to be 'extra safe'. I can imagine virus writers tapping into this fear. And history repeats itself, because nowadays people tape over their webcams to be 'extra safe'.

I tried scrolling something in a video the other day... or did I try to use a game's camera controls? Many years ago, I dropped something behind my monitor IRL, and tried to use the camera controls of the game I was playing to look behind the monitor. XD

Excellent point. I believe it does not work in the other direction (PC → floppy): if it cannot write, it cannot spread. The user would either have to give the virus write access to a disk, or the virus would need some way to override the write protection.

If you delve into the code of the virus (link in the description) you’ll see it’s watching a hardware clock-tick, if that has a certain composition (1/8 probability) it will show the message

It could just load the sector into memory and jump to it, or ignore the backup entirely and load io.sys and msdos.sys by itself, although I believe it does the former.

I didn't analyze the stoned virus, but it's competitor on being the most common boot sector virus in Europe. I expect them to be technically very similar, as they are both basic boot sector/MBR viruses. That one is the "parity" virus. It makes your PC crash with a fake memory parity error message at the next full hour, but gives you another hour of computing time before it crashes your system for every floppy it could infect.
The parity virus installs a BIOS hook that redirects all reads (but not writes!) to the boot sector to sector 11. It then re-executes the BIOS boot function by calling INT 19. This interrupt causes the BIOS to load the boot sector from A: or the MBR from C: again, this time with BIOS hook installed, so the computer boots from sector 11.
As writes are *not* redirected by the parity virus, you can just read the boot sector/MBR and re-write the data you just read to get rid of the virus. As soon as you read the boot sector afterwards, the disk will get re-infected, though, so my standard routine to get rid of parity is to read the boot sector (of a floppy) or the MBR (of a HDD), rewrite what I wrote, and power-cycle it. The virus tries to intercept Ctrl-Alt-Del to survive a warm start. Depending on what TSRs you had installed, that interception might fail, though.

I'm just thinking: Wouldn't it be even more easy to just load the stoned.bin into debug and simply execute it? I mean the code has everything in it to replicate it, so it would naturally infect the Floppy. OK, it would do so to the HDD as well, but this was already infected so no harm done.

Yes, it could overwrite data on the disk

I believe you are mistaken. A sane OS can read the data tables on an infected disk without running any of its code. The malicious code would still be in RAM but it would be inactive. Having said that, if there is a bug in the OS's code the use of specially crafted values in the data tables could lead to execution of the malicious code but I doubt the virus in this video does that.

@@eDoc2020
If what you say is true, virii could not spread. If I had a floppy disc that I always booted from, and never booted from a different floppy, my computer could never be infected, since I only booted from an uninfected disc.
That said, I admittedly have not booted a computer from a floppy disc since about 1990, so don't fully remember, but I believe if the infected disc has programs, all one has to do to get infected is run one of the programs, not necessarily boot from the disc.
The boot sector itself has the malicious code, and the CPU accesses the boot sector every time it accesses the disc. So the malicious code runs and infects the computer's RAM each time it is accessed. The code tells the machine to write itself to each disc that machine ever accesses. If the machine has a HDD, the malicious code writes to the MBR, and thereby infects every disc the machine sees.

@@xenaguy01 There's no conflict here. What I'm saying is that if you _don't_ boot the infected disk and _don't_ run any programs from it you shouldn't get infected.

I don't know if the virus does this or not but one way to hide data is to mark the sectors as bad in the FAT. Usually physically damaged sectors are marked as bad so the OS knows not to put data there. On the surface scan this would appear as a B and at the end it will say there are X bytes (or maybe clusters) of bad sectors.

@@eDoc2020 yes its a red rectangle with a B inside...it would be kind of weird if the virus did that but i really dont know :)

@@MrHBSoftware I thought it was a black rectangle with a red B... Anyways it appears it doesn't do that. Sector 11 is normally the last sector of the root directory table so if you have less than 96 files it would normally be unused.