Update on Stoned virus infection of German notebooks

Thursday, we blogged that the ancient Stoned.Angelina virus had been found on some German notebooks made by Medion. SecuriTeam has a round-up.

It’s worth noting that a) virtually no PCs ship with floppy drives these days, making infection of other PCs highly unlikely, and b) how much it matters that an antivirus program can’t remove an ancient boot sector virus such as this one is open to debate.

The virus itself isn’t destructive. And in Windows XP and Vista, you would have to have a floppy in the drive while the system is booting in order to get infected. In a way, it's more of a novelty to see such an old virus (which is no longer even on the Wildlist).

However, the point is that if you’re infected, you would want to clean it, and a number of notebooks shipped from Medion with this virus. BullGuard, the antivirus product included with the notebook, was initially unable to remove it, although the company has an update on its website which should do the job.

Here is more from Andreas Marx:

Introduction: Medion shipped some notebooks together with a boot virus from 1994 (!)... and it looks like quite a few AV tools had problems with the detection and/or removal of this critter. For example, the AV software installed on the system reported this virus on every reboot, but was unable to remove it.

To my surprise, Stoned.Angelina is working very well with Windows Vista (x86) — the system gets infected and it is still bootable.

Windows Vista won't display any message or other kind of warning regarding the boot sector change (unlike Windows 98, for example).

The virus is only able to spread to further disks when Windows [itself] is not yet started,…the virus can infect further disks at boot time, but not after Windows has been started.

Testing: First, we infected a PC with an installed Windows XP SP2 or Windows Vista with "Stoned.Angelina", which is quite easy to perform — you only need to "forget" an infected floppy disk in the A: drive and try to boot from it. The virus will instantly infect the system area of the hard disk. However, unlike some other boot viruses, Windows is still able to boot up and it won't display any warning messages. The virus can infect further floppy disks as soon as it's activated (on every reboot) and under DOS. As soon as Windows 2000, XP or Vista (or Linux or any other protected mode OS) is started, the virus code won't be called anymore -- the system is still infected, but the virus itself cannot spread further until the next reboot.

For our testing, we used the German versions of Windows and the currently available "2007" or "2008" consumer versions of some anti-virus software or security suites (in German language, using updates as of yesterday or today, 2007-09-14). We have tested a total of 10 products (on two OS): Avira AntiVir Personal Premium (v7), G Data (AVK) Total Care 2008, BitDefender Internet Security 2008 (v10), BullGuard Internet Security 7.0, Kaspersky Internet Security 7.0, McAfee Internet Security 2007 (the 2008 version is not yet released), Symantec Norton 360, Microsoft OneCare 1.6, Panda Internet Security 2008 (v12), Trend Micro PC-cillin Internet Security 2007 (the 2008 version is not yet released).

The following scanners were able to detect and successfully remove the "Stoned.Angelina" critter on Windows XP and Vista:

G Data (AVK) Total Care 2008

BitDefender Internet Security 2008 (v10)

Kaspersky Internet Security 7.0

The following tools were able to detect and report the infection, but unable to handle it:

BullGuard Internet Security 7.0 (updated information from BullGuard, here).

McAfee Internet Security 2007

Trend Micro PC-cillin Internet Security 2007

Avira AntiVir Personal Premium (v7) -- BUT the scan of the system areas (master boot record) is disabled by default, so it has to be enabled or AntiVir wouldn't report anything, as it's not scanning this sector.

Two of the tools were able to successfully report and clean the virus on Windows XP, but they shred the system area when disinfecting a Windows Vista based system after the infection was found — this means that Vista wouldn’t start anymore after a "successful" cleaning and it has to be repaired (e.g. by booting from the installation DVD and selecting the option to repair the system; see the BullGuard website link above for details):

Symantec Norton 360

Panda Internet Security 2008 (v12) -- BUT you need to start the tool with administrator rights or disable User Account Control (UAC), or Panda won't be able to scan for the virus on disk and will report the system as clean, even though it is indeed infected.

This leaves one tool -- Microsoft OneCare 1.6 -- which is completely unable to scan for boot viruses on disk (tested on Windows XP and Vista), so the user wouldn't get a notification that his system is infected. As nothing is found, nothing can be removed, of course.
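The notes above make two practical points: the virus lives in the system area of the disk (the master boot record), and several of the tested products either do not look there by default or cannot look there without administrator rights. One defender-side check that does not depend on any vendor's signature is to baseline the boot code of the MBR and alert when it changes. The following Python script is an added illustration written for this page; it is not code from the original post, from Medion, BullGuard, or any of the products tested. The 512-byte MBR images and the partition table it uses are constructed samples (they are not a real Stoned.Angelina sector), and the function names are my own.

```python
import hashlib
import struct

MBR_SIZE = 512
PT_OFFSET = 446      # partition table: 4 entries x 16 bytes
SIG_OFFSET = 510     # boot signature 0x55 0xAA


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR image: given boot code, padded to 446 bytes,
    plus a made-up partition table with one active type-0x07 partition."""
    code = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    # status=0x80 (active), CHS start, type=0x07, CHS end, LBA start=63, size=2097152 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 63, 2097152)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return code + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot code, partition entries and signature state."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:                     # skip empty entries
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:PT_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[SIG_OFFSET:] == b"\x55\xaa",
    }


def make_baseline(sector: bytes) -> dict:
    """Record what a known-clean MBR looks like: a hash of the boot code
    (the part a boot virus overwrites) and the parsed partition table."""
    info = parse_mbr(sector)
    return {"boot_code_sha256": hashlib.sha256(info["boot_code"]).hexdigest(),
            "partitions": info["partitions"]}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against the baseline; return a list of findings
    (empty list means no change detected)."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if hashlib.sha256(info["boot_code"]).hexdigest() != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline: possible boot-sector modification")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


# Constructed sample images (not real boot code): a "clean" MBR used for the
# baseline, and a copy whose boot code has been replaced while the partition
# table is left untouched, which is the pattern a boot virus that keeps the
# system bootable would produce.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CONSTRUCTED-CLEAN-BOOT-CODE")
MODIFIED_MBR = build_sample_mbr(b"\xea\x05\x00\xc0\x07" + b"CONSTRUCTED-REPLACEMENT-CODE")
BASELINE = make_baseline(CLEAN_MBR)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("modified", MODIFIED_MBR)):
        print(name, check_mbr(image, BASELINE) or "no change detected")
```

On a live system the 512 bytes would be read from the raw disk device (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux), which requires administrator or root rights, the same requirement Marx ran into with Panda under UAC. The comparison is deliberately restricted to the boot code: a boot virus that leaves the machine bootable has to keep the partition table intact, so hashing the whole sector would not change what is detected, while hashing only the code region means a later, legitimate partition edit does not mask a boot code change.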