I was infected by the Jerusalem virus and disinfected the infected files with my favorite anti-virus program. However, WordPerfect and some other programs still refuse to work. Why?

The Jerusalem virus and WordPerfect 4.2 program combination is an example of a virus and program that cannot be completely disinfected by an anti-virus tool. In some cases such as this one, the virus will destroy code by overwriting it instead of appending itself to the file. The only solution is to re-install the programs from clean (non-infected) backups or distribution media. (See question D10.)

I was told that the Stoned virus displays the text "Your PC is now Stoned" at boot time. I have been infected by this virus several times, but have never seen the message. Why?

The "original" Stoned message was ".Your PC is now Stoned!", where the "." represents the "bell" character (ASCII 7 or "PC speaker beep"). The message is displayed with a probability of 1 in 8 only when a PC is booted from an infected diskette. When booting from an infected hard disk, Stoned never displays this message.

Recently, versions of Stoned with no message whatsoever or only the leading bell character have become very common. These versions of Stoned are likely to go unnoticed by all but the most observant, even when regularly booting from infected diskettes.

Contrary to some reports, the Stoned virus does NOT display the message "LEGALISE MARIJUANA", although such a string is quite clearly visible in the boot sectors of diskettes infected with the "original" version of Stoned in "standard" PCs.

I was infected by both Stoned and Michelangelo. Why has my computer become unbootable? And why, each time I run my favorite scanner, does it find one of the viruses and say that it is removed, but when I run it again, it says that the virus is still there?

These two viruses store the original Master Boot Record at one and the same place on the hard disk. They do not recognize each other, and therefore a computer can become infected with both of them at the same time.

The first of these viruses that infects the computer will overwrite the Master Boot Record with its body and store the original MBR at a certain place on the disk. So far, this is normal for a boot-record virus. But if now the other virus infects the computer too, it will replace the MBR (which now contains the virus that has come first) with its own body, and store what it believes is the original MBR (but in fact is the body of the first virus) AT THE SAME PLACE on the hard disk, thus OVERWRITING the original MBR. When this happens, the contents of the original MBR are lost. Therefore the disk becomes non-bootable.

When a virus removal program inspects such a hard disk, it will see the SECOND virus in the MBR and will try to remove it by overwriting it with the contents of the sector where this virus normally stores the original MBR. However, now this sector contains the body of the FIRST virus. Therefore, the virus removal program will install the first virus in trying to remove the second. In all probability it will not wipe out the sector where the (infected) MBR has been stored.

When the program is run again, it will find the FIRST virus in the MBR. By trying to remove it, the program will get the contents of the sector where this virus normally stores the original MBR, and will move it over the current (infected) MBR. Unfortunately, this sector still contains the body of the FIRST virus. Therefore, the body of this virus will be re-installed over the MBR ad infinitum.

There is no easy solution to this problem, since the contents of the original MBR are lost. The only solution for the anti-virus program is to detect that there is a problem, and to overwrite the contents of the MBR with a valid MBR program, which the anti-virus program will have to carry with itself. If your favorite anti-virus program is not that smart, consider replacing it with a better one, or just boot from a write-protected uninfected DOS 5.0 diskette, and execute the program FDISK with the option /MBR. This will re-create the executable code in the MBR without modifying the partition table data.

In general, infection by multiple viruses of the same file or area is possible and vital areas of the original may be lost. This can make it difficult or impossible for virus disinfection tools to be effective, and replacement of the lost file/area will be necessary.
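
The Stoned/Michelangelo loop described above, as a toy Python model. This is an added example, not part of the original FAQ or of any anti-virus product; the sector numbers, labels, function names and the choice of Stoned as the first infector are constructed for illustration.

```python
# Toy model: a "disk" is a dict of sector number -> label describing its contents.
MBR = 0
SAVE = 7  # constructed slot number; the FAQ only says both viruses use "the same place"

CLEAN_MBR = "clean-mbr"
GENERIC_MBR = "generic-mbr-code"  # valid boot code the tool carries with itself
VIRUSES = {"stoned", "michelangelo"}


def infect(disk, virus):
    """Boot-record infector: stash the current MBR in SAVE, then take over the MBR."""
    disk[SAVE] = disk[MBR]
    disk[MBR] = virus


def naive_disinfect(disk):
    """Copy the saved sector back over the MBR without inspecting it."""
    if disk[MBR] not in VIRUSES:
        return None
    removed = disk[MBR]
    disk[MBR] = disk[SAVE]
    return removed


def careful_disinfect(disk):
    """Restore from SAVE only if it is not a virus body; else write generic MBR code."""
    if disk[MBR] not in VIRUSES:
        return None
    removed = disk[MBR]
    saved = disk[SAVE]
    disk[MBR] = GENERIC_MBR if saved in VIRUSES else saved
    return removed


def double_infected():
    """Clean disk hit by Stoned, then Michelangelo: the original MBR is overwritten."""
    disk = {MBR: CLEAN_MBR, SAVE: "empty"}
    infect(disk, "stoned")
    infect(disk, "michelangelo")
    return disk


def naive_runs(n=3):
    """What the naive tool reports as 'removed' on n consecutive runs."""
    disk = double_infected()
    return [naive_disinfect(disk) for _ in range(n)]
```

Calling naive_runs() shows the second virus reported once and the first virus reported on every run after that, while careful_disinfect() ends the loop on its first pass.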
