Submitted Successfully!
To reward your contribution, here is a gift for you: A free trial for our video production service.
Thank you for your contribution! You can also upload a video entry or images related to this topic.
Version Summary Created by Modification Content Size Created at Operation
1 handwiki -- 997 2022-11-03 01:32:35

Video Upload Options

Do you have a full video?


Are you sure to Delete?
If you have any further questions, please contact Encyclopedia Editorial Office.
HandWiki. Stoned (Computer Virus). Encyclopedia. Available online: (accessed on 23 June 2024).
HandWiki. Stoned (Computer Virus). Encyclopedia. Available at: Accessed June 23, 2024.
HandWiki. "Stoned (Computer Virus)" Encyclopedia, (accessed June 23, 2024).
HandWiki. (2022, November 03). Stoned (Computer Virus). In Encyclopedia.
HandWiki. "Stoned (Computer Virus)." Encyclopedia. Web. 03 November, 2022.
Stoned (Computer Virus)

Stoned is a boot sector computer virus created in 1987. It is one of the first viruses and is thought to have been written by a student in Wellington, New Zealand. By 1989 it had spread widely in New Zealand and Australia, and variants became very common worldwide in the early 1990s. A computer infected with the original version had a one in eight probability that the screen would declare: "Your PC is now Stoned!", a phrase found in infected boot sectors of infected floppy disks and master boot records of infected hard disks, along with the phrase "Legalise Marijuana". Later variants produced a range of other messages.

computer virus marijuana viruses

1. Original Version

The original "Your computer is now stoned. Legalise Marijuana" was thought to have been written by a student in Wellington, New Zealand.[1][2]

This initial version appears to have been written by someone with experience only with IBM PC 360KB floppy drives, as it misbehaves on the IBM AT 1.2MB floppy, or on systems with more than 96 files in the root directory. On higher capacity disks, such as 1.2 MB disks, the original boot sector may overwrite a portion of the directory.

The message displays if the boot time was exactly divisible by 8. On many IBM PC clones at the time, boot times could vary, so the message would display randomly (1 time in 8). On some IBM PC compatible machines or on original IBM PC computers, the boot time was constant, so an infected computer would either never display the message or always display the message. An infected computer with a 360K disk and a 20MB or less hard disk, which never displayed the message was one of the first examples of an asymptomatic virus carrier, which would work with no impediment to its function, but which would infect any disks inserted into it.

On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 7. On floppy disks, the original boot sector is moved to cylinder 0, head 1, sector 3, which is the last directory sector on 360 kB disks. The virus will "safely" overwrite the boot sector if the root directory has no more than 96 files.

The PC was typically infected by booting from an infected diskette. Computers, at the time, would default to booting from the A: diskette drive if it had a diskette. The virus was spread when a floppy diskette was accessed with an infected computer. That diskette was now, itself, a source for further spread of the virus. This was much like a recessive gene - difficult to eliminate - because a user could have any number of infected diskettes and yet not have their systems infected with the virus unless they inadvertently boot from an infected diskette. Cleaning the computer without cleaning all diskettes left the user susceptible to a repeat infection. The method also furthered the spread of the virus in that borrowed diskettes, if placed into the system, were now able to carry the virus to a new host.

2. Variants

The virus image is very easily modified (patched); in particular a person with no knowledge of programming can alter the message displayed. Many variants of Stoned circulated, some only with different messages.

2.1. Beijing, Bloody!

The virus has the string "Bloody! Jun. 4, 1989". On this date, the Tiananmen Square protests were suppressed by the People's Republic of China.

2.2. Swedish Disaster

The virus has the string "The Swedish Disaster".

2.3. Manitoba

Manitoba has no activation routine and does not store the original boot sector on floppies; Manitoba simply overwrites the original boot sector. 2.88MB EHD floppies are corrupted by the virus.

Manitoba uses 2KB memory while resident.

2.4. NoInt, Bloomington, Stoned III

NoInt tries to stop programs from detecting it. This causes read errors if the computer tries to access the partition table. Systems infected with NoInt have a decrease of 2 kB in base memory.

Flame, Stamford

A variant of Stoned was called Flame (later unrelated sophisticated malware was given the same name). The early Flame uses 1 kB of DOS memory. It stores the original boot sector or master boot record at cylinder 25, head 1, sector 1 regardless of the media.

Flame saves the current month of the system when it is infected. When the month changes, Flame displays colored flames on the screen and overwrites the master boot record.


Angelina has stealth mechanisms. On hard disks, the original master boot record is moved to cylinder 0, head 0, sector 9.

Angelina contains the following embedded text, not displayed by the virus: "Greetings from ANGELINA!!!/by Garfield/Zielona Gora" (Zielona Góra is a town in Poland).

  • In October 1995 Angelina was discovered in new factory-sealed Seagate Technology 5850 (850MB) IDE drives.[3]
  • In 2007 a batch of Medion laptops sold through the Aldi supermarket chain appeared to be infected with Angelina.[4] A Medion press release explained that the virus was not really present; rather, it was a spurious warning caused by a bug in the pre-installed antivirus software, Bullguard. A patch was released to fix the error.[5] The Bullguard malfunction highlights one of the issues (along with loss of performance and frustrating pop-ups asking the user for money) of OEMs pre-installing what Microsoft internally referred to as "craplets" onto Windows PCs to make up for the licensing costs of Windows. A practice widely condemned in the tech media, even from reporters who are usually friendly to Microsoft.[6]

3. Bitcoin Blockchain Incident

On 15 May 2014, the signature of the Stoned virus was inserted into the bitcoin blockchain. This caused Microsoft Security Essentials to recognize copies of the blockchain as the virus, prompting it to remove the file in question, and subsequently forcing the node to reload the block chain from that point, continuing the cycle.[7][8]

Only the signature of the virus had been inserted into the blockchain; the virus itself was not there, and if it were, it would not be able to function.[9]

The situation was averted shortly thereafter, when Microsoft prevented the blockchain from being recognized as Stoned.[10] Microsoft Security Essentials did not lose the ability to detect a real instance of Stoned.


  1. "...a brief history of PC viruses.", IBM Research
  2. "The early days", History of Malware
  3. "Virus:Boot/Stoned". 
  4. "Boot virus shipped on German laptops". Virus Bulletin. 
  5. "Wichtige Produktinformation zum Notebook MD 96290". Medion AG. 2007-11-10. 
  6. "Beat it, bloatware: How to clean Superfish and other crap off your PC" (in en). 2015-02-19. 
  7. "Microsoft Security Essentials reporting false positives in the Bitcoin blockchain, constantly notifying users.". 
  8. tweet_btn(), Richard Chirgwin 18 May 2014 at 21:58. "Bitcoin blockchain allegedly infected by ancient 'Stoned' virus". 
  9. "A Virus Scare in the Blockchain: Traces of DOS "Stoned" Found • r/Bitcoin". 19 May 2014. 
  10. Wei, Wang. "Ancient 'STONED' Virus Signatures found in Bitcoin Blockchain". 
Subjects: Others
Contributor MDPI registered users' name will be linked to their SciProfiles pages. To register with us, please refer to :
View Times: 362
Entry Collection: HandWiki
Revision: 1 time (View History)
Update Date: 03 Nov 2022
Video Production Service