False Stoned virus detections in Bitcoin files are widespread

Some joker stuffed the virus signature into the return address for a Bitcoin transaction, leading to Stoned virus detections when transactions are stored on disk.

Researcher Didier Stevens is reporting on his blog that he has confirmed the reports of anti-virus false positive detections in Bitcoin files. Stevens submitted samples to VirusTotal and received positive detections from several products, including those of many respectable vendors like Symantec, Sophos and Trend Micro.


The programs are detecting the Stoned virus, an ancient boot sector virus created in 1987. A user report of the problem to Microsoft in May correctly notes that the detection is in error and that it appears to be the result of a prank: someone inserted the virus signature as a string associated with a transaction. Stevens identified two transactions, both dated 4/4/2014, but he thinks there are others.

As Stevens explains: "[s]tuffing messages in the address of the output(s) of a transaction is a well-known method to insert messages in the Bitcoin blockchain." The string does not contain an executable virus, nor would it ever be executed even if it were code.
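For triage of such a hit, the following added example (not code from Stevens or from any vendor) maps a scanner match offset inside a serialized transaction to the field that contains it, showing that the matched bytes are the 20-byte "address" data of an output. The marker bytes, the sample transaction and all function names are constructed for illustration; only legacy (pre-SegWit) serialization and pay-to-pubkey-hash outputs are handled.

```python
import struct

MARKER = b"CONSTRUCTED-MARKER!!"  # constructed 20-byte stand-in for a scanner pattern

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def field_spans(raw):
    """Map a legacy serialized transaction to (name, start, end) spans."""
    spans, pos = [("version", 0, 4)], 4
    n_in, pos = read_varint(raw, pos)
    for i in range(n_in):
        slen, script_at = read_varint(raw, pos + 36)
        spans += [(f"in[{i}].prevout", pos, pos + 36),
                  (f"in[{i}].scriptSig", script_at, script_at + slen)]
        pos = script_at + slen + 4  # skip the 4-byte sequence number
    n_out, pos = read_varint(raw, pos)
    for i in range(n_out):
        slen, script_at = read_varint(raw, pos + 8)  # 8-byte value precedes the script
        script = raw[script_at:script_at + slen]
        # P2PKH: OP_DUP OP_HASH160 PUSH20 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
        if slen == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
            spans.append((f"out[{i}].address_hash", script_at + 3, script_at + 23))
        else:
            spans.append((f"out[{i}].scriptPubKey", script_at, script_at + slen))
        pos = script_at + slen
    if pos + 4 != len(raw):  # only the 4-byte locktime may remain
        raise ValueError("not a complete legacy transaction")
    return spans

def fields_for_hit(raw, start, length):
    """Names of the fields overlapped by a scanner match at raw[start:start+length]."""
    return [n for n, s, e in field_spans(raw) if s < start + length and start < e]

def build_sample_tx():
    """Constructed sample: one dummy input, two P2PKH outputs, MARKER as one 'address'."""
    tx = struct.pack("<I", 1) + b"\x01" + bytes(36) + b"\x00" + b"\xff" * 4 + b"\x02"
    for addr_hash in (MARKER, bytes(range(20))):
        script = b"\x76\xa9\x14" + addr_hash + b"\x88\xac"
        tx += struct.pack("<Q", 1) + bytes([len(script)]) + script
    return tx + bytes(4)  # locktime

if __name__ == "__main__":
    raw = build_sample_tx()
    hit = raw.find(MARKER)
    print(hit, fields_for_hit(raw, hit, len(MARKER)))
```

A match that resolves only to `address_hash` spans lies in bytes the Bitcoin client stores and compares as data, which is the situation the article describes.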

As the Microsoft description says, Stoned is ancient. I recall cleaning up a major outbreak in a project I was running in 1990. In those days boot sector viruses were a more serious problem. Now the actual Stoned virus doesn't do any real damage, but just displays "YOUR COMPUTER HAS BEEN STONED" on one of every eight computer startups.