Copy Link
Add to Bookmark
Report
CIAC C-15
NO RESTRICTIONS
_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
Information Bulletin
Michelangelo Virus on MS DOS Computers
February 6, 1992, 1400 PDT Number C-15
_________________________________________________________________________
Name: Michelangelo virus
Platform: MS-DOS computers
Damage: On March 6 will destroy all files on infected disks and
diskettes that are accessed.
Symptoms: CHKDSK reports "total bytes memory" 2048 bytes less than
expected
Detection: DDI Data Physician Plus! v 3.0C, FPROT 2.01, other
anti-viral packages updated since late September 1991
Eradication: DDI Data Physician Plus! v 3.0C, FPROT 2.01, other
anti-viral packages updated since late September 1991
_________________________________________________________________________
Critical Facts about Michelangelo Virus
The Michelangelo virus, one of the most widespread viruses among MS
DOS systems, infects the Master Boot Record of hard disks and the boot
sector of floppy disks. This virus will destroy infected disks on
March 6 (Michelangelo's birthday). It infects very rapidly and
quietly, usually showing no indication of its presence until a virus
detection utility notes its existence.
Infection Mechanism
This virus is very similar to the Stoned family of viruses (see CIAC
Bulletin A-28 for a description of the Stoned virus). When a
Michelangelo-infected diskette is placed in the A: drive and the
machine is booted, the virus is loaded into memory from the infected
floppy disk. It then quickly infects the machine by moving the hard
disk's original boot sector to another location on the disk, and
installs itself as the boot sector. From then on, any access to
another disk spreads the virus to that disk. The disk which infects
the hard disk does NOT have to be a bootable system diskette to spread
the infection. Also, all boot infector viruses, such as this one, do
NOT affect user files, therefore, a backup prior to eradication will
enable full recovery of all user data and programs.
Potential Damage
On March 6 of any year this virus will destroy all data on any disk
from which the machine is booted. This occurs by overwriting hard
disk sectors 1-17, heads 0-3, tracks 0-255, or the entire diskette
with random characters, thus making recovery questionable at best.
Note that if your hard disk is partitioned and contains another
operating system, such as UNIX, in the area overwritten, that data
will be destroyed as well. On all other days of the year this virus
lays dormant, merely copying itself to other disks. The infection
mechanism of this virus may also cause read errors to occur upon some
high density (1.2 M) diskettes.
A problem can occur if a disk is infected by both the Michelangelo and
the Stoned viruses AT THE SAME TIME. Both move the 'original' boot
sector to the same location on the disk, so when the second infection
occurs, the original clean boot sector is destroyed by being
overwritten by the first virus. CIAC recommends a low-level format of
the disk if this double-infection occurs, although performing the
DOS SYS operation may repair a damaged diskette, and performing the
undocumented FDISK/MBR operation (in DOS 5.0 only) may repair a
damaged hard disk.
Detection and Eradication
Because the Michelangelo virus has been discovered relatively
recently, only anti-virus products updated since early autumn of 1991
will detect it. If you suspect your PC has this virus and do not have
an updated version of a virus scanner, running CHKDSK will report a
"total bytes memory" value 2048 bytes less than expected. For
example, a PC with 640 KBytes of memory will normally return a value
of 655,360 bytes, with Michelangelo that value would be 653,312. Of
course, having less "total bytes memory" does not necessarily mean a
virus is resident on your machine, as some valid memory resident
programs can affect this value as well.
CIAC is aware of at least two publicized cases of this virus being
inadvertently distributed by vendors. The vendors involved are
Leading Edge and DaVinci Systems; both vendors have made an attempt to
contact all recipients of the software involved.
CIAC stresses the importance of checking all incoming diskettes with
an anti-viral utility, such as VIRHUNT from DDI's Data Physician Plus!
package. CIAC recommends that once a system has had a virus
eradicated, it be powered down. The computer should then be observed
closely throughout the entire boot-up process. Another virus scan
should be performed on the machine to ensure that it is devoid of any
virus.
For additional information or assistance, please contact CIAC:
Karyn Pichnarczyk
(510) 422-1779 or (FTS) 532-1779
karyn@cheetah.llnl.gov
(FAX) (510) 423-8002 or (FTS) 543-8002
Send e-mail to ciac@llnl.gov or call CIAC at
(510)422-8193/(FTS)532-8193.
PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your
agency's team will coordinate with CIAC.
Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.
