From: karyn@cheetah.llnl.gov (Karyn Pichnarczyk)
Newsgroups: comp.virus
Subject: CIAC Bulletin C-15: Michelangelo Virus (PC)

NO RESTRICTIONS

_____________________________________________________
        The Computer Incident Advisory Capability
                      C I A C
_____________________________________________________

                  Information Bulletin

          Michelangelo Virus on MS DOS Computers

February 6, 1992, 1400 PDT                                    Number C-15
_________________________________________________________________________

Name:          Michelangelo virus
Platform:      MS-DOS computers
Damage:        On March 6 of any year, overwrites the disk from which the
               infected machine is booted, destroying all data on it.
Symptoms:      CHKDSK reports "total bytes memory" 2048 bytes less than
               expected
Detection:     DDI Data Physician Plus! v 3.0C, FPROT 2.01, other anti-viral
               packages updated since late September 1991
Eradication:   DDI Data Physician Plus! v 3.0C, FPROT 2.01, other anti-viral
               packages updated since late September 1991
_________________________________________________________________________

Critical Facts about Michelangelo Virus

The Michelangelo virus, one of the most widespread viruses among MS DOS
systems, infects the Master Boot Record of hard disks and the boot sector of
floppy disks. On March 6 (Michelangelo's birthday) it destroys the disk the
machine was booted from. It infects very rapidly and quietly, usually showing
no indication of its presence until a virus detection utility notes its
existence.

Infection Mechanism

This virus is very similar to the Stoned family of viruses (see CIAC Bulletin
A-28 for a description of the Stoned virus). When a Michelangelo-infected
diskette is left in the A: drive and the machine is booted, the BIOS executes
the diskette's boot sector and the virus is loaded into memory from the
infected floppy disk. It then quickly infects the machine by moving the hard
disk's original Master Boot Record to another location on the disk and
installing itself as the boot sector in its place. From then on, any access
to another disk spreads the virus to that disk.
The diskette which infects the hard disk does NOT have to be a bootable system
diskette to spread the infection: its boot sector is executed by the BIOS
before DOS is ever loaded, so an ordinary data diskette left in drive A: is
enough. Also, boot infector viruses such as this one do NOT alter user files
when they infect a disk; only the boot sector or Master Boot Record is
changed. A backup made prior to eradication will therefore enable full
recovery of all user data and programs.

Potential Damage

On March 6 of any year this virus will destroy all data on any disk from which
the machine is booted. It does this by overwriting hard disk sectors 1-17,
heads 0-3, tracks 0-255, or the entire diskette, with random characters,
making recovery questionable at best. On a hard disk that region holds the
Master Boot Record and partition table, the DOS boot sector, the file
allocation tables and the root directory as well as the first several
megabytes of data, so even data beyond the overwritten area is no longer
reachable as files. Note that if your hard disk is partitioned and contains
another operating system, such as UNIX, in the area overwritten, that data
will be destroyed as well. On all other days of the year this virus lies
dormant, merely copying itself to other disks.

The infection mechanism of this virus may also cause read errors to occur on
some high density (1.2 MB) diskettes.

A problem can occur if a disk is infected by both the Michelangelo and the
Stoned viruses AT THE SAME TIME. Both move the original boot sector to the
same location on the disk. When the second virus infects, it saves the boot
sector it finds, which is already the first virus's code, over that location,
so the clean original boot sector is destroyed. CIAC recommends a low-level
format of the disk if this double infection occurs, although performing the
DOS SYS operation may repair a damaged diskette, and performing the
undocumented FDISK /MBR operation (DOS 5.0 only) may repair a damaged hard
disk: FDISK /MBR rewrites the master boot code but leaves the partition table
in place, and the partition table is the one part of the sector that both
viruses also leave intact.

Detection and Eradication

Because the Michelangelo virus has been discovered relatively recently, only
anti-virus products updated since early autumn of 1991 will detect it. If you
suspect your PC has this virus and do not have an updated version of a virus
scanner, running CHKDSK will report a "total bytes memory" value 2048 bytes
less than expected, because the memory-resident virus reserves 2 KB of
conventional memory for itself. For example, a PC with 640 KBytes of memory
will normally return a value of 655,360 bytes; with Michelangelo that value
would be 653,312.
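The overwrite region in the Potential Damage section is given in CHS terms. The following Python script, added here and not part of the bulletin, maps that region onto LBA for a given disk geometry and reports how many sectors of each partition in a constructed MBR fall inside it, which is the check behind the warning about a UNIX partition in the overwritten area. The disk geometry (612 cylinders, 4 heads, 17 sectors per track), the two partitions and their type codes are constructed sample data, not taken from the bulletin.

```python
"""Map the Michelangelo March-6 overwrite region onto a partition table.

Added example, not part of the CIAC bulletin. It takes the hard-disk region
the bulletin gives (sectors 1-17, heads 0-3, tracks 0-255), maps it onto LBA
for a given disk geometry, and reports how many sectors of each partition in
a constructed MBR fall inside it. Geometry, partitions and type codes below
are constructed sample data, not a real disk.
"""
import struct

# Overwrite region from the bulletin, in CHS terms (sectors are 1-based).
PAYLOAD_CYLINDERS = range(0, 256)
PAYLOAD_HEADS = range(0, 4)
PAYLOAD_MAX_SECTOR = 17


def chs_to_lba(cyl, head, sector, heads, spt):
    """Standard CHS -> LBA for a disk with `heads` heads and `spt` sectors per track."""
    return (cyl * heads + head) * spt + (sector - 1)


def encode_chs(cyl, head, sector):
    """Pack CHS into the 3-byte MBR form: head, (cyl bits 8-9 | sector), cyl bits 0-7."""
    return bytes([head, ((cyl >> 2) & 0xC0) | (sector & 0x3F), cyl & 0xFF])


def build_mbr(entries):
    """Construct a 512-byte MBR from (status, type, chs_start, chs_end, lba_start, lba_count)."""
    mbr = bytearray(512)
    for i, (status, typ, chs_start, chs_end, lba_start, lba_count) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off] = status
        mbr[off + 1:off + 4] = encode_chs(*chs_start)
        mbr[off + 4] = typ
        mbr[off + 5:off + 8] = encode_chs(*chs_end)
        struct.pack_into("<II", mbr, off + 8, lba_start, lba_count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_partitions(mbr):
    """Yield (index, type, lba_start, lba_count) for each non-empty table entry."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR")
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        if entry[4] == 0:          # type 0: unused slot
            continue
        lba_start, lba_count = struct.unpack_from("<II", entry, 8)
        yield i, entry[4], lba_start, lba_count


def overwritten_sectors(lba_start, lba_count, heads, spt):
    """Count the sectors of one partition that lie in the overwrite region.

    The region is sectors 1-17 of every track with cylinder <= 255 and
    head <= 3. On a disk with more heads or more sectors per track the rest
    of each cylinder survives, so the geometry is needed to map it onto LBA.
    """
    first, last = lba_start, lba_start + lba_count - 1
    hit = 0
    for cyl in PAYLOAD_CYLINDERS:
        for head in PAYLOAD_HEADS:
            if head >= heads:
                break
            lo = chs_to_lba(cyl, head, 1, heads, spt)
            hi = chs_to_lba(cyl, head, min(spt, PAYLOAD_MAX_SECTOR), heads, spt)
            overlap = min(hi, last) - max(lo, first) + 1
            if overlap > 0:
                hit += overlap
    return hit


def damage_report(mbr, heads, spt):
    """Map partition index -> (type, sectors overwritten, sectors total)."""
    return {i: (typ, overwritten_sectors(start, count, heads, spt), count)
            for i, typ, start, count in parse_partitions(mbr)}


# Constructed sample disk: 612 cylinders, 4 heads, 17 sectors/track (about 20 MB),
# a DOS partition (type 0x04) followed by a SysV-style UNIX partition (type 0x63).
HEADS, SPT = 4, 17
DOS_START, DOS_END = (0, 1, 1), (199, 3, 17)
UNIX_START, UNIX_END = (200, 0, 1), (611, 3, 17)


def sample_mbr():
    def span(start, end):
        first = chs_to_lba(*start, HEADS, SPT)
        last = chs_to_lba(*end, HEADS, SPT)
        return first, last - first + 1

    dos, unix = span(DOS_START, DOS_END), span(UNIX_START, UNIX_END)
    return build_mbr([(0x80, 0x04, DOS_START, DOS_END, *dos),
                      (0x00, 0x63, UNIX_START, UNIX_END, *unix)])


if __name__ == "__main__":
    for i, (typ, hit, total) in damage_report(sample_mbr(), HEADS, SPT).items():
        print(f"partition {i} (type 0x{typ:02X}): {hit} of {total} sectors overwritten")
```

On the sample geometry the DOS partition (cylinders 0-199) is overwritten completely and the UNIX partition loses its first 56 cylinders, because it begins at cylinder 200 and the payload runs through cylinder 255. A partition that starts at cylinder 256 or beyond is not touched, and on a disk with more than 4 heads or more than 17 sectors per track the remainder of each cylinder survives, which is why the geometry is a parameter rather than a constant.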
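The following Python simulation, added here and not part of the bulletin or of any CIAC tool, models the infection step described above (original boot sector copied aside, virus installed in its place with the partition table kept) and then the Stoned plus Michelangelo double infection, to show why putting the saved copy back fails after a double infection while an FDISK /MBR-style rewrite of the boot code still works. The "virus code" and boot code are constructed tag bytes, not real virus code. The stash sector (LBA 6, i.e. cylinder 0, head 0, sector 7) is an assumption for the simulation: the bulletin says only that both viruses use the same location, and the result does not depend on which sector that is.

```python
"""Simulate Stoned-style MBR infection and the Stoned + Michelangelo double
infection described in the bulletin.

Added example, not code from the bulletin or from CIAC. The disk, the
partition table and the "virus code" are constructed stand-in bytes; no real
virus code is used. STASH_LBA is assumed (the bulletin says only "the same
location"); the outcome depends only on both viruses sharing it.
"""
import struct

SECTOR = 512
STASH_LBA = 6                  # assumed: cylinder 0, head 0, sector 7
BOOT_CODE_END = 446            # the 64-byte partition table starts here
SIG = b"\x55\xAA"

# Constructed stand-ins for boot code: a recognisable tag padded with NOPs is
# enough to track which loader currently occupies sector 0.
CLEAN_BOOT_CODE = b"CLEAN-DOS-MBR-LOADER".ljust(BOOT_CODE_END, b"\x90")
VIRUS_CODE = {
    "Stoned": b"VIRUS-1-STONED-LIKE".ljust(BOOT_CODE_END, b"\x90"),
    "Michelangelo": b"VIRUS-2-MICHELANGELO-LIKE".ljust(BOOT_CODE_END, b"\x90"),
}
# Constructed partition table: one active DOS partition (type 0x04) starting
# at CHS (0,1,1) / LBA 17 and ending at CHS (199,3,17), three empty slots.
PARTITION_TABLE = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x04,
                              b"\x03\x11\xC7", 17, 13583) + bytes(48)


def make_mbr(boot_code, partition_table):
    assert len(boot_code) == BOOT_CODE_END and len(partition_table) == 64
    return boot_code + partition_table + SIG


def new_disk(n_sectors=64):
    """A tiny disk image: a list of sector buffers, sector 0 a clean MBR."""
    disk = [bytes(SECTOR) for _ in range(n_sectors)]
    disk[0] = make_mbr(CLEAN_BOOT_CODE, PARTITION_TABLE)
    return disk


def infect(disk, name):
    """Model the hard-disk infection step of both viruses: copy whatever is in
    sector 0 to the stash sector, then overwrite sector 0 with the virus
    loader while keeping the partition table and signature, so the disk still
    boots and looks normal. Neither virus checks whether the stash already
    holds something it should not overwrite."""
    disk[STASH_LBA] = disk[0]
    disk[0] = make_mbr(VIRUS_CODE[name], disk[0][BOOT_CODE_END:BOOT_CODE_END + 64])


def boot_code_owner(sector):
    """Name the stand-in loader occupying the boot code area of a sector."""
    code = sector[:BOOT_CODE_END]
    if code == CLEAN_BOOT_CODE:
        return "clean"
    for name, body in VIRUS_CODE.items():
        if code == body:
            return name
    return "unknown"


def repair_from_stash(disk):
    """Naive cleanup: put the 'saved original' back. Correct only if the stash
    really holds a clean MBR."""
    disk[0] = disk[STASH_LBA]


def repair_rewrite_boot_code(disk):
    """FDISK /MBR-style cleanup: write a known-good loader, keep the partition
    table already in sector 0."""
    disk[0] = make_mbr(CLEAN_BOOT_CODE, disk[0][BOOT_CODE_END:BOOT_CODE_END + 64])


def run_scenario(infections, repair):
    """Infect a fresh disk in the given order, apply one repair, report state."""
    disk = new_disk()
    for name in infections:
        infect(disk, name)
    infected_with = boot_code_owner(disk[0])
    stash_holds = boot_code_owner(disk[STASH_LBA])
    repair(disk)
    return {
        "infected_with": infected_with,
        "stash_holds": stash_holds,
        "after_repair": boot_code_owner(disk[0]),
        "partition_table_intact": disk[0][BOOT_CODE_END:BOOT_CODE_END + 64] == PARTITION_TABLE,
        "signature_ok": disk[0][510:] == SIG,
    }


if __name__ == "__main__":
    print(run_scenario(["Stoned"], repair_from_stash))
    print(run_scenario(["Stoned", "Michelangelo"], repair_from_stash))
    print(run_scenario(["Stoned", "Michelangelo"], repair_rewrite_boot_code))
```

With a single infection the stash holds the clean MBR and restoring it works. After the double infection the stash holds the first virus's loader, so restoring it leaves the disk infected with Stoned; rewriting the boot code while keeping the partition table cleans sector 0 in both cases, which is the property the bulletin relies on when it suggests FDISK /MBR for a damaged hard disk.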
Of course, having less "total bytes memory" does not necessarily mean a virus
is resident on your machine, as some valid memory resident programs can affect
this value as well.

CIAC is aware of at least two publicized cases of this virus being
inadvertently distributed by vendors. The vendors involved are Leading Edge
and DaVinci Systems; both vendors have made an attempt to contact all
recipients of the software involved. CIAC stresses the importance of checking
all incoming diskettes with an anti-viral utility, such as VIRHUNT from DDI's
Data Physician Plus! package.

CIAC recommends that once a system has had a virus eradicated, it be powered
down so that no copy of the virus remains resident in memory. The computer
should then be observed closely throughout the entire boot-up process, and
another virus scan should be performed on the machine to ensure that it is
devoid of any virus.

For additional information or assistance, please contact CIAC:

    Karyn Pichnarczyk
    (510) 422-1779 or (FTS) 532-1779
    karyn@cheetah.llnl.gov
    (FAX) (510) 423-8002 or (FTS) 543-8002

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193 / (FTS) 532-8193.

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Some of the other
teams include the NASA NSI response team, DARPA's CERT/CC, NAVCIRT, and the
Air Force response team. Your agency's team will coordinate with CIAC.

Neither the United States Government nor the University of California nor any
of their employees makes any warranty, expressed or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or represents
that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation, or favoring by the United
States Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government nor the University of California, and shall not be
used for advertising or product endorsement purposes.

--- Fred-Uf 1.8(L)[BETA]
 * Origin: Megabyte BBS, UUCP, Fidonet, IMEx, total messaging (1:340/201.0)
SEEN-BY: 340/201 1000 688/13