-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL                                     Index  :    S-92-02
Distribution  : SURFnet aangesloten instellingen            Page   :          1
Classification: External                                    Version:      final
Subject       : Michelangelo PC Virus          Date   :  06-feb-92
===============================================================================


CERT-NL (SURFnet Computer Emergency Response Team) has received
information concerning a security problem in MS-DOS/PC-DOS

CERT-NL wishes to thank CERT/CC for bringing this to our attention.

===========================================================================
CA-92:02                        CERT Advisory
               February 6, 1992
                         Michelangelo PC Virus Warning

- ---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a personal computer virus known as
Michelangelo.  The virus affects IBM PCs and compatibles.  A description
of the virus, along with suggested countermeasures, is presented below.

- ---------------------------------------------------------------------------

I.   Description

     The Michelangelo virus is a computer virus that affects PCs
     running MS-DOS (and PC-DOS, DR-DOS, etc.) versions 2.xx and
     higher.  Note, however, that although the virus can only execute
     on PCs running these versions of DOS, it can infect and damage PC
     hard disks containing other PC operating systems including UNIX,
     OS/2, and Novell.  Thus, booting an infected DOS floppy disk on
     a PC that has, for example, UNIX on the hard disk would infect
     the hard disk and would probably prevent the UNIX disk from
     booting.  The virus infects floppy disk boot sectors and hard
     disk master boot records (MBRs).  When the user boots from an
     infected floppy disk, the virus installs itself in memory and
     infects the partition table of the first hard disk (if found).
     Once the virus is installed, it will infect any floppy disk that
     the user accesses.

     Some possible, though not conclusive, symptoms of the
     Michelangelo virus include a reduction in free/total memory by
     2048 bytes, and some floppy disks that become unusable or display
     "odd" graphic characters during "DIR" commands.  Additionally,
     integrity management products should report that the MBR has been
     altered.

     Note that the Michelangelo virus does not display any messages on
     the PC screen at any time.

II.  Impact

     The Michelangelo virus triggers on any March 6.  On that date,
     the virus overwrites critical system data, including boot and
     file allocation table (FAT) records, on the boot disk (floppy or
     hard), rendering the disk unusable.  Recovering user data from a
     disk damaged by the Michelangelo virus will be very difficult.

III. Solution 

     Many versions of anti-virus software released after approximately
     October 1991 will detect and/or remove the Michelangelo virus.
     This includes numerous commercial, shareware, and freeware
     software packages.  Since this virus was first detected around
     the middle of 1991 (after March 6, 1991), it is crucial to use
     current versions of these products, particularly those products
     that search systems for known viruses.
        
     The CERT/CC has not formally reviewed, evaluated, or endorsed any
     of the anti-virus products.  While some older anti-virus products
     may detect this virus, the CERT/CC strongly suggests that sites
     verify with their anti-virus product vendors that their product
     will detect and eradicate the Michelangelo virus.

     The CERT/CC advises that all sites test for the presence of this
     virus before March 6, which is the trigger date.  If an infection
     is discovered, it is essential that the user examine all floppy
     disks that may have come in contact with an infected machine.

     As always, the CERT/CC strongly urges all sites to maintain good
     backup procedures.

- ---------------------------------------------------------------------------

The CERT/CC wishes to thank for their assistance: Mr. Christoph
Fischer of the Micro-BIT Virus Center (Germany), Dr. Klaus Brunnstein
of the Virus Test Center (Germany), Mr. A. Padgett Peterson, P.E., of
the Technical Computing Center at Martin-Marietta Corp., and Mr. Steve
R. White of IBM's Thomas J. Watson Research Center.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 (24-hour hotline)
           CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
           on call for emergencies during other hours.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous ftp
from cert.sei.cmu.edu (192.88.209.5).

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6V8zSYjBqwfc9jEQJzRwCdGUK7y3feOE8ER/3rUkQ5gikI/M8An00l
qXp6BmGy+QQKRLoiqenAmcEh
=ALvk
-----END PGP SIGNATURE-----