nist03.txt
Posted Sep 23, 1999

SHA-256 | b31995868f24ee00eef8287eded72f64781ea7f23f60c61414755966b63ce25b

National Institute of Standards and Technology
Computer Security Division
==========================================================================
Security Information Notice
==========================================================================


February 19, 1992


Michelangelo Virus


This fact sheet describes a computer virus known as "Michelangelo", which
recently has been discovered and received attention in the news media. This
virus affects IBM-compatible personal computers and has a "trigger" date of
March 6 (Michelangelo's birthday), at which time it will cause significant
damage to the hard disk of an infected system. The virus has been reported
by a number of sites and there have been at least two cases in which it has
been inadvertently distributed on commercial software. However, there is no
way of knowing exactly how extensively the virus may have spread. It is,
therefore, only prudent for users of IBM-compatible personal computers to
take certain precautions -- if they are not already doing so on a regular
basis. This fact sheet provides information about the virus and steps that
can be taken to detect and eradicate it.

The Michelangelo virus is a variant of the Stoned virus. It is classified
as a "boot sector" virus, since it infects the "master boot record" of a
system's hard disk or the "boot record" of floppy disks. (These are
critical portions of a disk that load the operating system, DOS, when the
computer is powered up or re-booted.) This virus does not infect executable
files. However, it can infect and be transmitted on any formatted diskette
in an infected machine.

This virus has a trigger date of March 6, at which time the virus attempts
to overwrite vital areas of the hard disk. Additionally, disk File
Allocation Tables (FATs) may be damaged. If this happens and you don't have
a backup, recovery will be very tedious and, in most cases, not practical.

Backing Up Your System:
It is very important that you back up your system, regardless of whether it
is infected. To back up your system, boot from a floppy diskette that you
know to be non-infected (i.e., you have scanned this diskette with a scanner
that detects the Michelangelo virus) and then copy your files to other non-
infected diskettes.

Detecting the Michelangelo Virus:
The best way to detect this virus is to use a virus scanning program that
scans boot sector records. Most scanners scan boot records in addition to
files, but you should make sure your scanner is doing so. There are several
readily-available products whose most recent versions can detect the
Michelangelo virus. NIST does not evaluate or endorse anti-viral products
nor distribute anti-viral software.

While a scanner is recommended, the possible presence of the virus can be
determined without a scanner by using the standard DOS CHKDSK command. If
the virus is resident in a PC, CHKDSK reports 2048 bytes less memory than
on the uninfected system. On a 640K PC, DOS normally reports 655,360 bytes
"total bytes memory" on an uninfected system; on an infected system, the
value reported is 653,312. This is by no means a conclusive test. If you
use this method to check for the virus, the change in memory size should
disappear when you boot from a non-infected floppy, i.e., CHKDSK will then
report the true number of bytes in memory. However, use of an actual virus
scanner is recommended.

What to do if the Michelangelo Virus is Detected:
If your scanner program determines that the Michelangelo virus is present,
follow the vendor's instructions for removing the virus from your disk's
master boot record. If you have used CHKDSK instead of a scanner and CHKDSK
indicates that the virus may be present, use a scanner to verify. Before
rebooting your system, scan the system again to ensure that your system is
clean of all viruses - if your system is still infected with a virus, use
your anti-viral software to remove the virus. If your organization has a PC
support group, you should consult them and inform them of the problem.

It is possible to avoid damage by resetting the system date to something
other than March 6; however, this is a poor solution, since the virus would
still be present and spreading. It is recommended that you back up your
system, scan for the existence of the virus, and remove it.

If an infection of this or any other virus is detected, you should also
immediately inform your management, PC support, or security officer. The
presence of a virus could mean that many other systems in your organization
have also been infected.

Additional Technical Damage Information:
On March 6, the virus will begin to overwrite the disk from which the system
has been booted. It will overwrite heads 0-3, tracks 0-255 (if available),
sectors 1-9 on a 360 Kb floppy, 1-17 on a hard disk, and 1-14 on everything
else (e.g., a 1.2 Mb floppy). The sectors will be overwritten with whatever
happens to be at memory address 5000:0000h - probably zeroes. Due to a bug
in the virus, when it reaches track 255 it will go back to track 0 and so
on ad infinitum.

This will cause serious damage to hard disks that store some system
information on unused sectors (IDE disks, PS/2s). On all other disks, there
is no hope of restoring any information, unless the disk contained any
partitions that begin after track 255 (in practice this means after the 11
Mb boundary). The information on such partitions (but not the information
on the first physical partition) can be restored, but this requires expert
help.

Additional Detection:
The following pattern (found in the Master Boot Record) will also detect the
virus:

BE00 7C33 FFFC F3A4 2EFF 2E03 7C33 C08E

Additional Eradication Information:
On some drives, IDE drives in particular, it can be difficult to remove an
infection. If you have one of these drives, a fairly simple solution is
available. Boot from an MS-DOS 5.0 system diskette and run the undocumented
FDISK /MBR command. This will get rid of the virus without destroying any
data. If you don't have DOS 5.0 but have experience in using a physical
sector editor such as Norton Utilities or PCTools, you can disinfect your
hard disk by copying Head 0 Track 0 Sector 7 to Head 0 Track 0 Sector 1.
This copies the original Master Boot Record back where it belongs and
overwrites the virus in the process. Remember, however, to boot from a
clean disk before you start.
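The two steps above (matching the published MBR byte pattern, then copying Head 0 Track 0 Sector 7 back over Sector 1) can be carried out on a raw disk image rather than a live drive. The following is an added example, not part of the NIST notice; it assumes 512-byte sectors and an image laid out in CHS order, so Sector 7 of head 0, track 0 is LBA 6. The sample images are constructed for the example and contain no real boot code.

```python
# Added example: check a raw disk image for the Michelangelo MBR byte pattern
# from the NIST notice and rebuild the MBR from Head 0 Track 0 Sector 7.
# Assumption: 512-byte sectors, CHS sector N of head 0 / track 0 is LBA N-1.
SECTOR = 512
# Pattern published in the notice: "BE00 7C33 FFFC F3A4 2EFF 2E03 7C33 C08E"
MICHELANGELO_PATTERN = bytes.fromhex("BE007C33FFFCF3A42EFF2E037C33C08E")
BACKUP_LBA = 6               # Head 0 Track 0 Sector 7 (1-based CHS numbering)
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR / boot sector

def read_sector(image: bytes, lba: int) -> bytes:
    start = lba * SECTOR
    if len(image) < start + SECTOR:
        raise ValueError(f"image too small for LBA {lba}")
    return image[start:start + SECTOR]

def mbr_matches_pattern(image: bytes) -> bool:
    """True if the MBR (LBA 0) contains the published Michelangelo pattern."""
    return MICHELANGELO_PATTERN in read_sector(image, 0)

def backup_mbr_looks_valid(image: bytes) -> bool:
    """The virus keeps the original MBR at sector 7; check its 55AA signature."""
    return read_sector(image, BACKUP_LBA)[-2:] == BOOT_SIGNATURE

def restore_mbr(image: bytes) -> bytes:
    """Return a copy of the image with sector 7 copied back over sector 1
    (LBA 6 -> LBA 0), the manual eradication step the notice describes.
    Refuses to touch an image that does not look infected or has no backup."""
    if not mbr_matches_pattern(image):
        raise ValueError("MBR does not match the Michelangelo pattern")
    if not backup_mbr_looks_valid(image):
        raise ValueError("sector 7 lacks a 55AA signature; not restoring")
    return read_sector(image, BACKUP_LBA) + image[SECTOR:]

# --- constructed sample images (placeholder bytes, no real boot code) ---
def _sector(fill: bytes, tail: bytes = BOOT_SIGNATURE) -> bytes:
    return (fill * SECTOR)[:SECTOR - len(tail)] + tail

ZERO = _sector(b"\x00", b"\x00\x00")
ORIGINAL_MBR = _sector(b"\xEB\x90")          # stands in for the real MBR
INFECTED_MBR = (_sector(b"\x90")[:100] + MICHELANGELO_PATTERN
                + _sector(b"\x90")[116:])    # pattern embedded at offset 100
CLEAN_IMAGE = ORIGINAL_MBR + ZERO * 9
INFECTED_IMAGE = INFECTED_MBR + ZERO * 5 + ORIGINAL_MBR + ZERO * 3

if __name__ == "__main__":
    print("clean image flagged:   ", mbr_matches_pattern(CLEAN_IMAGE))
    print("infected image flagged:", mbr_matches_pattern(INFECTED_IMAGE))
    repaired = restore_mbr(INFECTED_IMAGE)
    print("restored MBR == original:", read_sector(repaired, 0) == ORIGINAL_MBR)
```

Run it against an image file read with `open(path, "rb").read()` rather than a mounted drive, and only from a machine booted from a clean diskette, as the notice says.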

For More Information:
For more information about viruses and computer security in general, NIST
offers a Bulletin Board System that is open to the general public (the
information on the BBS is not available in printed form). To contact the
BBS, use a modem and communications software to dial (301) 948-5717 (-5140
for 9600 BPS). For additional information, contact NIST at 301-975-5200.