National Institute of Standards and Technology
Computer Security Division
==========================================================================
Security Information Notice
==========================================================================
February 19, 1992

Michelangelo Virus

This fact sheet describes a computer virus known as "Michelangelo", which recently has been discovered and received attention in the news media. This virus affects IBM-compatible personal computers and has a "trigger" date of March 6 (Michelangelo's birthday), at which time it will cause significant damage to the hard disk of an infected system. The virus has been reported by a number of sites and there have been at least two cases in which it has been inadvertently distributed on commercial software. However, there is no way of knowing exactly how extensively the virus may be spread. It is, therefore, only prudent for users of IBM-compatible personal computers to take certain precautions -- if they are not already doing so on a regular basis. This fact sheet provides information about the virus and steps that can be taken to detect and eradicate it.

The Michelangelo virus is a variant of the Stoned virus. It is classified as a "boot sector" virus, since it infects the "master boot record" of a system's hard disk or the "boot record" of floppy disks. (These are critical portions of a disk that load the operating system, DOS, when the computer is powered up or re-booted.) This virus does not infect executable files. However, it can infect and be transmitted on any formatted diskette in an infected machine. This virus has a trigger date of March 6, at which time the virus attempts to overwrite vital areas of the hard disk. Additionally, disk File Allocation Tables (FATs) may be damaged. If this happens and you don't have a backup, recovery will be very tedious and, in most cases, not practical.
Backing Up Your System:

It is very important that you back up your system, regardless of whether it is infected. To back up your system, boot from a floppy diskette that you know to be non-infected (i.e., you have scanned this diskette with a scanner that detects the Michelangelo virus) and then copy your files to other non-infected diskettes.

Detecting the Michelangelo Virus:

The best way to detect this virus is to use a virus scanning program that scans boot sector records. Most scanners scan boot records in addition to files, but you should make sure your scanner is doing so. There are several readily-available products whose most recent versions can detect the Michelangelo virus. NIST does not evaluate or endorse anti-viral products nor distribute anti-viral software.

While a scanner is recommended, possible existence of the virus can be determined without a scanner by using the standard DOS CHKDSK command. If the virus is resident in a PC, CHKDSK returns 2048 bytes less memory than the uninfected system. On a 640K PC, DOS normally returns 655,360 bytes "total bytes memory" on an uninfected system. On an infected system, the value returned is 653,312. This is by no means a conclusive test. If you are attempting to use this method of detecting the virus, the change in memory size should disappear when you boot from a non-infected floppy, i.e., CHKDSK will return the true number of bytes in memory. However, use of an actual virus scanner is recommended.

What to do if the Michelangelo Virus is Detected:

If your scanner program determines that the Michelangelo virus is present, follow the vendor's instructions for removing the virus from your disk's master boot record. If you have used CHKDSK instead of a scanner and CHKDSK indicates that the virus may be present, use a scanner to verify.
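The CHKDSK memory check described above can be applied to saved CHKDSK output rather than read off the screen. The Python below is an added example written for this notice, not software NIST distributed. The CHKDSK output it parses is constructed sample text, and the exact wording and layout of the memory line is an assumption about a given DOS version; the figures 655,360 and 653,312 and the 2048-byte deficit come from the notice. It also encodes the notice's second step: the shortfall should vanish when the machine is booted from a clean floppy, otherwise the result is inconclusive.

```python
import re

# Values from the notice: expected total on a 640K PC and the deficit that a
# resident copy of the virus produces.
EXPECTED_TOTAL_640K = 655_360
VIRUS_RESIDENT_DEFICIT = 2_048

# Constructed sample CHKDSK output (not captured from a real machine). Only the
# "total bytes memory" line matters; its layout here is an assumption.
CHKDSK_INFECTED = """\
Volume Serial Number is 1A2B-3C4D
  33419264 bytes total disk space
  30044160 bytes available on disk

      2048 bytes in each allocation unit
     16318 total allocation units on disk
     14670 available allocation units on disk

    653312 total bytes memory
    587584 bytes free
"""

# Same machine after booting from a known-clean floppy: the deficit disappears.
CHKDSK_CLEAN_BOOT = CHKDSK_INFECTED.replace("653312 total bytes memory",
                                            "655360 total bytes memory")

# Accept thousands separators, since the notice itself writes 655,360.
_TOTAL_MEMORY_RE = re.compile(r"^\s*([\d,]+)\s+total bytes memory", re.MULTILINE)


def total_bytes_memory(chkdsk_output: str) -> int:
    """Extract the 'total bytes memory' figure from CHKDSK output."""
    m = _TOTAL_MEMORY_RE.search(chkdsk_output)
    if not m:
        raise ValueError("no 'total bytes memory' line found in CHKDSK output")
    return int(m.group(1).replace(",", ""))


def assess(hard_disk_boot: str, clean_floppy_boot: str,
           expected_total: int = EXPECTED_TOTAL_640K) -> str:
    """Apply the notice's two-step memory check.

    Returns:
      "clean"        - memory matches the expected total after a normal boot
      "suspect"      - exactly 2048 bytes missing after a normal boot, and the
                       deficit disappears when booted from a clean floppy
      "inconclusive" - memory is short by some other amount, or the shortfall
                       persists on a clean boot (another resident program or a
                       hardware reservation, not evidence of this virus)
    As the notice says, only a boot-sector scanner gives a conclusive answer.
    """
    normal = total_bytes_memory(hard_disk_boot)
    clean = total_bytes_memory(clean_floppy_boot)
    if normal == expected_total:
        return "clean"
    if expected_total - normal == VIRUS_RESIDENT_DEFICIT and clean == expected_total:
        return "suspect"
    return "inconclusive"


if __name__ == "__main__":
    print("normal boot reports", total_bytes_memory(CHKDSK_INFECTED), "bytes")
    print("verdict:", assess(CHKDSK_INFECTED, CHKDSK_CLEAN_BOOT))
```

Redirect CHKDSK's output to a file on both boots (the normal one and the clean-floppy one) and feed the two files to assess(); a "suspect" result is the cue to run a scanner, as the notice advises.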
Before rebooting your system, scan the system again to ensure that your system is clean of all viruses - if your system is still infected with a virus, use your anti-viral software to remove the virus. If your organization has a PC support group, you should consult them and inform them of the problem.

It is possible to avoid damage by resetting the system date to something other than March 6; however, this is a poor solution, since the virus would still be present and spreading. It is recommended that you back up your system, scan for the existence of the virus, and remove it.

If an infection of this or any other virus is detected, you should also immediately inform your management, PC support, or security officer. The presence of a virus could mean that many other systems in your organization have also been infected.

Additional Technical Damage Information:

On March 6, the virus will begin to overwrite the disk from which the system has been booted. It will overwrite heads 0-3, tracks 0-255 (if available), sectors 1-9 on a 360 Kb floppy, 1-17 on a hard disk, and 1-14 on everything else (e.g. 1.2 Mb floppy). The sectors will be overwritten with whatever happens to be at memory address 5000:0000h - probably zeroes. Due to a bug in the virus, when it reaches track 255, it will go back to track 0 and so on ad infinitum. This will cause serious damage to hard disks that store some system information on unused sectors (IDE disks, PS/2s). On all other disks, there is no hope of restoring any information, unless the disk contained any partitions that begin after track 255 (in practice this means after the 11 Mb boundary). The information on such partitions (but not the information on the first physical partition) can be restored, but this requires expert help.
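The overwrite ranges above can be turned into a recoverability estimate for a specific drive. The Python below is an added example, not part of the notice: it clips the notice's ranges (heads 0-3, tracks 0-255, sectors 1-9, 1-17 or 1-14 by medium) to a disk geometry you supply and reports how much of the disk is hit and which CHS addresses or partition start tracks lie outside the zone. The sample geometries, the function names, and the assumption that the first surviving byte is the start of track 256 are mine, not the notice's.

```python
from dataclasses import dataclass

# Overwrite ranges stated in the notice.
VIRUS_HEADS = 4            # heads 0-3
VIRUS_TRACKS = 256         # tracks 0-255; the wrap-around bug keeps it in this range
VIRUS_SECTORS = {          # sectors 1..N, by medium
    "floppy360k": 9,
    "harddisk": 17,
    "other": 14,           # e.g. a 1.2 Mb floppy
}
BYTES_PER_SECTOR = 512


@dataclass(frozen=True)
class Geometry:
    heads: int
    tracks: int            # cylinders
    spt: int               # sectors per track, numbered from 1

    def total_sectors(self) -> int:
        return self.heads * self.tracks * self.spt


# Sample geometries (assumptions for illustration, not taken from the notice).
FLOPPY_360K = Geometry(heads=2, tracks=40, spt=9)
HD_4_HEADS = Geometry(heads=4, tracks=615, spt=17)
HD_5_HEADS = Geometry(heads=5, tracks=615, spt=17)


def is_overwritten(geom: Geometry, medium: str,
                   head: int, track: int, sector: int) -> bool:
    """True if this CHS address lies inside the zone the virus overwrites."""
    if not (0 <= head < geom.heads and 0 <= track < geom.tracks
            and 1 <= sector <= geom.spt):
        raise ValueError("CHS address outside the disk geometry")
    return (head < VIRUS_HEADS and track < VIRUS_TRACKS
            and sector <= VIRUS_SECTORS[medium])


def overwritten_sectors(geom: Geometry, medium: str) -> int:
    """Sectors destroyed: the virus's ranges clipped to what the disk has."""
    return (min(geom.heads, VIRUS_HEADS)
            * min(geom.tracks, VIRUS_TRACKS)
            * min(geom.spt, VIRUS_SECTORS[medium]))


def whole_disk_lost(geom: Geometry, medium: str) -> bool:
    """True when the zone covers every sector the disk has (e.g. a 360K floppy)."""
    return overwritten_sectors(geom, medium) == geom.total_sectors()


def partition_data_recoverable(start_track: int) -> bool:
    """Per the notice, only partitions beginning after track 255 keep their data."""
    return start_track > VIRUS_TRACKS - 1


def first_surviving_byte_offset(geom: Geometry) -> int:
    """Byte offset at which track 256 begins on this geometry (assumed layout:
    tracks are laid out cylinder by cylinder, head by head)."""
    return VIRUS_TRACKS * geom.heads * geom.spt * BYTES_PER_SECTOR


if __name__ == "__main__":
    for name, geom, medium in (("360K floppy", FLOPPY_360K, "floppy360k"),
                               ("4-head hard disk", HD_4_HEADS, "harddisk"),
                               ("5-head hard disk", HD_5_HEADS, "harddisk")):
        hit = overwritten_sectors(geom, medium)
        print(f"{name}: {hit} of {geom.total_sectors()} sectors overwritten; "
              f"whole disk lost: {whole_disk_lost(geom, medium)}; "
              f"data survives from byte {first_surviving_byte_offset(geom)}")
```

For a 5-head, 17-sector drive the boundary computed here is 11,141,120 bytes, roughly the "11 Mb" the notice quotes; on a 4-head drive it is lower, so the exact boundary depends on the drive geometry, while the rule "partition begins after track 255" holds regardless.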
Additional Detection:

The following pattern (found in the Master Boot Record) will also detect the virus:

    BE00 7C33 FFFC F3A4 2EFF 2E03 7C33 C08E

Additional Eradication Information:

On some drives, IDE drives in particular, it can be difficult to remove an infection. If you have one of these drives, a fairly simple solution is available. Boot from an MS-DOS 5.0 system diskette and run the undocumented FDISK /MBR. This will get rid of the virus without destroying any data. However, if you don't have DOS 5.0 and have experience in using a physical sector editor such as Norton Utilities or PCTools, you can disinfect your hard disk by copying Head 0 Track 0 Sector 7 to Head 0 Track 0 Sector 1. This copies the original Master Boot Record back where it belongs and overwrites the virus in the process. Remember when doing this, however, to be sure to boot from a clean disk before you start.

For More Information:

For more information about viruses and computer security in general, NIST offers a Bulletin Board System that is open to the general public (the information on the BBS is not available in printed form). To contact the BBS, use a modem and communications software to dial (301) 948-5717 (-5140 for 9600 BPS). For additional information, contact NIST at 301-975-5200.
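The detection pattern and the sector-editor restore procedure above can both be rehearsed on a raw disk image before anything is done to a real drive. The Python below is an added example and not NIST's code: it searches sector 1 of an image for the 16-byte pattern the notice gives, and performs the Head 0 Track 0 Sector 7 to Sector 1 copy on an in-memory image, refusing when sector 7 does not carry a 55AA boot signature or itself matches the pattern. The image, the 4-head/17-sector geometry, the partition entry, and where the pattern sits inside the constructed "infected" sector are all made-up test data, not the layout of the real virus.

```python
SECTOR = 512
BOOT_SIG = b"\x55\xAA"          # signature ending every valid boot record

# 16-byte Master Boot Record pattern quoted in the notice.
MICHELANGELO_MBR_PATTERN = bytes.fromhex("BE00 7C33 FFFC F3A4 2EFF 2E03 7C33 C08E")


def chs_to_offset(head: int, track: int, sector: int,
                  heads: int = 4, spt: int = 17) -> int:
    """Byte offset of a CHS address in a raw image (sectors number from 1).
    The 4-head, 17-sector geometry is an assumption for the sample image."""
    lba = (track * heads + head) * spt + (sector - 1)
    return lba * SECTOR


MBR_OFFSET = chs_to_offset(0, 0, 1)     # Head 0 Track 0 Sector 1
BACKUP_OFFSET = chs_to_offset(0, 0, 7)  # Head 0 Track 0 Sector 7, per the notice


def read_sector(image: bytes, offset: int) -> bytes:
    return image[offset:offset + SECTOR]


def mbr_infected(image: bytes) -> bool:
    """True if sector 1 contains the pattern from the notice."""
    return MICHELANGELO_MBR_PATTERN in read_sector(image, MBR_OFFSET)


def backup_usable(image: bytes) -> bool:
    """Sector 7 must look like a boot record and must not match the pattern."""
    backup = read_sector(image, BACKUP_OFFSET)
    return backup[510:512] == BOOT_SIG and MICHELANGELO_MBR_PATTERN not in backup


def restore_mbr(image: bytes) -> bytes:
    """Copy Head 0 Track 0 Sector 7 over Sector 1 and return the new image."""
    if not backup_usable(image):
        raise ValueError("sector 7 is not a usable original MBR; do not restore from it")
    backup = read_sector(image, BACKUP_OFFSET)
    return image[:MBR_OFFSET] + backup + image[MBR_OFFSET + SECTOR:]


def build_sample_image(total_sectors: int = 64):
    """Return (image, original_mbr). Everything here is constructed test data."""
    original = bytearray(SECTOR)
    original[0:2] = b"\xEB\xFE"                     # placeholder boot code (jmp $)
    # One constructed partition entry: active, type 06 (FAT16), start LBA 17.
    original[446:462] = (bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0x03, 0x11, 0xFF])
                         + (17).to_bytes(4, "little") + (1000).to_bytes(4, "little"))
    original[510:512] = BOOT_SIG

    infected = bytearray(SECTOR)
    infected[16:32] = MICHELANGELO_MBR_PATTERN      # position chosen for the test only
    infected[446:510] = original[446:510]           # partition table kept intact
    infected[510:512] = BOOT_SIG

    image = bytearray(SECTOR * total_sectors)
    image[MBR_OFFSET:MBR_OFFSET + SECTOR] = infected
    image[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR] = original
    return bytes(image), bytes(original)


if __name__ == "__main__":
    image, original = build_sample_image()
    print("infected before:", mbr_infected(image))
    cleaned = restore_mbr(image)
    print("infected after:", mbr_infected(cleaned),
          "| MBR matches original:", cleaned[:SECTOR] == original)
```

The 55AA check is the safeguard the notice's one-line instruction leaves implicit: if sector 7 is empty or holds something else, copying it over sector 1 would replace an infected but bootable record with garbage, which is why the example refuses rather than proceeds.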