**************************************************************************
Security Bulletin 9204 DISA Defense Communications System
February 10, 1992 Published by: DDN Security Coordination Center
(
[email protected]) 1-(800) 365-3642
DEFENSE DATA NETWORK
SECURITY BULLETIN
The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
using login="anonymous" and password="guest". The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. scc/ddn-security-9204).
**************************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the Computer !
! Emergency Response Team (CERT) and is being relayed unedited !
! via the Defense Information Systems Agency's Security !
! Coordination Center distribution system as a means of !
! providing DDN subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
===========================================================================
CA-92:02 CERT Advisory
February 6, 1992
Michelangelo PC Virus Warning
---------------------------------------------------------------------------
The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a personal computer virus known as
Michelangelo. The virus affects IBM PCs and compatibles. A description
of the virus, along with suggested countermeasures, is presented below.
---------------------------------------------------------------------------
I. Description
The Michelangelo virus is a computer virus that affects PCs
running MS-DOS (and PC-DOS, DR-DOS, etc.) versions 2.xx and
higher. Note, however, that although the virus can only execute
on PCs running these versions of DOS, it can infect and damage PC
hard disks containing other PC operating systems including UNIX,
OS/2, and Novell. Thus, booting an infected DOS floppy disk on
a PC that has, for example, UNIX on the hard disk would infect
the hard disk and would probably prevent the UNIX disk from
booting. The virus infects floppy disk boot sectors and hard
disk master boot records (MBRs). When the user boots from an
infected floppy disk, the virus installs itself in memory and
infects the partition table of the first hard disk (if found).
Once the virus is installed, it will infect any floppy disk that
the user accesses.
Some possible, though not conclusive, symptoms of the
Michelangelo virus include a reduction in free/total memory by
2048 bytes, and some floppy disks that become unusable or display
"odd" graphic characters during "DIR" commands. Additionally,
integrity management products should report that the MBR has been
altered.
Note that the Michelangelo virus does not display any messages on
the PC screen at any time.
II. Impact
The Michelangelo virus triggers on any March 6. On that date,
the virus overwrites critical system data, including boot and
file allocation table (FAT) records, on the boot disk (floppy or
hard), rendering the disk unusable. Recovering user data from a
disk damaged by the Michelangelo virus will be very difficult.
III. Solution
Many versions of anti-virus software released after approximately
October 1991 will detect and/or remove the Michelangelo virus.
This includes numerous commercial, shareware, and freeware
software packages. Since this virus was first detected around
the middle of 1991 (after March 6, 1991), it is crucial to use
current versions of these products, particularly those products
that search systems for known viruses.
The CERT/CC has not formally reviewed, evaluated, or endorsed any
of the anti-virus products. While some older anti-virus products
may detect this virus, the CERT/CC strongly suggests that sites
verify with their anti-virus product vendors that their product
will detect and eradicate the Michelangelo virus.
The CERT/CC advises that all sites test for the presence of this
virus before March 6, which is the trigger date. If an infection
is discovered, it is essential that the user examine all floppy
disks that may have come in contact with an infected machine.
As always, the CERT/CC strongly urges all sites to maintain good
backup procedures.
---------------------------------------------------------------------------
The CERT/CC wishes to thank for their assistance: Mr. Christoph
Fischer of the Micro-BIT Virus Center (Germany), Dr. Klaus Brunnstein
of the Virus Test Center (Germany), Mr. A. Padgett Peterson, P.E., of
the Technical Computing Center at Martin-Marietta Corp., and Mr. Steve
R. White of IBM's Thomas J. Watson Research Center.
---------------------------------------------------------------------------
If you believe that your system has been compromised, contact CERT/CC or
your representative in FIRST (Forum of Incident Response and Security Teams).
Internet E-mail:
[email protected]
Telephone: 412-268-7090 (24-hour hotline)
CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
on call for emergencies during other hours.
Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous ftp
from cert.sei.cmu.edu (192.88.209.5).
Downloaded From P-80 International Information Systems 304-744-2253
