|
Warning about the Michaelangelo virus
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
The following Virus Alert Message, received through Internet, is provided
for your information. Please read and heed---the computer you save may be
your own!
Sysop, Form Shelf BBS, HQ AFSC/IMQS, Andrews AFB, DC 20334
BBS: 301-981-3663 (300---> 9600 bps/24 hrs daily)
START OF QUOTED MESSAGE
(PERSONAL IDENTIFYING INFO DELETED)
I N T E R O F F I C E M E M O R A N D U M
Date: 17-Jan-1992 02:23pm EST
From: WINS%"<padgett%tccslr.dnet@mmc
Subject: WARNING - Michelangelo Virus (PC)
Return-Path: <[email protected]>
Received: from IBM1.CC.Lehigh.EDU by hqafsc-vax.af.mil with SMTP ;
Fri, 17 Jan 92 14:16:49 EST
Sender: Virus Alert List <[email protected]>
From: "A. Padgett Peterson" <padgett%[email protected]>
Subject: WARNING - Michelangelo Virus (PC)
To: Multiple recipients of list VALERT-L <VALERT-L@LEHIIBM1>
From all reports this destructive virus is spreading worldwide very
rapidly. Unlike the DataCrime "fizzle" in 1989 which contained similar
destructive capability but never spread, the Michelangelo appears to
have become "common" in just ten months following detection. I have
encountered three cases locally in just the last few weeks.
Three factors make this virus particularly dangerous:
1) The virus uses similar techniques as the "STONED" virus which
while first identifies in early 1988 remains the most common virus
currently reported. Since the virus infects only the Master Boot Record
on hard disks and the boot record of floppy disks, viral detection
techniques that rely on alteration of DOS executable files will not
detect the virus. Similarly, techniques that monitor the status of the
MBR may only provide users with a single warning that, if execution is
permitted to continue, may not be repeated.
2) Michelangelo was first discovered in Europe in mid-1991
consequently many virus scanners in use today will not pick up the virus
unless more recent updates have been obtained.
3) Unlike the Stoned and Jerusalem (the most common viruses in the
past) which are more annoying than dangerous, the Michelangelo
virus will, on its trigger date of March 6th, attempt to overwrite vital
areas of the hard disk rendering it unreadable by DOS. Further,
since the FATs (file allocation tables) may be damaged , unless
backups are available recovery will be very difficult and require
someone who is able to rebuild a corrupt FAT (also a very
time-consuming process).
Fortunately, the Michelangelo virus is also very easy to detect: when
resident in a PC, the CHKDSK (included with MS-DOS (Microsoft), PC-DOS
(IBM), and DR-DOS (Digital Research) {all names are registered by
their owners}) program will return a "total bytes memory" value 2048
bytes lower than normal. This means that a 640k PC which normally
returns 655,360 "total bytes memory" will report 653,312. While a
low value will not necessarily mean that Michelangelo or any other
virus is present, the PC should be examined by someone familiar with viral
activity to determine the reason.
If the Michelangelo virus is found, the PC should be turned off until
disinfected properly. All floppy disks and other machines in the
area should then also be examined since the Michelangelo virus is
spread in the boot record (executable area found on all floppy disks
including data-only disks).
Padgett Peterson Internet: padgett%[email protected]
Note: the opinions expressed are my own and not necessarily those of my
employer. Comments refer only to the specific example of the virus that
I have examined. Other strains may exist.
END OF QUOTED MESSAGE
This alert notice provided as a public service of the Form Shelf BBS.
|
|
