[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Michelangelo PC Virus Warning

Title: Michelangelo PC Virus Warning
Released by: CERT
Date: 6th February 1992
Printable version: Click here

Hash: SHA1



Last Revised: September 19,1997

                Attached copyright statement

                                CERT Advisory

                              February 6, 1992

                         Michelangelo PC Virus Warning

- ---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has

received information concerning a personal computer virus known as

Michelangelo.  The virus affects IBM PCs and compatibles.  A description

of the virus, along with suggested countermeasures, is presented below.

- ---------------------------------------------------------------------------

I.   Description

     The Michelangelo virus is a computer virus that affects PCs

     running MS-DOS (and PC-DOS, DR-DOS, etc.) versions 2.xx and

     higher.  Note, however, that although the virus can only execute

     on PCs running these versions of DOS, it can infect and damage PC

     hard disks containing other PC operating systems including UNIX,

     OS/2, and Novell.  Thus, booting an infected DOS floppy disk on

     a PC that has, for example, UNIX on the hard disk would infect

     the hard disk and would probably prevent the UNIX disk from

     booting.  The virus infects floppy disk boot sectors and hard

     disk master boot records (MBRs).  When the user boots from an

     infected floppy disk, the virus installs itself in memory and

     infects the partition table of the first hard disk (if found).

     Once the virus is installed, it will infect any floppy disk that

     the user accesses.

     Some possible, though not conclusive, symptoms of the

     Michelangelo virus include a reduction in free/total memory by

     2048 bytes, and some floppy disks that become unusable or display

     "odd" graphic characters during "DIR" commands.  Additionally,

     integrity management products should report that the MBR has been


     Note that the Michelangelo virus does not display any messages on

     the PC screen at any time.

II.  Impact

     The Michelangelo virus triggers on any March 6.  On that date,

     the virus overwrites critical system data, including boot and

     file allocation table (FAT) records, on the boot disk (floppy or

     hard), rendering the disk unusable.  Recovering user data from a

     disk damaged by the Michelangelo virus will be very difficult.

III. Solution 

     Many versions of anti-virus software released after approximately

     October 1991 will detect and/or remove the Michelangelo virus.

     This includes numerous commercial, shareware, and freeware

     software packages.  Since this virus was first detected around

     the middle of 1991 (after March 6, 1991), it is crucial to use

     current versions of these products, particularly those products

     that search systems for known viruses.


     The CERT/CC has not formally reviewed, evaluated, or endorsed any

     of the anti-virus products.  While some older anti-virus products

     may detect this virus, the CERT/CC strongly suggests that sites

     verify with their anti-virus product vendors that their product

     will detect and eradicate the Michelangelo virus.

     The CERT/CC advises that all sites test for the presence of this

     virus before March 6, which is the trigger date.  If an infection

     is discovered, it is essential that the user examine all floppy

     disks that may have come in contact with an infected machine.

     As always, the CERT/CC strongly urges all sites to maintain good

     backup procedures.

- ---------------------------------------------------------------------------

The CERT/CC wishes to thank for their assistance: Mr. Christoph

Fischer of the Micro-BIT Virus Center (Germany), Dr. Klaus Brunnstein

of the Virus Test Center (Germany), Mr. A. Padgett Peterson, P.E., of

the Technical Computing Center at Martin-Marietta Corp., and Mr. Steve

R. White of IBM's Thomas J. Watson Research Center.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC or

your representative in FIRST (Forum of Incident Response and Security Teams).

Internet E-mail: cert@cert.org

Telephone: 412-268-7090 (24-hour hotline)

           CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),

           on call for emergencies during other hours.

Computer Emergency Response Team/Coordination Center (CERT/CC)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other

information related to computer security are available for anonymous ftp

from cert.org (

- -------------------------------------------------------------------------

Copyright 1992 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision History:

September 19,1997  Attached Copyright Statement


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.