Date: 03-Mar-92 12:22 PST
From: Darrell Porter [76244,3364]
Subj: Michaelangelo Report

Technical Support, Consumer Loan Division
Virus Experimentation Project #43

Michaelangelo Virus Infecting LAN File Servers
Darrell Porter


Section One: Purpose

The purpose of this experiment is to determine what effects the Michaelangelo virus has when it is contained within the boot sector of a Novell file server. This is of significant importance because of the number of Novell networks which the bank owns. This experiment was done in conjunction with Pacific Systems Integration, without whom this project would not have been completed until long after April.


Section Two: Background

The Michaelangelo virus was first reported in April 1991 in Sweden and the Netherlands. The first usable sample of the virus was actually received by the National Computer Security Association (NCSA) in June 1991.

The Michaelangelo virus is a memory-resident infector of diskette boot sectors and hard disk partition tables. It is roughly based on the STONED (No-INT) virus, though very different in its behavior. The Michaelangelo virus becomes memory resident the first time the system is booted from a Michaelangelo-infected disk. Regardless of whether this boot is successful, the Michaelangelo virus will become memory resident. Total system memory and available free memory, as measured by the DOS CHKDSK program, will typically decrease by 2,048 bytes. The Michaelangelo virus will be resident at the top of system memory but below the 640K DOS boundary. The value returned by Interrupt 12h (the BIOS memory-size call) is lowered to ensure that the Michaelangelo virus in memory is not overwritten. Once the Michaelangelo virus is memory resident, it will infect the boot sectors of diskettes as they are accessed. [1]

The Michaelangelo virus activates if the system is booted on March 6, at which time it will erase heads 0-3, cylinders 0-255, sectors 1-9 of the hard disk.
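The payload addresses the disk in BIOS cylinder/head/sector terms, so which logical sectors are actually lost depends on the drive's geometry. The following impact-assessment helper is an added example, not part of the original report: it maps the region just described (heads 0-3, cylinders 0-255, sectors 1-9) onto logical block addresses for an assumed geometry so an administrator can tell which partitions a March 6 activation would damage. The 4-head, 17-sector-per-track geometry and the sample partition table are constructed, not taken from the report.

```python
"""Impact assessment for the Michaelangelo wipe region (added example).
Geometry values are assumed; the wipe bounds are the report's figures."""

SECTOR_BYTES = 512
WIPED_CYLS = range(0, 256)     # cylinders 0-255 (report)
WIPED_HEADS = range(0, 4)      # heads 0-3 (report)
WIPED_SECTORS = range(1, 10)   # sectors 1-9; BIOS sector numbers are 1-based


def lba_to_chs(lba, heads, spt):
    """Translate a logical block address into BIOS (cylinder, head, sector)."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec0 = divmod(rem, spt)
    return cyl, head, sec0 + 1


def is_wiped(lba, heads, spt):
    """True if this logical sector lies inside the region the payload erases."""
    cyl, head, sec = lba_to_chs(lba, heads, spt)
    return cyl in WIPED_CYLS and head in WIPED_HEADS and sec in WIPED_SECTORS


def wiped_bytes(heads, spt):
    """Bytes destroyed on a drive of the given geometry. A drive with more than
    4 heads or more than 9 sectors per track keeps the rest of each affected
    cylinder intact, so the damage is not one contiguous prefix of the disk."""
    n_heads = min(heads, len(WIPED_HEADS))
    n_secs = min(spt, len(WIPED_SECTORS))
    return len(WIPED_CYLS) * n_heads * n_secs * SECTOR_BYTES


def partition_damage(partitions, heads, spt):
    """partitions: iterable of (name, start_lba, length_in_sectors).
    Returns {name: sectors_lost}. Nothing past cylinder 255 is touched,
    so the scan stops at the first sector of cylinder 256."""
    limit = len(WIPED_CYLS) * heads * spt
    report = {}
    for name, start, length in partitions:
        end = min(start + length, limit)
        report[name] = sum(1 for lba in range(start, end) if is_wiped(lba, heads, spt))
    return report


if __name__ == "__main__":
    # Constructed sample: 4 heads, 17 sectors/track, a small DOS partition on
    # track 1 and a second partition starting at cylinder 300 (untouched).
    geometry = (4, 17)
    table = [("DOS", 17, 17), ("NETWARE", 300 * 4 * 17, 5000)]
    print(wiped_bytes(*geometry), partition_damage(table, *geometry))
```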
Since the erased area also includes the system area of the hard disk, the hard disk will no longer boot and will need to be FDISK'ed and FORMAT'ed, a process which will make the drive usable again. If you desperately need the information off of the drive (less the first 9 megabytes), you can take it to a data recovery specialist. [2]

The strain of the Michaelangelo virus used in this experiment was provided by Pacific Systems Integration for the express purposes of this test.


Section Three: Criteria

The experiment comprises four scenarios.

Scenario 1: Netware 2.2 Non-Dedicated
    Compaq Deskpro 386-25
    Future Domain SCSI Controller
    Maxtor 600 Mb SCSI drive
    First 100 cylinders set aside for DOS
    Novell Netware 2.2 Non-Dedicated
    No core printing services
    Compaq DOS 3.31

Scenario 2: Netware 2.2 Dedicated
    Compaq Deskpro 386-25
    Future Domain SCSI Controller
    Maxtor 600 Mb SCSI drive
    First 100 cylinders set aside for DOS
    Novell Netware 2.2 Dedicated
    No core printing services
    Compaq DOS 3.31

Scenario 3: Netware 3.11, DOS resident
    Compaq Deskpro 386-25
    Future Domain SCSI Controller
    Maxtor 600 Mb SCSI drive
    Boots from 10 Mb DOS partition
    Novell Netware 3.11
    Compaq DOS 3.31

Scenario 4: Netware 3.11, DOS removed
    Compaq Deskpro 386-25
    Future Domain SCSI Controller
    Maxtor 600 Mb SCSI drive
    Boots from 10 Mb DOS partition
    Novell Netware 3.11
    Compaq DOS 3.31

Two identical machines (Machine 1, s/n 4851AR6B1429; Machine 2, s/n 4851AR6B1448) were set up and tested to verify that the Netware installation was correct. The machines were run side by side for 1 week prior to the beginning of the experiment. In each case, the machines were downed and brought back up as simultaneously as was humanly possible.


Section Four: Scenario 1

A file server was generated using Novell Netware 2.2 100-user. The first 100 cylinders of the hard disk were set aside for use by DOS (using the FDISK utility from DOS 3.31).
The DOS version used on the file server and during the generation of the file server was Compaq DOS 3.31. All aspects of the installation were normal and no problems were encountered. A 3-COM 3C507 (Etherlink-16 IEEE 802.3) LAN interface card was used on a bus-topology Ethernet LAN with 10 workstations running various applications. The file server was given a gradually increased load over several days to ensure correct configuration.

23 hours and 12 minutes after experiment initiation, the hard drive in #1 experienced catastrophic failure due to unknown hardware-related problems. The hard drive and controller were replaced with an identical configuration. #1 was reloaded and tested. After proper function was determined, both file servers were brought down and reinitialized.

After 200 hours of normal, uninterrupted operation, #1 and #2 were brought down. #1 was booted with an uninfected copy of Compaq DOS 3.31 with CHKDSK.EXE. CHKDSK reported 655,360 total bytes of memory. #2 was booted with an infected [3] copy of Compaq DOS 3.31 with CHKDSK.EXE. CHKDSK reported 653,312 total bytes of memory. Both machines were warm-booted. A write-protected, known-clean copy of McAfee SCAN version 85 was used on both machines. No viruses were detected on #1. Michaelangelo was detected on #2.

The machines were brought on-line as file servers. No detectable differences in performance were noted. Both machines were utilized for 100 hours of uninterrupted use. The file server time was set to March 6, 1992 using the Novell FCONSOLE utility. No changes were noted. The file servers were brought down after 12 hours of operation.

Using Compaq Diagnostics version 7.08, the CMOS clocks were set to March 6, 1992. Both machines were powered up. #1 came up normally. #2 left a blinking cursor on the screen and a great deal of hard disk activity was noticed. #1 was brought up as a file server and continued normal operation. #2 seemed to be locked. Subsequent attempts to boot #2 failed.
Both machines were powered off and the hard drive and controller from #1 were installed in #2. #2 immediately came up. The controller and drive from #2 were installed in #1. #1 would not come up. The drives and controllers were returned to their original machines. #2's hard disk appeared to have been overwritten with random data. This is an indication that the Michaelangelo virus was activated upon boot-up rather than upon the date change. #1 and #2 were erased to a stock Compaq DOS 3.31 configuration.


Section Five: Scenario 2

A file server was generated using Novell Netware 2.2 100-user. The first 100 cylinders of the hard disk were set aside for use by DOS (using the FDISK utility from DOS 3.31). The DOS version used on the file server and during the generation of the file server was Compaq DOS 3.31. All aspects of the installation were normal and no problems were encountered. A 3-COM 3C507 (Etherlink-16 IEEE 802.3) LAN interface card was used on a bus-topology Ethernet LAN with 10 workstations running various applications. The file server was given a gradually increased load over several days to ensure correct configuration.

After 200 hours of normal, uninterrupted operation, #1 and #2 were brought down. #1 was booted with an infected [4] copy of Compaq DOS 3.31 with CHKDSK.EXE. CHKDSK reported 653,312 total bytes of memory. #2 was booted with an uninfected copy of Compaq DOS 3.31 with CHKDSK.EXE. CHKDSK reported 655,360 total bytes of memory. Both machines were warm-booted. A write-protected, known-clean copy of McAfee SCAN version 85 was used on both machines. No viruses were detected on #2. Michaelangelo was detected on #1.

The machines were brought on-line as file servers. No detectable differences in performance were noted. Both machines were utilized for 100 hours of uninterrupted use. The file server time was set to March 6, 1992 using the Novell FCONSOLE utility. No changes were noted.
The file servers were brought down after 12 hours of operation. Using Compaq Diagnostics version 7.08, the CMOS clocks were set to March 6, 1992. Both machines were powered up. #2 came up normally. #1 left a blinking cursor on the screen and a great deal of hard disk activity was noticed. #2 was brought up as a file server and continued normal operation. #1 seemed to be locked. Subsequent attempts to boot #1 failed.

Both machines were powered off and the hard drive and controller from #2 were installed in #1. #1 immediately came up. The controller and drive from #1 were installed in #2. #2 would not come up. The drives and controllers were returned to their original machines. #1's hard disk appeared to have been overwritten with random data. This is an indication that the Michaelangelo virus was activated upon boot-up rather than upon the date change. #1 and #2 were erased to a stock Compaq DOS 3.31 configuration.


Section Six: Scenario 3

Novell Netware 3.11 was installed on #1 and #2. AUTOEXEC.BAT was set up so that the file server is brought up automatically upon power-on. Network load was gradually increased over a period of 24 hours. Both file servers were operational for 120 hours of continuous use. Both machines were brought to DOS and shut down.

#1 was booted with an uninfected copy of Compaq DOS 3.31 with CHKDSK.EXE. CHKDSK reported 655,360 total bytes of memory. #2 was booted with an infected [5] copy of Compaq DOS 3.31 with CHKDSK.EXE. CHKDSK reported 653,312 total bytes of memory. Both machines were warm-booted. A write-protected, known-clean copy of McAfee SCAN version 85 was used on both machines. No viruses were detected on #1. Michaelangelo was detected on #2.

The machines were brought on-line as file servers. No detectable differences in performance were noted. Both machines were utilized for 100 hours of uninterrupted use. Using Compaq Diagnostics version 7.08, the CMOS clocks were set to March 6, 1992.
Both machines were powered up. #1 came up normally. #2 left a blinking cursor on the screen and a great deal of hard disk activity was noticed. #1 was brought up as a file server and continued normal operation. #2 seemed to be locked. Subsequent attempts to boot #2 failed.

Both machines were powered off and the hard drive and controller from #1 were installed in #2. #2 immediately came up. The controller and drive from #2 were installed in #1. #1 would not come up. The drives and controllers were returned to their original machines. #2's hard disk appeared to have been overwritten with random data. This is an indication that the Michaelangelo virus was activated upon boot-up rather than upon the date change. #1 and #2 were erased to a stock Compaq DOS 3.31 configuration.


Section Seven: Scenario 4

Novell Netware 3.11 was installed on #1 and #2. AUTOEXEC.BAT was set up so that the file server is brought up automatically upon power-on. DOS is removed via AUTOEXEC.NCF. Network load was gradually increased over a period of 24 hours. Both file servers were operational for 120 hours of continuous use. Both machines were brought to DOS and shut down.

#1 was booted with an uninfected copy of Compaq DOS 3.31 with CHKDSK.EXE. CHKDSK reported 655,360 total bytes of memory. #2 was booted with an infected [6] copy of Compaq DOS 3.31 with CHKDSK.EXE. CHKDSK reported 653,312 total bytes of memory. Both machines were warm-booted. A write-protected, known-clean copy of McAfee SCAN version 85 was used on both machines. No viruses were detected on #1. Michaelangelo was detected on #2.

The machines were brought on-line as file servers. No detectable differences in performance were noted. Both machines were utilized for 100 hours of uninterrupted use. Using Compaq Diagnostics version 7.08, the CMOS clocks were set to March 6, 1992. Both machines were powered up. #1 came up normally.
#2 left a blinking cursor on the screen and a great deal of hard disk activity was noticed. #1 was brought up as a file server and continued normal operation. #2 seemed to be locked. Subsequent attempts to boot #2 failed.

Both machines were powered off and the hard drive and controller from #1 were installed in #2. #2 immediately came up. The controller and drive from #2 were installed in #1. #1 would not come up. The drives and controllers were returned to their original machines. #2's hard disk appeared to have been overwritten with random data. This is an indication that the Michaelangelo virus was activated upon boot-up rather than upon the date change. #1 and #2 were erased to a stock Compaq DOS 3.31 configuration.


Section Eight: Conclusion

Although Michaelangelo is a rather malignant and destructive virus, it is rather limited in its destructive capabilities in that the machine on which it resides must be powered on while the system clock is set to March 6, 1992. If a machine does become damaged by the virus, data recovery is difficult, if not impossible.

The best strategy to minimize virus-induced damage is to have a functional anti-virus policy and system backup policy in place, such that critical data is always backed up on a nightly (if not more frequent) basis and the virus detection/removal software is kept up to date. If a file server is suspected of being infected with the virus, it should be downed (preferably during off-peak times) and scanned for viruses. Because of their technical support and their availability by telephone, fax, CIS and the Internet, the author recommends the McAfee [7] line of anti-viral software.

It should be noted that 2.X file servers which boot directly to Novell using the Novell Cold Boot Loader will immediately fail to function if infected with a boot block virus. Most Netware 3.11 installations we have worked on have had bootable DOS partitions.
There is also a growing number of LAN administrators who, for one reason or another, want a bootable DOS partition on the 2.X file server, even though Novell strongly recommends against having a bootable partition.


References:

[1] Patricia Hoffman's Virus Information Summary List; Copyright (C) 1991 by Patricia Hoffman. All rights reserved. 3333 Bowers Avenue, Suite 130, Santa Clara, CA 95054

[2] Common Questions and Answers about the Michaelangelo Virus by Aryeh Goretsky; Copyright (C) 1992 by Aryeh Goretsky. All rights reserved. Phone (408) 988-3832

[3] Boot block was infected with Michaelangelo virus, strain 0.

[4] Boot block was infected with Michaelangelo virus, strain 0.

[5] Boot block was infected with Michaelangelo virus, strain 0.

[6] Boot block was infected with Michaelangelo virus, strain 0.

[7] McAfee and Associates can be reached in North America at 1-408-988-3832