UNCLASSIFIED 01 OO UUUU
DIA WASHINGTON DC//DS-SIM//
AIG 7894
AIG 7005
CDRUSAISC FT SHERIDAN IL//ASQNA-SHD-0//
NAVWPNCEN CHINA LAKE CA//CODE 2408//
SECDEF WASHINGTON DC//C3I-T/C3I-IS/USDP/DSAA/ PHYSICAL SECURITY DIV/DARPA-ITSO/SQUIRES//
JOINT STAFF WASHINGTON DC//6JT/DIRM: SCD//
AFCSC KELLY AFB TX//SR/SRE/SRM/SRMA//
HQ AFIC KELLY AFB TX//INAR//
DA WASHINGTON DC//DAMI-AM/DAMI-CIC/SAIS-SS/ JDMSS-W/JDPP-SO//
CDRINSCOM FT BELVOIR VA//IAOPS-CI-TO/IAM-AUT-L//
CDRUSAOPSGP FT GEORGE G MEADE MD//IAGPC-S//
CDR730THMIBN MUNICH GE//IAGPE-SCM//
COMNAVINTCOM WASHINGTON DC//OOQ/OOJ//
NAVINVSERV ERREG LONDON UK//60HQ//
NAVINVSERVRA LONDON UK//60LN//
AFOSI DET 7008 MUNICH GE//CC//
MICHAEL R. HIGGINS, DS-SIM {202} 373-8852, 4 MAR 92 {DEJ}
ROBERT L. AYERS, CHIEF, DS-SIM(DCPO)
CMC WASHINGTON DC//INTX//
USCENTCOM MACDILL AFB FL//J2/J6/SOJ2-SSO/SOJ2-IS//
USCINCEUR VAIHINGEN GE//ECJ2/ECJ2-P/ECJ6/ EUCOM AIDES//
USCINCLANT NORFOLK VA//J2/J6/J63//
USCINCPAC HONOLULU HI//J2I/J6//
CINCSAC OFFUTT AFB NE//INSC//
USCINCSO QUARRY HEIGHTS PM//J2/J2-ID/J6/ SCJ6-A/SSO//
USCINCTRANS SCOTT AFB IL//J2/J6//
CINCFOR FT MCPHERSON GA//J2/J6/FCJ6-TPM//
USSPACECOM PETERSON AFB CO//J2/J6//
USNMR SHAPE BE//DACOS INTEL//
NSACSS FT GEORGE G MEADE MD//C912/X43//
CDRINSCOM FT BELVOIR VA//IAIM-AUT-L//
NAVELEXSECCEN WASHINGTON DC//CODE 04/CODE 043//
DCAA CAMERON STATION VA//OWN//
CMC WASHINGTON DC//CODE CCIS/INTZ//
DIS WASHINGTON DC//V0060//
DMATSC RESTON VA//IS//
DLA CAMERON STATION VA/IA//
USUHS BETHESDA MD//UCC//
SDIO WASHINGTON DC//POI//
NCRLANT NORFOLK VA//
DOE LIVERMORE CA//LLNL//
COMDT COGARD WASHINGTON DC//G-TPS-4/G-OIN//
FTC WRIGHT PATTERSON AFB OH//DXST//
HQ DOE WASHINGTON DC//IN-40//
CG FIRST MEB//SSO//
CG SECOND MAW//G2/SSO//
CG THIRD MAW//G2/SSO//
FORSCOM AISA FT BRAGG NC
CNO WASHINGTON DC//OP941/OP942/OP945/OP943/921//
COMSPAWARSYSCOM WASHINGTON DC//PMW161/ PMW162/PD60//
CG FMFLANT//G2/G6/ISMO//
CDRUSAISC FT HUACHUCA AZ//ASIS-A//
CDR USACIDC WASHINGTON DC//C1ID-IN-SC//
CG FIRST MEF//G-2/ISSO//
CDR 751STMIBN PYONGTAEK KOR//IABDK-FS-IMO//
MARCORINTCEN QUANTICO VA//MCIC10//
HQ AFISA BOLLING AFB DC//INDXS/IVSC/SCX//
CJTF FIVE//J64//
USSPACECOM NORAD CMAFB COLORADO SPRINGS CO
CINCUSNAVEUR LONDON UK//N2/N23/N26/N6/N8/016//
CDR 902ND FT GEORGE G MEADE MD//IAGPA-OP-I/ IRGPA-T/IAGPA-A-OP//
COMNAVAIRTESTCEN PATUXENT RIVER MD//SYO2B2//
HQ AFLC WRIGHT PATTERSON AFB OH//INS//
CTJF FOUR/J2
DEA WASHINGTON DC//AIC//
PM ASAS MCLEAN VA
CDR USARPAC FT SHAFTER HI//APIN-SC//
CDR USARSO FT CLAYTON PM//SOIN-CIS//
CINCUSAREUR HEIDELBERG GE//AEAGB-CI/AEAGB-CI-S//
DIRNSA FT GEORGE G MEADE MD//C91/X411//
NAVOCEANSYSCEN SAN DIEGO CA//422//
EW MGT DIR ROBINS AFB GA//LNN//
MAC INTEL CEN SCOTT AFB IL//IND//
CDRAMC ALEXANDRIA VA//AMCMI-C//
AUCADRE MAXWELL AFB AL//WGOI//
FOSIF ROTA SP
NAVELECENG SUPACT PHILADELPHIA PA
NAVELECSYSENGACT PORTSMOUTH VA
3480TCHTW GOODFELLOW AFB TX//TTOZ//
CDR USAIA WASHINGTON DC//ZS//
DIS HQS DIR INDUST SEC WASHINGTON DC

UNCLAS
PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS.
SUBJ: MICHELANGELO PC VIRUS WARNING U-1,086/DS-SIM

1. NUMEROUS WARNINGS HAVE BEEN POSTED IN THE PAST WEEKS REGARDING THE VIRUS MICHELANGELO, INCLUDING A PREVIOUS ASSIST MESSAGE 92-1. THE UNIQUENESS OF THE MICHELANGELO VIRUS IS ITS ABILITY TO INFILTRATE THE MANUFACTURING PROCESS. MOST MAJOR REPORTS OF THE MICHELANGELO VIRUS ARE COMING FROM SOFTWARE VENDORS WHO ARE INADVERTENTLY SHIPPING SHRINK WRAPPED SOFTWARE CONTAMINATED BY MICHELANGELO. HOWEVER, MICHELANGELO SHOULD NOT BE VIEWED AS SOME ISOLATED INCIDENT AFTER WHICH THE GUARD CAN BE LET DOWN. THE JERUSALEM, OR FRIDAY THE 13TH, VIRUS IS SET ONCE AGAIN TO EXECUTE ON FRIDAY MARCH 13TH.
THE ENVIRONMENT WE WORK IN HAS VIRUSES OF ALL SHAPES, COLORS AND SIZES AND ONLY VIGILANCE ON THE PART OF EACH INDIVIDUAL USER WILL PRECLUDE THE LOSS OF CRITICAL INFORMATION TO A COMPUTER VIRUS.

2. MICHELANGELO IS, BY MOST ACCOUNTS, SPREADING PREDOMINATELY THROUGH VENDOR DIRECT SHRINK WRAP SOFTWARE. ALL NEW DISKETTES MUST BE CONSIDERED A THREAT TO YOUR COMPUTER PROCESSOR. AS SUCH, EACH DISKETTE MUST BE SCANNED WITH THE LATEST SCANNING SOFTWARE AVAILABLE AT YOUR SITE UPON ITS INTRODUCTION INTO YOUR PROCESSOR.

3. MICHELANGELO IS A BOOT-INFECTOR COMPUTER VIRUS THAT AFFECTS PCS RUNNING DOS (MS-DOS, PC-DOS, DR-DOS, ETC.). THE VIRUS CAN ALSO INFECT AND DO DAMAGE TO MACHINES RUNNING OTHER TYPES OF OPERATING SYSTEMS (UNIX, OS/2, NOVELL, ETC.), BUT WILL NOT SPREAD IN THESE ENVIRONMENTS. THE VIRUS EXECUTES ON ANY MARCH 6TH AND OVERWRITES CRITICAL SYSTEM DATA, INCLUDING BOOT AND FILE ALLOCATION TABLE RECORDS ON THE HARD DISK. DATA THAT IS NOT OVERWRITTEN COULD BE RECOVERED WITH SOME OF THE ADVANCED UTILITIES ON THE MARKET, BUT THIS WOULD BE A DIFFICULT AND TIME CONSUMING PROCESS.

4. THE VIRUS CAN BE DETECTED WHEN RESIDENT IN A PC BY RUNNING THE DOS PROGRAM CHKDSK AND VIEWING ITS "TOTAL BYTES MEMORY" VALUE. A 640K PC WOULD NORMALLY RETURN 655,360 TOTAL BYTES MEMORY. IF CHKDSK RETURNS A VALUE OF 653,312 (2048 LOWER THAN NORMAL), THE PC COULD BE INFECTED WITH MICHELANGELO. THERE ARE ALSO NUMEROUS VIRUS DETECTION/PREVENTION SOFTWARE PACKAGES ON THE MARKET THAT WILL DETECT AND ERADICATE MICHELANGELO. IF YOU ARE NOT SURE THAT THE CURRENT VERSION OF YOUR VIRUS SCANNING SOFTWARE DETECTS MICHELANGELO, CALL THE VENDOR.

5. IF THE VIRUS IS FOUND ON A DODIIS COMPUTER PROCESSOR, THE MALICIOUS CODE SHOULD BE REMOVED BY A LOW LEVEL FORMAT AND ALL FLOPPY DISKETTES AND OTHER SYSTEMS IN THE AREA SCANNED.
OUTSIDE OF THE DODIIS ENVIRONMENT, AND BASED UPON LOCAL COMPUSEC GUIDANCE, THE MALICIOUS CODE MAY BE REMOVED USING A COMMERCIAL CLEAN-UP PROGRAM SUCH AS MCAFEE CLEAN OR THE NORTON ANTIVIRUS.

6. IF ON THE 6TH OF MARCH THE VIRUS EXECUTES ON A CONTAMINATED PC, THE RECOVERY FOR THAT COMPUTER IS A LOW LEVEL FORMAT AND RESTORATION OF FILES FROM TRUSTED BACKUPS.

7. ASSIST REQUESTS IMMEDIATE NOTIFICATION OF MICHELANGELO CONTAMINATIONS IN ANY DOD SYSTEMS. ASSIST CAN BE REACHED 24 HOURS A DAY AT THE NUMBERS BELOW.

8. AS A REMINDER, VIRUS PREVENTION/DETECTION IS A CONTINUING PROCESS. FRIDAY THE 13TH WILL OCCUR ONE WEEK AFTER MICHELANGELO STRIKES AND IS THE KNOWN ACTIVATION DATE FOR SEVERAL VIRUSES, INCLUDING ISRAELINO1, SURIV-3.00 AND JERUSALEM. THE JERUSALEM VIRUS ATTACHES ITSELF TO THE BEGINNING OF A COM FILE OR THE END OF AN EXE FILE. WHEN AN INFECTED FILE IS EXECUTED, THE VIRUS BECOMES MEMORY RESIDENT AND INFECTS ANY COM OR EXE PROGRAM THAT IS RUN. THE VIRUS FINDS THE END OF EXE FILES FROM THE INFORMATION IN THE FILE HEADER, AND IF THIS IS LESS THAN THE ACTUAL FILE LENGTH, THE VIRUS WILL OVERWRITE PART OF THE FILE. AFTER THE SYSTEM HAS BEEN INFECTED FOR 30 MINUTES, ROW 5 COLUMN 5 TO ROW 16 COLUMN 16 ON THE SCREEN ARE SCROLLED UP 2 LINES, CREATING A "BLACK WINDOW." THE SYSTEM THEN SLOWS DOWN DUE TO A TIME-WASTING LOOP INSTALLED ON EACH TIMER INTERRUPT. EVERY PROGRAM WILL BE DELETED FROM AN INFECTED SYSTEM ON THE 13TH DAY OF ANY MONTH THAT IS ALSO A FRIDAY.

9. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE, PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT} OR DIAL DSN 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED.

UNCLASSIFIED
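
Added example, not part of the original ASSIST message: paragraph 8 states that Jerusalem takes the end of an EXE file from the file header and overwrites part of the file when that value is less than the actual file length. The Python code below computes the header-declared length from the standard MZ header fields and reports how many bytes of each file lie past it; the function names and the sample byte strings are constructed for illustration.

```python
import struct

PAGE = 512  # the MZ header counts the file in 512-byte pages


def header_declared_length(data: bytes) -> int:
    """Length in bytes that a DOS EXE (MZ) header claims for the file."""
    if len(data) < 6:
        raise ValueError("too short for an MZ header")
    # offset 0: signature, offset 2: bytes used in last page, offset 4: page count
    magic, last_page_bytes, pages = struct.unpack_from("<2sHH", data, 0)
    if magic not in (b"MZ", b"ZM"):
        raise ValueError("no MZ signature (COM file or other data)")
    if pages == 0:
        raise ValueError("header declares zero pages")
    if last_page_bytes == 0:  # 0 means the final page is completely used
        return pages * PAGE
    return (pages - 1) * PAGE + last_page_bytes


def trailing_bytes_at_risk(data: bytes) -> int:
    """Bytes stored past the header-declared end (0 if none or truncated)."""
    return max(0, len(data) - header_declared_length(data))


def make_exe(declared: int, actual: int) -> bytes:
    """Constructed sample: minimal MZ header claiming `declared` bytes,
    zero-padded to `actual` bytes on disk."""
    pages, last = divmod(declared, PAGE)
    if last:
        pages += 1
    return struct.pack("<2sHH", b"MZ", last, pages).ljust(actual, b"\x00")


def report(files: dict) -> dict:
    """Map name -> bytes past the declared end, or None for non-EXE data."""
    result = {}
    for name, data in files.items():
        try:
            result[name] = trailing_bytes_at_risk(data)
        except ValueError:
            result[name] = None
    return result


# Constructed samples, not taken from any real program.
SAMPLES = {
    "PLAIN.EXE": make_exe(1000, 1000),    # header matches file length
    "OVERLAY.EXE": make_exe(1000, 1800),  # 800 bytes appended past declared end
    "TOOL.COM": b"\xe9\x00\x00" + b"\x90" * 32,  # COM files carry no header
}

if __name__ == "__main__":
    for name, extra in report(SAMPLES).items():
        print(name, "not an EXE" if extra is None else f"{extra} bytes past header end")
```

A non-zero result marks an EXE whose trailing data sits in the region the message describes as overwritten, so those files are the ones to verify against trusted backups first.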