Virus Profile: Michelangelo

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/1/1991
Date Added: 4/15/1991
Origin: Sweden or The Netherlands
Length: 512 Bytes
Type: Virus
Subtype: Boot
DAT Required: 4002
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Michelangelo triggers on March 6. On that date, its payload overwrites data on the system hard disk with random characters, which has the effect of reformatting the disk. The overwrite covers the first 17 sectors of the first 4 sides of the first 250 cylinders, or approximately 8 MB.

Total system and available free memory, as measured by the DOS CHKDSK program, typically decreases by 2,048 bytes.

Methods of Infection

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.

Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.


Stoned.Michelangelo, Stoned.Michelangelo.A

Virus Characteristics

Michelangelo is a memory resident, Master Boot Record (MBR)/Boot Sector infecting virus. It is based on the Stoned virus, though it behaves very differently.

Upon infection, the Michelangelo virus becomes memory resident at the top of system memory but below the 640K DOS boundary. The memory size returned by Interrupt 12h is lowered to ensure that Michelangelo is not overwritten in memory. The original MBR is moved to Side 0, Cylinder 0, Sector 7 on the hard disk.

Once Michelangelo is memory resident, it infects diskette boot sectors as they are accessed. It also infects the hard disk's MBR when the user attempts to access a file on the hard disk.

On 360K 5.25" diskettes, the original boot sector is moved by the virus to sector 11, the last sector in the root directory. On 1.2M 5.25" diskettes, the original boot sector is relocated to sector 28, part of the root directory. Since the original boot sector now resides in the root directory, any entries which were in the overwritten sector of the root directory are lost.
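
Added example (not part of the original profile or of any vendor tool): a Python triage helper for raw disk images that checks the relocation slots described above for a surviving original boot record and maps the March 6 overwrite zone to LBAs. It assumes the floppy sector numbers are 0-based logical sectors, treats any image size other than the two floppy formats as a hard disk, and uses constructed sample images.

```python
SECTOR = 512
# Relocation slots from the profile, as 0-based sector indexes into a raw image.
# Floppy numbers are assumed to be 0-based logical sectors (11 and 28 are then the
# last root-directory sectors of the standard 360K and 1.2M FAT12 layouts).
FLOPPY_SLOTS = {360 * 1024: 11, 1200 * 1024: 28}
HDD_SLOT = 6  # Side 0, Cylinder 0, Sector 7; CHS sector numbers start at 1

def stash_slot(image_size):
    """Sector index where the original boot record is parked for this media size."""
    # Assumption: any size that is not one of the two floppy formats is a hard disk.
    return FLOPPY_SLOTS.get(image_size, HDD_SLOT)

def recover_original(image):
    """Return the parked sector if it still ends in the 55 AA boot signature, else None."""
    off = stash_slot(len(image)) * SECTOR
    sector = image[off:off + SECTOR]
    if len(sector) == SECTOR and sector[510:] == b"\x55\xaa":
        return sector
    return None

def payload_lbas(heads, spt):
    """LBAs in the March 6 overwrite zone: sectors 1-17, sides 0-3, cylinders 0-249.
    Assumes a geometry with at least 4 heads and 17 sectors per track."""
    return {(c * heads + h) * spt + (s - 1)
            for c in range(250) for h in range(4) for s in range(1, 18)}

def make_image(size, slot):
    """Constructed sample: zero-filled image with a dummy boot record parked at `slot`."""
    img = bytearray(size)
    img[slot * SECTOR:(slot + 1) * SECTOR] = b"ORIG".ljust(510, b"\x00") + b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    for label, size in (("360K floppy", 360 * 1024), ("1.2M floppy", 1200 * 1024),
                        ("hard disk", 64 * SECTOR)):
        img = make_image(size, stash_slot(size))
        print(label, "slot", stash_slot(size),
              "recoverable:", recover_original(img) is not None)
    zone = payload_lbas(heads=16, spt=63)  # constructed example geometry
    print("payload zone:", len(zone) * SECTOR, "bytes;",
          "parked MBR inside zone:", HDD_SLOT in zone)
```

Because Sector 7 of Side 0, Cylinder 0 lies within the first 17 sectors of the first track, the parked MBR sits inside the overwrite zone, so this recovery path only works on a disk where the payload has not yet run.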


Variants information
Virus Name | Type | Subtype | Differences
Michelangelo.A | Virus | Boot |
Michelangelo.B | Virus | Boot |
Michelangelo.C | Virus | Boot |
Michelangelo.D | Virus | Boot |
Michelangelo.E | Virus | Boot |
Michelangelo.S | Virus | Boot |

Windows 95/98:
Note for Windows 9x systems: during the boot process, a boot disk created by Windows 95 will access the hard drive for information. Because of this, an image of the virus may be in memory but not active.

To remove the virus, follow these steps:
- If you use the McAfee emergency disk, hit F8 at the starting Windows 95 message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the a:, type

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus-free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

