Mich II Virus

Virus Name: Mich II Aliases: Michelangelo II V Status: Rare Discovered: July, 1993 Symptoms: .COM file growth; TSR; beeping, message, & system hang Origin: United States Eff Length: 924 Bytes Type Code: PRsC - Parasitic Resident .COM Infector Detection Method: ViruScan, F-Prot, AVTK, Sweep, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, NProt, Sweep/N, IBMAV/N, AVTK/N, NAV/N, LProt, Innoc 4.0+ Removal Instructions: Delete infected programs General Comments: The Mich II virus was received in July, 1993, and is from the United States. Mich II is a memory resident infector of .COM programs, but not COMMAND.COM. Its name is derived from the text within the virus which is displayed on Marth 6th of any year. When the first Mich II infected program is executed, this virus will install itself memory resident as a low system memory TSR of 1,488 bytes. It will have hooked interrupts 21 and 2F. Also at this time, the virus will display the following message: "Bad command or file name" Once memory resident, Mich II will infect one .COM file in the target directory each time a DOS DIR command is issued. Infected programs will have a file length increase of 924 bytes with the virus being located at the beginning of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the Mich II viral code: "It is March 6th, time for MICHELANGELO ][ to trigger." "YES! Another one. This virus is brought to you by:" "CRYPT KEEPER. HAVE PHUN" "*.COM COMMAND.COMIBMBIO.COMIBMDOS.COM" "Bad command or file name" On March 6th of any year, when the first infected program is executed without Mich II being memory resident, the first three lines of text strings above are displayed as a message on the system display. This message is accompanied by beeping, and a system hang will also occur.