Frisk Software International - Technical note #3


                       Recovery from Michelangelo

When the Michelangelo virus activates, it overwrites the first 17 sectors
on heads 0-3 on the first 255 tracks of the hard disk.  Recovery from this may
or may not be possible, depending on two factors.

   Time:  If the virus was allowed to run without interruption when it
          activated, it will have overwritten data on every track, making
          recovery much more complicated than if the user hit reset or
          powered the machine off within seconds of the activation of the
          virus.

   Size of the disk: As the virus only overwrites 17 sectors, disks with a
          large number of sectors on every track (32 sectors, for example)
          will have a large part of their data intact. Also, a disk might
          have (or rather, appear to have, from the BIOS' point of view) a
          large number of heads, perhaps 64, or more than 255 tracks, but
          as described before, the virus will only destroy data on the
          first 4 heads and the first 255 tracks.
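The two factors above can be turned into a damage map before anything is read back. The following is an added example, not code from the original note: it uses the note's own figures (17 sectors per track, heads 0-3, the first 255 tracks) and converts a logical sector number to the BIOS cylinder/head/sector address the virus works in. The disk geometries used in the calls are assumptions for illustration, and the `tracks_completed` parameter models the "Time" factor, i.e. a reset after the virus had finished only some of the tracks.

```python
# Added example: map which sectors fall inside the region Michelangelo
# overwrites. Figures below are the ones stated in the note.
VIRUS_SECTORS_PER_TRACK = 17   # sectors 1..17 of each affected track
VIRUS_HEADS = 4                # heads 0..3
VIRUS_TRACKS = 255             # tracks (cylinders) 0..254


def lba_to_chs(lba, heads, spt):
    """Convert a 0-based logical sector number to (cylinder, head, sector).
    Sector numbers are 1-based, as in the BIOS INT 13h convention."""
    cylinder, rem = divmod(lba, heads * spt)
    head, sector0 = divmod(rem, spt)
    return cylinder, head, sector0 + 1


def sector_is_damaged(cylinder, head, sector, tracks_completed=VIRUS_TRACKS):
    """True if the virus's overwrite pass reaches this CHS address.
    tracks_completed < VIRUS_TRACKS models a reset or power-off that
    stopped the virus before it got through all 255 tracks."""
    return (cylinder < min(tracks_completed, VIRUS_TRACKS)
            and head < VIRUS_HEADS
            and sector <= VIRUS_SECTORS_PER_TRACK)


def lba_is_damaged(lba, heads, spt, tracks_completed=VIRUS_TRACKS):
    """Convenience wrapper: is logical sector `lba` inside the damaged area?"""
    return sector_is_damaged(*lba_to_chs(lba, heads, spt), tracks_completed)


def damage_summary(heads, spt, cylinders, tracks_completed=VIRUS_TRACKS):
    """Count overwritten sectors and the fraction of the disk left intact.
    (Assumed geometry is passed in; a real disk's geometry comes from the
    BIOS or the partition table.)"""
    total = heads * spt * cylinders
    damaged = (min(tracks_completed, VIRUS_TRACKS, cylinders)
               * min(heads, VIRUS_HEADS)
               * min(spt, VIRUS_SECTORS_PER_TRACK))
    return {"total": total, "damaged": damaged,
            "intact_fraction": 1 - damaged / total}


def damaged_lba_ranges(heads, spt, cylinders, tracks_completed=VIRUS_TRACKS):
    """(first_lba, last_lba) runs a recovery tool must treat as lost; every
    sector outside these runs can be read back as-is."""
    runs = []
    for cyl in range(min(tracks_completed, VIRUS_TRACKS, cylinders)):
        for head in range(min(heads, VIRUS_HEADS)):
            first = (cyl * heads + head) * spt
            runs.append((first, first + min(spt, VIRUS_SECTORS_PER_TRACK) - 1))
    return runs


if __name__ == "__main__":
    # Assumed geometry: 16 heads, 63 sectors/track, 1024 cylinders.
    print(damage_summary(16, 63, 1024))
    # Same disk, but the machine was reset after the virus finished 10 tracks.
    print(damage_summary(16, 63, 1024, tracks_completed=10))
```

On a disk with 32 sectors per track and 64 heads, sector 17 of every affected track and everything on heads 4 and up survives, which is exactly the "size of the disk" case the note describes; with 4 heads and 17 sectors per track, the damaged region is the whole disk.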

The fastest method to recover would probably be to re-partition the disk,
re-format and restore yesterday's backup.  However, as the users who make
backups every day may not be the ones who are most likely to be hit by the
virus, we will assume that no backups exist.

We will also assume that the person trying to restore the data is thoroughly
familiar with partition layouts, disk editors and other similar tools.  In
my personal opinion, the best tool for doing this by hand is NU (Norton
Utilities), version 4.5, rather than versions 5 and later.

If not, don't try this: send the disk to a professional data recovery
service.

Finally, we will assume this is a "normal" disk - not a "fancy" one like a
HPFS/Stacker/Doublespace volume.

The virus will always have trashed the MBR (head 0, track 0, sector 1), which
needs to be rebuilt, usually by hand; but if one restores the rest first,
a program like NDD (Norton Disk Doctor) should be able to reconstruct it.

The first step is to "map" the disk, and determine the extent of the damage.

As DOS keeps two copies of the FAT, there is a chance that the second one is
intact, but the virus usually trashes the first one.  Locate the second one
(if you don't know what an intact FAT looks like, you probably should not be
doing this anyhow), and if it is OK, just copy it over the first one.
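What "an intact FAT looks like" can be stated as a check, and the copy can be done on a raw image of the partition rather than with a disk editor. The following is an added example and not code from the original note or from NU: it assumes a FAT16 volume with 512-byte sectors, and because the boot sector is gone, the layout figures (reserved sectors, sectors per FAT, cluster count) are supplied by hand rather than read from it. The image it operates on is constructed inline; work on a sector-level copy of the real disk, never on the original.

```python
# Added example: compare the two FAT16 copies in a raw partition image and
# copy the plausible one over the trashed one.
import struct

BYTES_PER_SECTOR = 512


def fat16_looks_intact(fat, total_clusters):
    """Heuristic sanity check for one FAT16 copy: entry 0 must hold the
    hard-disk media descriptor 0xF8 padded with 0xFF, entry 1 must be the
    0xFFFF end marker, and every cluster entry must be free (0), bad
    (0xFFF7), end-of-chain (0xFFF8-0xFFFF) or point to a cluster that
    actually exists on the volume."""
    if len(fat) < 4:
        return False
    entries = struct.unpack("<%dH" % (len(fat) // 2), fat[:len(fat) & ~1])
    if entries[0] != 0xFFF8 or entries[1] != 0xFFFF:
        return False
    max_cluster = total_clusters + 1     # data clusters are numbered from 2
    for value in entries[2:max_cluster + 1]:
        if value == 0 or value >= 0xFFF7:
            continue
        if not 2 <= value <= max_cluster:
            return False
    return True


def repair_fat_copies(image, reserved_sectors, sectors_per_fat, total_clusters):
    """Locate FAT1 and FAT2 in `image` (a bytearray of the partition). If
    exactly one copy passes the check, overwrite the other with it.
    Returns a short description of what was done."""
    fat_len = sectors_per_fat * BYTES_PER_SECTOR
    off1 = reserved_sectors * BYTES_PER_SECTOR
    off2 = off1 + fat_len
    fat1 = bytes(image[off1:off1 + fat_len])
    fat2 = bytes(image[off2:off2 + fat_len])
    ok1 = fat16_looks_intact(fat1, total_clusters)
    ok2 = fat16_looks_intact(fat2, total_clusters)
    if ok1 and ok2:
        return "both intact" if fat1 == fat2 else "both plausible but differ"
    if ok2:
        image[off1:off1 + fat_len] = fat2
        return "copied FAT2 over FAT1"
    if ok1:
        image[off2:off2 + fat_len] = fat1
        return "copied FAT1 over FAT2"
    return "neither copy usable"


def build_sample_image(total_clusters=64, reserved_sectors=1, sectors_per_fat=1):
    """Constructed sample: one reserved sector, then a FAT1 full of junk
    (standing in for what the virus left), then an intact FAT2 describing
    the chain 2->3->end, a one-cluster file at 4 and a bad cluster at 5."""
    fat = bytearray(sectors_per_fat * BYTES_PER_SECTOR)
    struct.pack_into("<HH", fat, 0, 0xFFF8, 0xFFFF)
    for cluster, value in ((2, 3), (3, 0xFFFF), (4, 0xFFFF), (5, 0xFFF7)):
        struct.pack_into("<H", fat, cluster * 2, value)
    junk = bytes((i * 37 + 11) & 0xFF for i in range(len(fat)))
    return bytearray(reserved_sectors * BYTES_PER_SECTOR) + junk + fat


if __name__ == "__main__":
    img = build_sample_image()
    print(repair_fat_copies(img, 1, 1, 64))   # copied FAT2 over FAT1
```

The check deliberately refuses a FAT whose entries point outside the volume, which is what overwritten sectors typically produce; it does not prove the surviving copy is current, only that it is structurally a FAT.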

Examine the root directory.  If it is OK, fine; if not, then you need to
re-build it by locating other directories on the disk, noting their
starting cluster and re-creating the root directory entries.
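Locating the other directories is mechanical: every subdirectory on a FAT volume begins with a "." entry (its own starting cluster) and a ".." entry (its parent's, which is 0 for the root). The following is an added example, not code from the original note: it scans a raw image for such pairs and builds root directory entries for every directory whose parent is the root. The subdirectory names are stored only in the (lost) root directory, so placeholder names are assigned; the sample image is constructed inline and the sector positions in it are assumptions.

```python
# Added example: find subdirectories by their "."/".." entries and rebuild
# the root directory entries that point at them (FAT12/FAT16 layout).
import struct

SECTOR = 512
ENTRY = 32
ATTR_DIRECTORY = 0x10
DOT = b".          "       # name field of the "." entry (11 bytes)
DOTDOT = b"..         "    # name field of the ".." entry


def make_dir_entry(name11, attr, cluster):
    """32-byte directory entry: name, attribute, 14 bytes of time/date and
    reserved fields (left zero), first-cluster low word, file size 0."""
    return name11 + bytes([attr]) + bytes(14) + struct.pack("<HI", cluster, 0)


def find_subdirectories(image):
    """Scan every sector boundary for a '.'/'..' pair. Returns a list of
    (own_cluster, parent_cluster, sector_lba) triples."""
    found = []
    for lba in range(len(image) // SECTOR):
        off = lba * SECTOR
        dot = image[off:off + ENTRY]
        dotdot = image[off + ENTRY:off + 2 * ENTRY]
        if (dot[:11] == DOT and dotdot[:11] == DOTDOT
                and dot[11] & ATTR_DIRECTORY and dotdot[11] & ATTR_DIRECTORY):
            own = struct.unpack_from("<H", dot, 26)[0]
            parent = struct.unpack_from("<H", dotdot, 26)[0]
            found.append((own, parent, lba))
    return found


def rebuild_root_entries(image):
    """Directory entries for a new root directory: one per subdirectory
    whose '..' points at cluster 0. Names DIR00001, DIR00002, ... are
    placeholders; the real names were lost with the root directory."""
    entries = b""
    n = 0
    for own, parent, _ in sorted(find_subdirectories(image)):
        if parent != 0:
            continue            # nested directory, reachable via its parent
        n += 1
        name = ("DIR%05d" % n).encode().ljust(8) + b"   "
        entries += make_dir_entry(name, ATTR_DIRECTORY, own)
    return entries


def build_sample_image():
    """Constructed 16-sector image: sector 0 (the root) is junk, and three
    subdirectories sit at assumed sectors 4, 8 and 12. Clusters 2 and 4
    hang off the root; cluster 6 is nested inside cluster 2."""
    image = bytearray(16 * SECTOR)
    image[0:SECTOR] = bytes((i * 7 + 3) & 0xFF for i in range(SECTOR))
    layout = {4: (2, 0), 8: (4, 0), 12: (6, 2)}   # sector -> (own, parent)
    for lba, (own, parent) in layout.items():
        off = lba * SECTOR
        image[off:off + ENTRY] = make_dir_entry(DOT, ATTR_DIRECTORY, own)
        image[off + ENTRY:off + 2 * ENTRY] = make_dir_entry(DOTDOT, ATTR_DIRECTORY, parent)
    return image


if __name__ == "__main__":
    img = build_sample_image()
    print(find_subdirectories(img))          # [(2, 0, 4), (4, 0, 8), (6, 2, 12)]
    print(len(rebuild_root_entries(img)) // ENTRY, "root entries rebuilt")
```

Files in the root directory cannot be recovered this way, since nothing else on the disk refers to them; the scan only gives back the directory tree, which is what the note's procedure recreates.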

You need to re-construct the DOS boot sector too.  The best way (assuming you
don't have a backup of it) is to copy it from a different machine with
identical partitioning, but it can also be re-built manually, or in some
cases reconstructed by NDD; however, then you would have to reconstruct the
MBR first.

In other words: Recovering from Michelangelo is not easy, but an attack does
not have to be a complete disaster.
