Memories of the Michelangelo virus

Filed Under: Featured, Malware

MichelangeloOn Tuesday March 6th 2012, it will have been precisely twenty years since the world held its breath, waiting to see if its computers would boot up.

Because March 6th 1992 was day zero for the Great Michelangelo Virus Scare, the first and probably one of the biggest computer virus scares that the world has ever seen.

For days, the world's media had been predicting a digital disaster on March 6th. Anti-virus luminary John McAfee was even being quoted saying that up to five million PCs around the world could be wiped out by the Michelangelo virus.

Michelangelo newspaper report

Just another boot sector virus

Roger RiordanThe Michelangelo virus was first discovered in February 1991 by Australian veteran anti-virus expert Roger Riordan. Riordan, the brains behind VET, a popular anti-virus program down under, probably didn't think that the virus was particularly special.

Michelangelo was a variant of the Stoned boot sector virus, and there was certainly nothing unusual in the way that it spread that suggested it would be any more trouble than any other virus at the time.

You caught Michelangelo by making the mistake of leaving an infected floppy disk in your PC one evening. The following day, you turn your computer on... whirr.. clunk.. tick tick tick.. and your PC attempts to boot off the floppy disk rather than your hard disk.

Only, it didn't succeed. You would see a message normally saying "Non system disk or disk error", and if the floppy disk had a boot sector virus it would copy itself onto your computer hard drive's MBR.

Now every write-enabled floppy that you access on your computer will become infected with the Michelangelo virus. This was how malware would slowly spread in the early days, before computers were networked together and before most people even had email.

In this way, Michelangelo was capable of infecting the boot sector of floppy disks and the partition sector (also known as Master Boot Record or MBR) of PC hard drives.

But Riordan noticed something interesting in the virus's code. He spotted that the virus would trigger a destructive payload when the computer's clock was set to March 6th.

A ticking clock..

IBM PC CompatibleOn March 6th, the virus was programmed to overwrite the first 17 sectors of every track on infected hard disks, heads zero to four. The consequence of this payload was, of course, painful - you would be hard pressed to recover your data if the virus triggered on your PC.

The irony was, of course, that March 6th was probably the one day in which Michelangelo wouldn't spread effectively, as its payload would be wiping itself out alongside your legitimate data.

Boot sector viruses went the way of the dinosaur as floppy disks became less popular (they are almost never seen today), but for a while in the late 1980s and early 1990s they were the most commonly encountered type of malware.

A virus which could wipe your data, in an era when few computers were networked and backups were more of an inconvenient hassle than they are today, was notable.

But what was really to catch the attention of the media, as news of the virus spread over the coming months and the next March 6th loomed, was the name Riordan gave the virus - "Michelangelo".

A virus by any other name..

Riordan chose the name Michelangelo, after discussing the virus with a friend. It so happened that his friend's birthday was March 6th, who commented that he shared a birthday with the great renaissance artist born in 1475. There is no suggestion that whoever wrote the virus chose the date of its data-wiping payload for that reason or intended for the virus to be named after Michelangelo.

It could just have easily been called "Cyrano" after Cyrano de Bergerac, or "Lizzie" after Elizabeth Barrett-Browning, both of whom share the March 6th birthday. Or even Lou Costello of Abbot & Costello fame.

But Michelangelo it was.

Michelangelo creation

Of course, the media loves a good name for a virus. It helps give colour to what could be a dry, dull, technical story. It also means they might be able to get away from simply using photographs of beige computers and add more exciting images instead.

"Michelangelo", "Stuxnet", "Code Red", "Kama Sutra", "Chernobyl", "The Love Bug", "Anna Kournikova".

In some cases these names were given by the researchers who discovered the malware, in others the public and the media came up with their own name because they were so unsatisfied with the one dreamt up by the anti-virus community.

(For instance, Sophos called the "Anna Kournikova" virus VBS/SST-A. Hardly something to set headlines on fire..)

The history of computer malware might therefore be quite different, if we had chosen to give less romantic/dramatic/memorable names to malware.

The stage was now set for a virus scare of huge proportions.

The Michelangelo virus scare

In the weeks running up to March 6th 1992, the media went potty about the Michelangelo virus.

John McAfee claimed that not only was Michelangelo the third most common computer virus, but also his prediction of up to five million PCs being hit on Michelangelo Day was widely repeated.

And why shouldn't McAfee's thoughts be treated seriously - he was, as far as the media were concerned, the USA's leading expert on computer viruses.

"Thousands of PC's could crash Friday" screamed USA Today. "Deadly Virus Set to Wreak Havoc Tomorrow" was a headline in The Washington Post. Meanwhile the Los Angeles Times declared "Paint It Scary!"

CNN even sent a film crew to McAfee's offices, hoping to catch the disaster on camera.

NewsroundI had my own run-in with the media the day before March 6th. "Newsround", a popular British news programme aimed at children, visited the offices of S&S International - the developers of Dr Solomon's Anti-Virus Toolkit - where I was beavering away coding the first Windows version of their security software.

I remember clearly being asked to do some "stunt typing" on a keyboard, so that it could be used in the news report they were going to broadcast later.

I also remember my then boss, Alan Solomon, pooh-poohing the widely reported notion that millions of computers would be struck by Michelangelo. Dr Solomon's opinion was that although the threat was in the wild, it had been massively over-hyped.

For one thing, few of the media reports mentioned that there was a bug in the virus which meant that it would not trigger on many PC XT-class computers

Remember, this was 1992. Many people still hadn't encountered computer viruses, and there were still plenty of people who considered malware (as it wasn't then termed) to be an urban myth and not running anti-virus software on their PCs.

With the established press warning of the imminent virus disaster, it's no surprise to hear that some vendors sold an awful lot of anti-virus software.

You didn't have to pay, of course. There were free solutions also available. Vesselin Bontchev of the University of Hamburg Virus Test Center reported that he received 28 mailbags containing requests for the VTC's free Michelangelo detection and clean-up tool, after it was announced on German TV by the university's Professor Klaus Brunnstein.

And if you were subscribed to the VIRUS-L computer virus mailing list at the time, then you would have seen constant chatter about the Michelangelo virus, tales of sightings, and disclosures of how different firms had accidentally shipped it onto floppy disks to their customers.

For instance, it was revealed that Intel had managed to ship over 800 floppy disks containing its LANSpool software, but also carrying the Michelangelo virus. The firm, which produced its own anti-virus product, was left with egg on its face when it admitted that it hadn't actually been using it at its duplication site.

One of my favourite postings was about the response from McAfee's arch-rival Symantec, who produced a free version of Norton Anti-Virus purely for the detection and eradication of Michelangelo.

Of course, because Michelangelo only exists in the boot areas of drives, it is really very quick to determine if an infection is present or not. *But* would a user feel comfortable if a scan was done in a second or two? Probably not.. so Norton's free Michelangelo killer spent an age pointlessly scanning all of your .EXE and .COM files too..

Virus-L mailing list

March 5th, 1992

From the Washington Post:

COMPUTER USERS SCRAMBLE TO SABOTAGE MICHELANGELO
Deadly Virus Set to Wreak Havoc Tomorrow
By John Burgess and Sandra Sugawara, Washington Post Staff Writers.

Panicky computer users all over the Washington area scrambling to protect their machines before a highly destructive computer "virus" known as Michelangelo strikes tomorrow.

Local software stores reported yesterday that they were selling out of special programs that detect and remove the virus. Callers were swamping hot lines..

March 6th, 1992

The world held its breath.. and nervously booted-up its computers..

March 7th, 1992

..and it turned out there wasn't that much to worry about.

From the Washington Post:

MICHELANGELO PC VIRUS WASN'T QUITE AN EPIDEMIC
By John Burgess and Sandra Sugawara, Washington Post Staff Writers

The 517th birthday of Michelangelo came and went yesterday and the computer world survived... But yesterday it struck only a smattering of homes and businesses in the Unites States and foreign countries.

Computer specialists credited the relatively light damage to heavy-duty publicity about its ability to wipe out all the data stored on a computer.

Many analysts suggested that the publicity had instilled a healthy fear in millions of computer users who had paid no attention to viruses.

At the anti-virus company I was working at we received probably a few dozen reports of computers that had been hit by Michelangelo's payload.

And even then, it wasn't certain that Michelangelo was to blame. After all, anyone who had a computer problem on March 6th 1992, was probably going to blame it on the virus - considering all of the press hype and exposure there had been in the weeks running up to M-Day.

The aftermath

It's true to say that a lot of computers probably had anti-virus software installed on them because of the Michelangelo scare, and it is believed that the scare did some good because of the number of computers which probably had other malware found on them as a result of the panic.

But it *was* panic. And that's rarely a good thing.

Although some tried to argue that the only reason there hadn't been a much larger number of computers hit by Michelangelo's payload was because of the hysterical reporting of the threat, the truth is that the anti-virus industry was damaged. The newspapers turned on the very people who had told them about the risk, and accused them of exploiting fear in order to sell anti-virus software.

The accusation that anti-virus companies deliberately hype up the risk of malware in order to sell more software was one that was not going to go away. Both customers and the media were likely to be more cynical next time a vendor claimed the end of the world as we know it.

And what of the guy who appeared to claim that up to five million PCs might be hit by Michelangelo?

Well, the virus scare certainly did no harm to John McAfee, whose anti-virus company went public in October 1992, raising $42 million in an initial public stock offering. Not bad for a business which at the time just had a couple of dozen employees, and no doubt assisted by the huge public exposure it had received just six months earlier.

And what of the author of Michelangelo? The person who wrote the virus that scared the world? Well, we still don't know who he or she is. Unlike much malware written today, their virus was written without financial incentive - it was mindless in the damage it caused and appears to have been created purely for the author's amusement.

One wonders what fun can be really had from a virus which marks such a key milestone in malware history as Michelangelo, if you can't ever tell anyone that it was you who created it.

, , , ,

You might like

15 Responses to Memories of the Michelangelo virus

  1. Enoch Rufus · 963 days ago

    I seriously wish, somebody (I mean the real person) should turn up and say, at-least in his/her death-bead, "Guys it was me, who wrote that silly boot virus."

  2. John · 963 days ago

    Sorry, but calling the guy who offered $50 for new viruses, just so his scanner could detect more than the competion, a luminary? Ignis fatuus is more like it, imho. Thanks to this guy we went from 800 unique viruses to 10.000 in a few months... Running a BBS in those days I remember it well...

    • Paul Ducklin · 963 days ago

      I can't speak for Graham, so I'll just project my own reading of this choice of word instead :-)

      "irony (noun, pl. ironies):
      the expression of one's meaning by using language which usually signifies the opposite, often for humorous effect."

      I like your metaphorical maneouvre from "luminary" to "ignis fatuus", by the way. Nicely done, if I may say so.

  3. I was in College when this happened. I was also working at the computer labs at the time, and I was "collecting viruses" on floppy disks !!! I had even put a poster for people with infected diskettes to bring them over to me in exchange for a clean one !

    It was a different world at that time. I still remember all the information about existing viruses was a file called VIRLIST.TXT, a text file that accompanied McAffe anti-virus (for MS DOS !!!)

  4. Alan Solomon · 962 days ago

    I do remember this. And I remember telling people that this was being completely over-hyped, and being unsurprised when the media didn't report that.

    As a result of this, and other media stories back then, I don't take much notice now of media scares in fields that I know nothing about (food etc), because why would they be any more accurate?

  5. Hello,

    "John:" McAfee Associates never paid anyone for sending them a computer virus. We would provide a complimentary copy of our software to use in order to clean up a new virus but that was it. We also sent anyone who requested their floppy diskette back a blank one to replace the one they sent in. That often happened with schools, for some reason. End of story.

    Regards,

    Aryeh Goretsky

  6. John · 961 days ago

    Hi Aryeh,

    According to the stream of new threats coming out of Bulgaria after that I guess those guys thought otherwise. But OK, it was 23 years ago...

    Regards,
    John

    • Hello,

      There were quite a few computer viruses written in the rest of the world, too. Eastern Europe just got a lot of attention because it was not viewed by the West as technologically sophisticated in the late 1980s/early 1990s. Plenty of mathematicians and physicists, yes, but it was viewed that there was a technology gap over there. When sophisticated (by then standards) computer viruses appeared, it was certainly noticed by the antivirus developers of the era.

      Regards,

      Aryeh Goretsky

  7. gmdean · 961 days ago

    Its a bit ironic, Sophos running a story with the central issue of manufacturing scares to sell anti virus software! Just look at its recent coverage of apple issues, all designed to try to scare up business for a user community who don't need Sophos products interfering with their user experience & retarding the performance of their machines!:-P

    • Care to point us towards the offending articles?

      I think most Apple users now accept that there is a malware issue on the Mac (albeit not one as big, by some margin, as the one affecting Windows). Even Apple has introduced rudimentary anti-malware protection into recent versions of Mac OS X, which they have regularly issued updates for.

      Oh, and our anti-virus for Mac is free for home users - so it's a little mean to say we're drumming up business! It *costs* us money to keep those users protected. :)

      Cheers
      Graham

  8. Nigel · 960 days ago

    If I think real hard, I can sort of convince myself that maybe I remember hearing something about the Michelangelo virus in 1992. Maybe. I didn't have time to pay attention to the "news". I was working 12-hour days in an engineering firm that was an all-Mac operation (pretty unusual, for that time). Maybe I just ignored it because it didn't threaten the Mac.

    Not that we were smug about viruses. In those days, Mac users weren't as complacent about malware as they eventually became (to their own detriment). Mac users might have had less exposure to malware than their PC counterparts, but most everyone I knew who was a Mac user in those days had an anti-virus application...and used it.

    Anyhow, when OS X came along, the malware threat did diminish for Mac users...for a while. But the days when Mac OS X users could be cavalier about exposure to malware are over. Sophos AV for Mac has found plenty of evidence to prove that since I installed it last year.

  9. Roger Riordan · 818 days ago

    I was interested to read this article, which gives a pretty good account of the history of the Michelangelo virus, as I remember it. One minor criticism is that if you booted from a floppy you were unlikely to see the "Non system disc ..." message, as it was fairly standard practice then, especially in student circles, for all floppies to be formatted as boot discs, so the computer would boot up normally, and you might not even notice that you had booted from a floppy. This point is demonstrated in the second link below.

    I have put an article giving my version of the story of Michelangelo on my personal website at: http://www.corybas.com/index.php?ident=20C5242I

    And the photo of me above is taken from an article published in the Melbourne newspaper The Age, by coincidence the day before my wife Pat died in 2010: http://www.theage.com.au/entertainment/art-and-de...

    And greetings to my old friends!

    Roger Riordan
    rhsr@corybas.com

  10. Bogwitch · 597 days ago

    Michaelangelo was the first piece of malware I ever detected. I was working for a tech manufacturer at the time and the infection was picked up on 5 1/4 floppy disks which had come direct from a video card manufacturer containing the drivers. I can't remember the AV product I was using at the time!
    I can remember the video card manufacturer!

  11. Christine · 597 days ago

    I remember the Michaelangelo virus scare. I was working for a small firm at the time and had already installed anti-virus software on all the machines prior to the scare. I'm also the proud owner of a copy of the disassembly of the virus which, from a technical standpoint, makes fascinating reading.

  12. Ken · 484 days ago

    There was a simple fix for the Michelangelo virus. on March 5th set your computer time to March 7th. Did this on several computers I had responsibility to maintain. However, I had a couple a PC used for program parts and a summation analog functional test system that we forgot to do. Working at a contract manufacturer, the virus came into the company from one of our customers who sent in a floppy to program an eprom. It then got through out the company. We got a virus removal program after that fact and actually removed the virus from all of our PCs. Still I am lookiing for the individual who wrote that crap so I can have a short discussion with him.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.