Memories of the Michelangelo virus


MichelangeloOn Tuesday March 6th 2012, it will have been precisely twenty years since the world held its breath, waiting to see if its computers would boot up.

Because March 6th 1992 was day zero for the Great Michelangelo Virus Scare, the first and probably one of the biggest computer virus scares that the world has ever seen.

For days, the world’s media had been predicting a digital disaster on March 6th. Anti-virus luminary John McAfee was even being quoted saying that up to five million PCs around the world could be wiped out by the Michelangelo virus.

Michelangelo newspaper report

Just another boot sector virus

Roger RiordanThe Michelangelo virus was first discovered in February 1991 by Australian veteran anti-virus expert Roger Riordan. Riordan, the brains behind VET, a popular anti-virus program down under, probably didn’t think that the virus was particularly special.

Michelangelo was a variant of the Stoned boot sector virus, and there was certainly nothing unusual in the way that it spread that suggested it would be any more trouble than any other virus at the time.

You caught Michelangelo by making the mistake of leaving an infected floppy disk in your PC one evening. The following day, you turn your computer on… whirr.. clunk.. tick tick tick.. and your PC attempts to boot off the floppy disk rather than your hard disk.

Only, it didn’t succeed. You would see a message normally saying "Non system disk or disk error", and if the floppy disk had a boot sector virus it would copy itself onto your computer hard drive’s MBR.

Now every write-enabled floppy that you access on your computer will become infected with the Michelangelo virus. This was how malware would slowly spread in the early days, before computers were networked together and before most people even had email.

In this way, Michelangelo was capable of infecting the boot sector of floppy disks and the partition sector (also known as Master Boot Record or MBR) of PC hard drives.

But Riordan noticed something interesting in the virus’s code. He spotted that the virus would trigger a destructive payload when the computer’s clock was set to March 6th.

A ticking clock..

IBM PC CompatibleOn March 6th, the virus was programmed to overwrite the first 17 sectors of every track on infected hard disks, heads zero to four. The consequence of this payload was, of course, painful – you would be hard pressed to recover your data if the virus triggered on your PC.

The irony was, of course, that March 6th was probably the one day in which Michelangelo wouldn’t spread effectively, as its payload would be wiping itself out alongside your legitimate data.

Boot sector viruses went the way of the dinosaur as floppy disks became less popular (they are almost never seen today), but for a while in the late 1980s and early 1990s they were the most commonly encountered type of malware.

A virus which could wipe your data, in an era when few computers were networked and backups were more of an inconvenient hassle than they are today, was notable.

But what was really to catch the attention of the media, as news of the virus spread over the coming months and the next March 6th loomed, was the name Riordan gave the virus – “Michelangelo”.

A virus by any other name..

Riordan chose the name Michelangelo, after discussing the virus with a friend. It so happened that his friend’s birthday was March 6th, who commented that he shared a birthday with the great renaissance artist born in 1475. There is no suggestion that whoever wrote the virus chose the date of its data-wiping payload for that reason or intended for the virus to be named after Michelangelo.

It could just have easily been called “Cyrano” after Cyrano de Bergerac, or “Lizzie” after Elizabeth Barrett-Browning, both of whom share the March 6th birthday. Or even Lou Costello of Abbot & Costello fame.

But Michelangelo it was.

Michelangelo creation

Of course, the media loves a good name for a virus. It helps give colour to what could be a dry, dull, technical story. It also means they might be able to get away from simply using photographs of beige computers and add more exciting images instead.

“Michelangelo”, “Stuxnet”, “Code Red”, “Kama Sutra”, “Chernobyl”, “The Love Bug”, “Anna Kournikova”.

In some cases these names were given by the researchers who discovered the malware, in others the public and the media came up with their own name because they were so unsatisfied with the one dreamt up by the anti-virus community.

(For instance, Sophos called the “Anna Kournikova” virus VBS/SST-A. Hardly something to set headlines on fire..)

The history of computer malware might therefore be quite different, if we had chosen to give less romantic/dramatic/memorable names to malware.

The stage was now set for a virus scare of huge proportions.

The Michelangelo virus scare

In the weeks running up to March 6th 1992, the media went potty about the Michelangelo virus.

John McAfee claimed that not only was Michelangelo the third most common computer virus, but also his prediction of up to five million PCs being hit on Michelangelo Day was widely repeated.

And why shouldn’t McAfee’s thoughts be treated seriously – he was, as far as the media were concerned, the USA’s leading expert on computer viruses.

“Thousands of PC’s could crash Friday” screamed USA Today. “Deadly Virus Set to Wreak Havoc Tomorrow” was a headline in The Washington Post. Meanwhile the Los Angeles Times declared “Paint It Scary!”

CNN even sent a film crew to McAfee’s offices, hoping to catch the disaster on camera.

NewsroundI had my own run-in with the media the day before March 6th. “Newsround”, a popular British news programme aimed at children, visited the offices of S&S International – the developers of Dr Solomon’s Anti-Virus Toolkit – where I was beavering away coding the first Windows version of their security software.

I remember clearly being asked to do some “stunt typing” on a keyboard, so that it could be used in the news report they were going to broadcast later.

I also remember my then boss, Alan Solomon, pooh-poohing the widely reported notion that millions of computers would be struck by Michelangelo. Dr Solomon’s opinion was that although the threat was in the wild, it had been massively over-hyped.

For one thing, few of the media reports mentioned that there was a bug in the virus which meant that it would not trigger on many PC XT-class computers

Remember, this was 1992. Many people still hadn’t encountered computer viruses, and there were still plenty of people who considered malware (as it wasn’t then termed) to be an urban myth and not running anti-virus software on their PCs.

With the established press warning of the imminent virus disaster, it’s no surprise to hear that some vendors sold an awful lot of anti-virus software.

You didn’t have to pay, of course. There were free solutions also available. Vesselin Bontchev of the University of Hamburg Virus Test Center reported that he received 28 mailbags containing requests for the VTC’s free Michelangelo detection and clean-up tool, after it was announced on German TV by the university’s Professor Klaus Brunnstein.

And if you were subscribed to the VIRUS-L computer virus mailing list at the time, then you would have seen constant chatter about the Michelangelo virus, tales of sightings, and disclosures of how different firms had accidentally shipped it onto floppy disks to their customers.

For instance, it was revealed that Intel had managed to ship over 800 floppy disks containing its LANSpool software, but also carrying the Michelangelo virus. The firm, which produced its own anti-virus product, was left with egg on its face when it admitted that it hadn’t actually been using it at its duplication site.

One of my favourite postings was about the response from McAfee’s arch-rival Symantec, who produced a free version of Norton Anti-Virus purely for the detection and eradication of Michelangelo.

Of course, because Michelangelo only exists in the boot areas of drives, it is really very quick to determine if an infection is present or not. *But* would a user feel comfortable if a scan was done in a second or two? Probably not.. so Norton’s free Michelangelo killer spent an age pointlessly scanning all of your .EXE and .COM files too..

Virus-L mailing list

March 5th, 1992

From the Washington Post:

Deadly Virus Set to Wreak Havoc Tomorrow
By John Burgess and Sandra Sugawara, Washington Post Staff Writers.

Panicky computer users all over the Washington area scrambling to protect their machines before a highly destructive computer "virus" known as Michelangelo strikes tomorrow.

Local software stores reported yesterday that they were selling out of special programs that detect and remove the virus. Callers were swamping hot lines..

March 6th, 1992

The world held its breath.. and nervously booted-up its computers..

March 7th, 1992

..and it turned out there wasn’t that much to worry about.

From the Washington Post:

By John Burgess and Sandra Sugawara, Washington Post Staff Writers

The 517th birthday of Michelangelo came and went yesterday and the computer world survived... But yesterday it struck only a smattering of homes and businesses in the Unites States and foreign countries.

Computer specialists credited the relatively light damage to heavy-duty publicity about its ability to wipe out all the data stored on a computer.

Many analysts suggested that the publicity had instilled a healthy fear in millions of computer users who had paid no attention to viruses.

At the anti-virus company I was working at we received probably a few dozen reports of computers that had been hit by Michelangelo’s payload.

And even then, it wasn’t certain that Michelangelo was to blame. After all, anyone who had a computer problem on March 6th 1992, was probably going to blame it on the virus – considering all of the press hype and exposure there had been in the weeks running up to M-Day.

The aftermath

It’s true to say that a lot of computers probably had anti-virus software installed on them because of the Michelangelo scare, and it is believed that the scare did some good because of the number of computers which probably had other malware found on them as a result of the panic.

But it *was* panic. And that’s rarely a good thing.

Although some tried to argue that the only reason there hadn’t been a much larger number of computers hit by Michelangelo’s payload was because of the hysterical reporting of the threat, the truth is that the anti-virus industry was damaged. The newspapers turned on the very people who had told them about the risk, and accused them of exploiting fear in order to sell anti-virus software.

The accusation that anti-virus companies deliberately hype up the risk of malware in order to sell more software was one that was not going to go away. Both customers and the media were likely to be more cynical next time a vendor claimed the end of the world as we know it.

And what of the guy who appeared to claim that up to five million PCs might be hit by Michelangelo?

Well, the virus scare certainly did no harm to John McAfee, whose anti-virus company went public in October 1992, raising $42 million in an initial public stock offering. Not bad for a business which at the time just had a couple of dozen employees, and no doubt assisted by the huge public exposure it had received just six months earlier.

And what of the author of Michelangelo? The person who wrote the virus that scared the world? Well, we still don’t know who he or she is. Unlike much malware written today, their virus was written without financial incentive – it was mindless in the damage it caused and appears to have been created purely for the author’s amusement.

One wonders what fun can be really had from a virus which marks such a key milestone in malware history as Michelangelo, if you can’t ever tell anyone that it was you who created it.