Michelangelo | |
---|---|
Type | Boot sector virus |
Creator | |
Date Discovered | April 1994 |
Place of Origin | |
Source Language | Assembly |
Platform | DOS |
Infection Length | 1 boot sector |
Reported Costs | |
Michelangelo is a virus from 1991 famous for being one of the greatest sources of hysteria in the history of viruses (and probably the greatest in the era before a majority of homes and businesses were connected to the Internet). In spite of having a malicious payload, the actual damage from the virus was negligible compared to the hype in the lead-up to the payload's release. Though it did cause significant damage to some individual sites, its biggest impact was to cause a great deal of embarrassment to journalists, who avoided the subject of computer viruses for a while after the payload was supposed to activate.
Behavior
Michelangelo is mostly similar to the original Stoned virus. In addition to infecting the sectors of the original Stoned virus, Michelangelo infects sector 28 on 1.2 megabyte floppy disks. Upon infection, the Michelangelo virus becomes memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return is moved to ensure that Michelangelo is not overwritten in memory.
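Interrupt 12h reports conventional memory in kilobytes from the BIOS data area word at 0040:0013, so a resident that reserves the top of memory leaves a measurable shortfall there. The C sketch below is an added example, not code from the original page: it takes a snapshot of the first 0x500 bytes of real-mode memory and flags the case where memory is missing and an interrupt vector points into the missing region. The names `check_top_of_memory` and `make_sample` and all sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define BDA_MEM_KB  0x413   /* word at 0040:0013, the value INT 12h returns */
#define IVT_ENTRIES 256
struct resident_check {
    unsigned reported_kb;   /* conventional memory the BIOS reports */
    unsigned missing_kb;    /* expected_kb - reported_kb, 0 if none */
    int vectors_in_gap;     /* IVT entries pointing into the missing region */
    int first_vector;       /* lowest such interrupt number, -1 if none */
};

static unsigned rd16(const uint8_t *p) { return p[0] | (p[1] << 8); }

/* low_mem: snapshot of physical 0x00000..0x004FF (IVT + BIOS data area).
   expected_kb: what INT 12h should return on this machine (640 on a full
   DOS-era PC; lower if the BIOS keeps an extended BIOS data area). */
int check_top_of_memory(const uint8_t *low_mem, size_t len,
                        unsigned expected_kb, struct resident_check *out)
{
    if (!low_mem || !out || len < 0x500) return -1;
    out->reported_kb = rd16(low_mem + BDA_MEM_KB);
    out->missing_kb = out->reported_kb < expected_kb
                    ? expected_kb - out->reported_kb : 0;
    out->vectors_in_gap = 0; out->first_vector = -1;
    uint32_t gap_lo = (uint32_t)out->reported_kb * 1024u;
    uint32_t gap_hi = (uint32_t)expected_kb * 1024u;
    for (int i = 0; i < IVT_ENTRIES; i++) {
        /* each vector is 4 bytes: offset then segment, little-endian */
        uint32_t lin = (uint32_t)rd16(low_mem + i * 4 + 2) * 16u
                     + rd16(low_mem + i * 4);
        if (lin >= gap_lo && lin < gap_hi) {
            if (out->first_vector < 0) out->first_vector = i;
            out->vectors_in_gap++;
        }
    }
    /* suspicious only when memory is missing AND a handler lives there */
    return out->missing_kb > 0 && out->vectors_in_gap > 0;
}

/* Constructed sample, not from a real infection: every vector at F000:0000,
   optionally one vector (0x13, chosen for the sample) at 9F80:0010. */
void make_sample(uint8_t *m, unsigned kb, int hook)
{
    memset(m, 0, 0x500);
    m[BDA_MEM_KB] = (uint8_t)kb; m[BDA_MEM_KB + 1] = (uint8_t)(kb >> 8);
    for (int i = 0; i < IVT_ENTRIES; i++) m[i * 4 + 3] = 0xF0;
    if (hook) { m[0x13 * 4] = 0x10; m[0x13 * 4 + 2] = 0x80; m[0x13 * 4 + 3] = 0x9F; }
}
```

A shortfall alone is not proof of infection, since some BIOSes legitimately reserve the top kilobyte; that is why the check also requires a vector inside the gap.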
The virus has a destructive payload that overwrites all data on the hard disk with random characters, making recovery of any data unlikely, if not impossible. It will only do this if the computer is booted on March 6, the birthday of the artist Michelangelo. (Ironically, one of the vendors that sold software infected with the virus was DaVinci systems.) In addition, the virus does not check if the MBR has been previously infected; therefore, if a similar virus has already infected the MBR, it will move the previous virus to the location where the original MBR was stored, making recovery of the MBR impossible.
Some Michelangelo subvariants may display:
"March6.Tocoto.a": MBF virus * MENEM TOCOTO* B.B.
"March6.Tocoto.b": MENEM TOCOTO virus 2"00
It is uncertain where the Michelangelo virus originates. Most sources say New Zealand, but Sweden and the Netherlands are also a possibility. It was discovered in 1991 April.
Variants
There are a few known variants of the Michelangelo virus. Only those that existed around the time of the original received much attention. Michelangelo itself is considered a member of the Stoned family.
Effects
The Michelangelo virus had a destructive payload; however, it ended up destroying very little. Like its parent, Stoned, it was commonly found accidentally installed on vendor software disks. The first was a PC Paintbrush update disk from Z-Soft released in October of 1991. In the month that the virus's payload was supposed to activate, Intel shipped a Netspool disk (software for network printers on Novell Netware) infected with Michelangelo. Leading Edge shipped 6,000 PCs with the virus in January of 1992. In all, around 20 companies shipped disks or even computers with the virus.
Up to the date of the payload, about 1,300 computers in Germany were allegedly infected, though the number may have been as much as ten times that. Other reports say the same country had around 1,500 computers that lost data. Even the higher estimates by some researchers fell far short of the hype the virus would receive. Scotland Yard reported 167 systems were infected across 30 sites. In the US, a large oil company based in Houston along with 200 small to medium sized businesses were affected. In Japan, the Ministry of International Trade and Industry along with seven companies reported infections and possible damage.
South Africa experienced more than 1,300 cases; worst affected was a network of pharmacists, where 750 computers were found to have the virus. Offices in Cape Town, Johannesburg, and the Natal province were affected. How much data was lost is unclear. AT&T reported 6 possible infections by the time the payload was released out of around a quarter million total computers. Three of those later turned out to be false. Two AT&T computers in New Jersey had some kind of infection around that time that was not proven to actually be Michelangelo.
Michelangelo was accidentally shipped multiple times, and probably holds the record for most times being accidentally shipped. It could be second to or tied with Stoned given the similarities between the two and because Michelangelo is often considered a variant of Stoned, so reports of either virus being released could actually be the other one. That said, reports of an accidental release on commercial software or hardware total around 16 times. This includes:
Accidental Michelangelo Releases | ||
---|---|---|
Date | Company | Product |
OCT-1991 | Z-Soft | PC Paintbrush Update Disk |
11-NOV-1991 | Virtual Reality Lab | Distant Suns Disk |
DEC-1991 | Information Management Consultants | AUVA 350/25 PC Systems |
JAN-1992 | Trident VGA Co. | Easy Data Model 386 Systems |
28-JAN-1992 | Leading Edge Products Inc | PC |
FEB-1992 | Da Vinci Systems | E-Mail 2.0 Demo Disk |
FEB-1992 | Meridian Data Inc. | Extension Software |
MAR-1992 | Intel Corp | LANSpool 3.01 Disk |
MAR-1992 | Symbol Technologies | Preloaded PC |
MAR-1992 | Neural Networks & Fuzzy Systems | Unspecified Book w/ Disk |
MAR-1992 | Chicony Corp | Keyboard Tracking Ball Software Disk |
MAR-1992 | Pionex | Preloaded 386 Pro System |
MAR-1992 | Lotus Development Corp. | CD/Networker LAN Version |
JUL-1992 | Phoenix Data Systems | Diagnostics Disk for Ethernet Board |
AUG-1992 | International Data Systems | Preloaded Model IDS 4331 486 PC |
OCT-1992 | CACI, INC-FEDERAL | Update Disk #48 FAR-TRIEVE |
Data Loss Reports
In Japan, a civil engineering firm lost around $30,000 worth of architectural drawings and other data on 3 computers. A bowling center in a town called Swanton (whether the Swanton in Ohio, Vermont, Maryland, or Nebraska seems to have been lost) lost bowling league data. The New Salem Baptist Church in Kennesaw, Georgia lost some data, but had kept backups. Two computers at Transglobal Distribution, a magazine distributor in Edison, New Jersey lost data, but nothing valuable according to a systems analyst employed there. The daily newspaper Bariloche or Viedma in southern Argentina lost all of its computer records on the day after the payload was to be released because their system clocks were incorrectly set. There were reports that Uruguay's Army Intelligence suffered data loss, something they denied. Scotland Yard reported two companies in Britain had reported data loss, including one in Newcastle, though they declined to name the companies.
"Michelangelo Madness"
Michelangelo was one of the first computer viruses to receive a great deal of media attention, with only Datacrime from 1989 causing a comparable amount of hype. This virus was more a study in mass hysteria than virus damage. It caused a great deal of panic, but very little actual damage. Michelangelo in the end only infected a few thousand computers. Though the antivirus industry was often guilty of inflating numbers
The hype started in 1992 January, when a computer manufacturer accidentally shipped 500 computers infected with the virus and on the same day, another announced that it would ship computers with anti-virus software pre-installed. The coincidence raised the interest of the press. United Press International interviewed the "International Partnership Against Computer Terrorism", along with antivirus company president John McAfee and filed a news wire saying that hundreds of thousands of computers may be destroyed by the virus. Data recovery consultant Martin Tibor drew the interest of the press by offering such quotes as "I'm finding virus catastrophes everywhere" and "I see the victims of viruses all the time."
McAfee would later say he made estimates between 50,000 and 5 million and that reporters could "take [their] pick" which they wanted to report (and many opted for 5 million). He said he made the estimate based on a report that 15% of computers across 600 sites had been infected. Though many puff pieces were written about McAfee, he claimed to have lost money. McAfee antivirus distributed a free shareware version with limited functionality and partial support and, over the course of the hysteria surrounding the virus, took many support calls. He even called it the worst thing for his business in the short term. After the trigger date, McAfee revised his estimation of computers destroyed by 10,000, a number derived from the number of calls his company received about the virus and assuming it represented 5% of all cases.
In the weeks preceding the payload trigger date, newspapers began to run "local impact" stories. Although some news agencies reported on the hysteria rather than the virus, few did anything to stop it (such as talk to real experts). Significant numbers of computer users bought anti-virus software. Predictions of the number of destroyed computers went into the millions. Some reporters logged onto CompuServe, GEnie, Prodigy, and America Online and posted messages to general message boards asking anyone if they wanted to be interviewed about the virus.
IBM research shows that around March 6, there was a dramatic rise in the number of reports of many different viruses, not just Michelangelo. The Stoned virus and its other variants were much more prevalent than Michelangelo. After the virus failed to destroy millions of computers, reporters asked the more accurate experts why the actual damage was so low and the predictions so high. Both reporters and antivirus vendors claimed the attention drawn to Michelangelo caused people to get their computers scanned, resulting in a much lower impact on the 6th of March. The reporters learned that they had spoken to anti-virus software salesmen rather than virus experts. Few reporters would touch the subject much afterwards, though Newsweek in a post-mortem on the subject (showing the journos' utter cluelessness on the subject) said to "beware of the next round of viruses" such as Maltese Amoeba and the "Mutation Engine" (of course not a virus). For the next 13 days, no newswire touched the subject of computer viruses.
Origin
The exact origin of the virus was never found. Taiwan was a suspected origin of the virus but this was never definitively proven. In Europe, the source seemed to be primarily hardware and driver disks imported from East Asia. The words "TOCOTO MENEM" found in the virus body may point to Argentina. At the time of the release, Carlos Menem was the president of Argentina. Michelangelo was discovered on the 4th February 1991 in the shop of Roger Riordan in Melbourne, Australia. He noticed something was wrong after installing a program and seeing a number of unusual symbols on his monitor.
Sources
McAfee Antivirus, Michelangelo
Computer Incident Advisory Capability, Michelangelo Virus on MS DOS Computers. 1992.02.06
Edinburgh University PC Virus Review 1993
IBM Research. Michelangelo Madness
Vmyths.com Computer Viruses and "False Authority Syndrome": The worldwide Michelangelo virus scare of 1992.
Smart Computing, Self-Replicating Code Viruses: Put Them Under The Microscope. 2003.02
Attrition.org, Errata, Certified Pre-owned
CIAC, Viral Infections in Commercial/Government Media/Software. 1996.09
Crypt Newsletter, Number 12, MICHELANGELO HYPE REVISITED: A SKEPTIC'S VIEW
Deutsche Welle, Today in History.
John Markoff. The New York Times, Feared Computer Plague Passes With Very Few Infections. 07-MAR-1993
CIO, IT History: 1992, Michelangelo Virus: Big Threat, Little Damage. 01-MAR-2004
Jeremy Webb, Barry Fox. New Scientist, Michelangelo disappoints the virus hunters. 14-MAR-1992