Michelangelo is a virus from 1991 famous for being one of the greatest sources of hysteria in the history of viruses (and probably the greatest in the era before a majority of homes and businesses were connected to the Internet). In spite of having a malicious payload, it did little damage except cause some embarrassment to journalists who avoided the subject of computer viruses for a while after the payload was supposed to activate.

Behavior

Michelangelo is mostly similar to the original Stoned Virus. In addition to infecting the sectors of the original Stoned virus, Michelangelo infects sector 28 on 1.2 megabyte floppy disks. Upon infection, the Michelangelo virus becomes memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return is moved to insure that Michelangelo is not overwritten in memory.

It has a destructive payload that overwrites all data on the hard disk with random characters, making recovery of any data unlikely, if not impossible. It will only do this if the computer is booted on March 6 (the birthday of the artist Michelangelo, ironically, one of the vendors that sold software infected with the virus was DaVinci systems). In addition, the virus does not check if the MBR has been previously infected, therefore if a similar virus has already infected the MBR, it will move the previous virus to the location the original MBR was stored on, making recovery of the MBR impossible.

Some Michelangelo subvariants may display:

   "March6.Tocoto.a": MBF virus * MENEM TOCOTO* B.B.
   "March6.Tocoto.b": MENEM TOCOTO virus 2"00

Variants

There are a few known variants of the Michelangelo virus. Only those that existed around the time of the original received much attention. Michelangelo itself is considered a member of the Stoned family.

Effects

The Michelangelo virus had a destructive payload, however it ended up destroying very little. Like its parent, Stoned, it was commonly found accidentally installed on vendor software disks. The first was a PC Paintbrush update disk from Z-Soft released in October of 1991. In the month that the virus's payload was supposed to activate, Intel shipped a Netspool disk (software for network printers on Novell Netware) infected with Michelangelo. Leading Edge shipped 6,000 PCs with the virus in January of 1992. In all, around 20 companies shipped disks or even computers with the virus.

"Michelangelo Madness"

Michelangelo was one of the first computer viruses to receive a great deal of media attention, with only Datacrime from 1989 causing a comparable amount of hype. This virus was more a study in mass hysteria than virus damage. It caused a great deal of panic, but very little actual damage. Michelangelo in the end only infected a few thousand computers. Though the antivirus industry was often guilty of inflating numbers

The hype started in 1992 January, when a computer manufacturer accidentally shipped 500 computers infected with the virus and on the same day, another announced that it would ship computers with anti-virus software pre-installed. The coincidence raised the interest of the press. United Press International interviewed the "International Partnership Against Computer Terrorism", along with antivirus company president John McAfee and filed a news wire saying that hundreds of thousands of computers may be destroyed by the virus. Data recovery consultant Martin Tibor drew the interest of the press by offering such quotes as "I'm finding virus catastrophes everywhere" and "I see the victims of viruses all the time."

McAfee would later say he made estimates between 50,000 to 5 million and that reporters could "take [their] pick" which they wanted to report (and many opted for 5 million). He said he made the estimate based on a report that 15% of computers across 600 sites had been infected. Though many puff pieces were written about McAfee, he claimed to have lost money. McAfee antivirus distributed a free shareware version with limited functionality and partial support and over the course of the hysteria surrounding the virus, took many support calls. He even called it the worst thing for his business in the short term. After the trigger date, McAfee revised his estimation of computers destroyed by 10,000, a number derived from the number of calls his company received about the virus and assuming it represented 5% of all cases.

In the weeks preceding the payload trigger date, newspapers began to run "local impact" stories. Although some news agencies reported on the hysteria rather than the virus, few did anything to stop it (such as talk to real experts). Significant numbers of computer users bought anti-virus software. Predictions of the number of destroyed computers went into the millions. Some reporters logged onto CompuServe, GEnie, Prodigy, and America Online and posted messages to general message boards asking anyone if they wanted to be interviewed about the virus.

IBM research shows that around March 6, there was a dramatic rise in the number of reports of many different viruses, not just Michelangelo. The Stoned virus and its other variants were much more prevalent than Michelangelo. After the virus failed to destroy millions of computers, reporters asked the more accurate experts why the actual damage was so low and the predictions so high. Both reporters and antivirus vendors claimed the attention drawn to Michelangelo caused people to get their computers scanned, resulting in a much lower impact on the 6th of March. The reporters learned that they had spoken to anti-virus software salesmen rather than virus experts. Few reporters would touch the subject much afterwards, though Newsweek in a post-mortem on the subject (showing the journos' utter cluelessness on the subject) said to "beware of the next round of viruses" such as Maltese Amoeba and the "Mutation Engine" (of course not a virus). For the next 13 days, no newswire touched the subject of computer viruses.

Sources

McAfee Antivirus, Michelangelo

Computer Incident Advisory Capability, Michelangelo Virus on MS DOS Computers. 1992.02.06

Edinburgh University PC Virus Review 1993

IBM Research. Michelangelo Madness

Vmyths.com Computer Viruses and "False Authority Syndrome": The worldwide Michelangelo virus scare of 1992.

Smart Computing, Self-Replicating Code Viruses: Put Them Under The Microscope. 2003.02

Attrition.org, Errata, Certified Pre-owned

CIAC, Viral Infections in Commercial/Government Media/Software. 1996.09

Crypt Newsletter, Number 12, MICHELANGELO HYPE REVISITED: A SKEPTIC'S VIEW