Michelangelo
Michelangelo
Type Boot sector virus
Creator
Date Discovered 1991.04
Place of Origin
Source Language Assembly
Platform DOS
Infection Length
Reported Costs

Michelangelo is a virus from 1991 famous for being one of the greatest sources of hysteria in the history of viruses (and probably the greatest in the era before a majority of homes and businesses were connected to the Internet). In spite of having a malicious payload, it did little damage except cause some embarrassment to journalists who avoided the subject of computer viruses for a while after the payload was supposed to activate.

Behavior

Michelangelo is mostly similar to the original Stoned Virus. In addition to infecting the sectors of the original Stoned virus, Michelangelo infects sector 28 on 1.2 megabyte floppy disks. Upon infection, the Michelangelo virus becomes memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 12's return is moved to insure that Michelangelo is not overwritten in memory.

It has a destructive payload that overwrites all data on the hard disk with random characters, making recovery of any data unlikely, if not impossible. It will only do this if the computer is booted on March 6 (the birthday of the artist Michelangelo, ironically, one of the vendors that sold software infected with the virus was DaVinci systems). In addition, the virus does not check if the MBR has been previously infected, therefore if a similar virus has already infected the MBR, it will move the previous virus to the location the original MBR was stored on, making recovery of the MBR impossible.

Some Michelangelo subvariants may display:

   "March6.Tocoto.a": MBF virus * MENEM TOCOTO* B.B.
   "March6.Tocoto.b": MENEM TOCOTO virus 2"00

It is uncertain where the Michelangelo virus originates. Most sources say New Zealand, but Sweden and the Netherlands are also a possibility. It was discovered in 1991 April.

Variants

There are a few known variants of the Michelangelo virus. Only those that existed around the time of the original received much attention. Michelangelo itself is considered a member of the Stoned family.

Effects

The Michelangelo virus had a destructive payload, however it ended up destroying very little. Like its parent, Stoned, it was commonly found accidentally installed on vendor software disks. The first was a PC Paintbrush update disk from Z-Soft released in October of 1991. In the month that the virus's payload was supposed to activate, Intel shipped a Netspool disk (software for network printers on Novell Netware) infected with Michelangelo. Leading Edge shipped 6,000 PCs with the virus in January of 1992. In all, around 20 companies shipped disks or even computers with the virus.

"Michelangelo Madness"

Michelangelo was one of the first computer viruses to receive a great deal of media attention, with only Datacrime from 1989 causing a comparable amount of hype. This virus was more a study in mass hysteria than virus damage. It caused a great deal of panic, but very little actual damage. Michelangelo only infected a few thousand computers making it an example of media hype.

The hype started in 1992 January, when a computer manufacturer accidentally shipped 500 computers infected with the virus and on the same day, another announced that it would ship computers with anti-virus software pre-installed. The coincidence raised the interest of the press. United Press International interviewed the "International Partnership Against Computer Terrorism", along with antivirus company president John McAffee and filed a news wire saying that hundreds of thousands of computers may be destroyed by the virus. Data recovery consultant Martin Tibor drew the interest of the press by offering such quotes as "I'm finding virus catastrophes everywhere" and "I see the victims of viruses all the time."

In the weeks preceding the payload trigger date, newspapers began to run "local impact" stories. Although some news agencies reported on the hysteria rather than the virus, few did anything to stop it (such as talk to real experts). Significant numbers of computer users bought anti-virus software. Predictions of the number of destroyed computers went into the millions. Some reporters logged onto CompuServe, GEnie, Prodigy, and America Online and posted messages to general message boards asking anyone if they wanted to be interviewed about the virus.

IBM research shows that around March 6, there was a dramatic rise in the number of reports of many different viruses, not just Michelangelo. The Stoned virus and its other variants were much more prevalent than Michelangelo. After the virus failed to destroy millions of computers, reporters asked the more accurate experts why the actual damage was so low and the predictions so high. The reporters learned that they had spoken to anti-virus software salesmen rather than virus experts. For the next 13 days, no newswire touched the subject of computer viruses.

Sources

McAfee Antivirus, Michelangelo

Computer Incident Advisory Capability, Michelangelo Virus on MS DOS Computers. 1992.02.06

Edinburgh University PC Virus Review 1993

IBM Research. Michelangelo Madness

Vmyths.com Computer Viruses and "False Authority Syndrome": The worldwide Michelangelo virus scare of 1992.

Smart Computing, Self-Replicating Code Viruses: Put Them Under The Microscope. 2003.02

Attrition.org, Errata, Certified Pre-owned

CIAC, Viral Infections in Commercial/Government Media/Software. 1996.09

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License