Michelangelo (computer virus)
Type: boot-sector virus
Infects: floppy boot sector, hard-disk master boot sector
Platform: x86 (payload only on AT and PS/2 machines)
The Michelangelo virus is a boot-sector virus for DOS systems on AT or PS/2 computers. It was the first computer virus to receive broad coverage in the mass media; in retrospect the term "Michelangelo hysteria" became established.
The virus was not a new development. Michelangelo is derived from the Stoned boot-sector virus, which had been known since 1987 and is also called Marijuana or the New Zealand virus. The code was altered enough that the antivirus programs of the day no longer recognized it.
According to some other sources, Michelangelo was first discovered in New Zealand in April 1991. In a retrospective on the Michelangelo hysteria published in 2017, the magazine c't (Heise) wrote that the virus had been found in February 1991. The author of the malware is unknown.
The virus code contains no signature, version number, date or name. Its discoverer, the Australian engineer and programmer Roger Riordan, noticed that the payload triggers on 6 March. He wanted to name the malware after a friend whose birthday falls on that date; the friend suggested using the name of a well-known person instead, and the birthday of the Renaissance artist Michelangelo turned out to fit. Since there is no fixed nomenclature for computer viruses, several names are in circulation, and antivirus vendors use their own names for malware. Because of the media presence the virus gained in 1992 it is mainly known as "Michelangelo"; other names are Stoned.March6.a and Stoned.Michelangelo.
The virus targets DOS systems, but it does not attack the operating system itself or execute any DOS commands; like most boot-sector viruses it operates almost entirely at the BIOS level, below the operating system. Michelangelo is a variant of the Stoned virus, but large parts of the code were rewritten; it is not a simple patch. It uses no stealth or polymorphic techniques to hide from the user or from virus scanners.
When a suitable computer is booted from an infected medium, Michelangelo reserves two kilobytes of system memory by lowering the conventional-memory size that the BIOS records in the data-area word at 0040h:0013h, and copies its code into the area thus freed at the top of conventional memory. If a hard disk is present, the virus reads the master boot sector and checks whether it is already infected: like Stoned, it compares the first four bytes of the master boot sector with the first bytes of its own code. If they differ, it infects. Michelangelo stores the original master boot sector at track 0, head 0, sector 7. The last 66 bytes of the master boot sector, i.e. the partition table and the boot signature, are copied to the end of the virus code, and the result is written to track 0, head 0, sector 1. After infecting the hard disk, the virus hands control to the original master boot sector.
- On hard disks, the virus moves the original master boot record to cylinder 0, head 0, sector 7.
- On 360 kB floppy disks, the original boot sector is moved to cylinder 0, head 1, sector 3.
- On all other floppy disks, the original boot sector is moved to cylinder 0, head 1, sector 14.
- On a 1.2 MB floppy disk this is the last sector of the root directory.
- On a 1.44 MB floppy disk it is the penultimate sector of the root directory.
- On 720 kB floppy disks, which have only nine sectors per track, this sector does not exist.
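As an added example (not code from the original article and not the virus's own code), the following Python script maps the hiding places listed above onto linear sector numbers for the standard floppy formats, which makes visible why the 720 kB format cannot be infected, and implements a structural check for a raw disk image that follows the hard-disk infection routine described above, together with the matching restore. The floppy geometries and FAT12 layouts are the standard ones; the sample disk image, its dummy bootstrap bytes and its partition entry are constructed for the illustration, and the check is a generic Stoned-family heuristic, not the virus's own four-byte comparison.

```python
"""
Added example, not part of the original article: where a Michelangelo/Stoned-style
infection parks the original boot sector on each medium, and a heuristic check for
a raw disk image that follows the infection routine described above.  Geometries,
FAT12 layouts and the sample image are constructed for this illustration; the check
is a structural heuristic for the Stoned family, not the virus's own 4-byte test.
"""
import struct

SECTOR = 512

# Standard PC floppy formats: (cylinders, heads, sectors/track) and the FAT12 layout
# (reserved sectors, number of FATs, sectors per FAT, root-directory entries).
FLOPPY = {
    "360K":  ((40, 2, 9),  1, 2, 2, 112),
    "720K":  ((80, 2, 9),  1, 2, 3, 112),
    "1.2M":  ((80, 2, 15), 1, 2, 7, 224),
    "1.44M": ((80, 2, 18), 1, 2, 9, 224),
}

# Hiding places from the article: (cylinder, head, sector).
HIDING_PLACE_360K = (0, 1, 3)
HIDING_PLACE_OTHER_FLOPPY = (0, 1, 14)
HIDING_PLACE_HARD_DISK = (0, 0, 7)
HD_BACKUP_LBA = HIDING_PLACE_HARD_DISK[2] - 1   # C0/H0 -> LBA = sector-1 on any geometry


def chs_to_lba(c, h, s, heads, spt):
    """Classic CHS -> LBA translation; sectors are numbered from 1."""
    return (c * heads + h) * spt + (s - 1)


def root_dir_sectors(kind):
    """First and last LBA of the FAT12 root directory for a floppy format."""
    _, reserved, fats, spf, entries = FLOPPY[kind]
    first = reserved + fats * spf
    return first, first + entries * 32 // SECTOR - 1


def hiding_place_lba(kind):
    """LBA of the stashed boot sector, or None if the CHS address does not exist."""
    (cyls, heads, spt), *_ = FLOPPY[kind]
    c, h, s = HIDING_PLACE_360K if kind == "360K" else HIDING_PLACE_OTHER_FLOPPY
    if c >= cyls or h >= heads or s > spt:
        return None                          # e.g. sector 14 on a 9-sector 720K disk
    return chs_to_lba(c, h, s, heads, spt)


def describe_hiding_place(kind):
    """Human-readable location, including where it lands inside the root directory."""
    lba = hiding_place_lba(kind)
    if lba is None:
        return "sector does not exist"
    lo, hi = root_dir_sectors(kind)
    if lo <= lba <= hi:
        return f"LBA {lba}, root directory sector {lba - lo + 1} of {hi - lo + 1}"
    return f"LBA {lba}"


def make_sample_images():
    """Constructed 8-sector image of a clean disk and the same disk after a
    Stoned-style MBR infection (code replaced, partition table kept, original MBR
    stored at LBA 6).  The bootstrap bytes are dummies, not real virus code."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441          # 446 bytes
    # One active FAT16 partition entry; the remaining three entries are empty.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xbf\xfe", 63, 65457)
    table = entry + b"\x00" * 48 + b"\x55\xaa"                  # last 66 bytes
    clean_mbr = boot_code + table
    clean = clean_mbr + b"\x00" * (7 * SECTOR)
    virus_body = b"\xea" + b"\xcc" * 445                         # dummy 446 bytes
    infected = bytearray(clean)
    infected[0:SECTOR] = virus_body + table
    infected[HD_BACKUP_LBA * SECTOR:(HD_BACKUP_LBA + 1) * SECTOR] = clean_mbr
    return clean, bytes(infected)


def check_mbr_backup(image):
    """Heuristic: an infected MBR keeps the original partition table and boot
    signature but has different bootstrap code, and a second boot sector with the
    same partition table sits at C0/H0/S7 (LBA 6).  Returns (suspicious, reason)."""
    mbr = image[:SECTOR]
    backup = image[HD_BACKUP_LBA * SECTOR:(HD_BACKUP_LBA + 1) * SECTOR]
    if mbr[510:] != b"\x55\xaa":
        return False, "sector 0 carries no boot signature"
    if backup[510:] != b"\x55\xaa":
        return False, "no boot-sector image at LBA 6"
    if mbr[446:] != backup[446:]:
        return False, "partition tables differ"
    if mbr[:446] == backup[:446]:
        return False, "sectors identical, looks like a plain copy"
    return True, "bootstrap code replaced, partition table kept, original MBR at LBA 6"


def restore_mbr(image):
    """Clean-up for the Stoned family: copy the stashed original MBR back to LBA 0."""
    fixed = bytearray(image)
    fixed[:SECTOR] = image[HD_BACKUP_LBA * SECTOR:(HD_BACKUP_LBA + 1) * SECTOR]
    return bytes(fixed)


if __name__ == "__main__":
    for kind in FLOPPY:
        print(f"{kind:6s} {describe_hiding_place(kind)}")
    clean, infected = make_sample_images()
    print("clean:   ", check_mbr_backup(clean))
    print("infected:", check_mbr_backup(infected))
    print("restored:", restore_mbr(infected)[:SECTOR] == clean[:SECTOR])
```

On a real image the check only says that the layout matches the Stoned family; a disk cloned with a partition-table-preserving tool can trip it, so confirm with a scanner before writing sector 6 back over sector 0, and take an image first.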
Although the virus is aimed at DOS systems, it can just as easily damage other operating systems, because, like many other viruses, it infects the master boot record of the hard disk. Once a system is infected, every floppy disk the system accesses is infected immediately. On IBM-PC-compatible computers there is no direct way to check whether a floppy disk is in the drive: read and write operations are issued even when the drive is empty and simply return an error. An infection could therefore only spread after the user had actively accessed the drive, and since the virus showed no symptoms most of the time, an infection could easily go unnoticed for years. It was also foreseeable that Michelangelo would die out in the following years because of the way it infects floppy disks: it could not spread effectively on 3.5" disks, and the 5.25" format was already on its way out. The replication code is written for floppy disks with 15 sectors per track and for hard disks. 720 kB 3.5" disks were therefore completely immune to Michelangelo. 1.44 MB HD disks are infected and can pass the infection on when the system boots from them, but after infection they can no longer be read under MS-DOS and must be reformatted (virus-free). Attempts to read them produce the error message:
"General failure reading drive x" (German MS-DOS: "Allgemeiner Fehler beim Lesen von Laufwerk x"). A floppy disk that can no longer be read is of little practical use for spreading a boot-sector virus, which depends on bootable floppy disks that are not write-protected. Computers running DR DOS or Novell DOS 7, however, could read and use such disks without any problem.
The virus contains a logic bomb that goes off on 6 March, the birthday of Michelangelo Buonarroti. There is no reference to the artist in the virus code, and it is generally doubtful that the author intended any connection between the virus and Michelangelo. A more likely scenario is that the virus was a jab at the then better-known Jerusalem virus, which activated a similar payload on every Friday the 13th: 6 March 1992 was exactly one week before Friday, 13 March 1992, so users who believed they could protect themselves from Jerusalem by changing the system date on 12 March would have been hit a week earlier. Another speculation is that the author finished the virus shortly after a 6 March, so that a trigger almost a year away gave Michelangelo the time it needed to spread. Viruses that fire their payload on a fixed day of the year are known as "birthday viruses"; the first version of the CIH virus is another well-known example. Michelangelo checks the system date every time an infected system is booted; if no boot takes place on 6 March, the payload is not triggered, so systems in continuous operation, as was usual for network servers in 1992, escaped the damage. If the booting PC is an AT or a PS/2, the virus overwrites the first 100 sectors of the hard disk with zeros on that date, assuming a geometry of 256 cylinders, 4 heads and 17 sectors per track. Although most of the user data was still physically on the disk, the average user had no way of finding it without the partition table and file-system structures at the start of the disk, so it was effectively lost.
The effects on the individual media in detail:
- On floppy disks, the malicious code first overwrites all sectors of track 0, then track 1, and so on.
- On a 360 kB floppy disk, sectors 1–9 on heads 0 and 1 are destroyed.
- On other floppy types, the first 14 sectors of each track are destroyed.
- On a hard disk, the first 17 sectors of each track on heads 0, 1, 2 and 3 are destroyed.
As the data to overwrite with, Michelangelo uses whatever is at memory location 5000h:0000h. Since the payload runs before the operating system has been loaded, this is most likely a block of zero bytes. If several hard disks are present, Michelangelo overwrites them one after the other, so switching off the computer immediately saved the data on the second disk. Recovery by conventional means was hopeless.
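As an added example (not code from the original article or from the virus), the following Python script models the payload described above and in the list before it, using the geometry the article says the virus assumes for hard disks (256 cylinders, 4 heads, 17 sectors per track) and the per-track description for floppies. It shows why booting on any day other than 6 March is harmless, and what the damage routine actually hits when the real drive geometry differs from the assumed one: the BIOS applies the virus's CHS addresses to the real geometry, so the zeroed sectors form a stripe and the rest of the data survives, which is the situation the paragraph describes as "still on the hard drive but nowhere to be found". The drive and floppy geometries used here are constructed for the illustration.

```python
"""
Added example, not part of the original article: a model of Michelangelo's payload
as described in the text.  The virus walks the hard disk with an assumed geometry of
256 cylinders, 4 heads and 17 sectors per track; on a drive with another geometry
the BIOS maps those CHS addresses elsewhere, so the damage is a stripe rather than a
contiguous block.  The drive geometries used below are constructed for illustration.
"""
import datetime

ASSUMED_CYLINDERS, ASSUMED_HEADS, ASSUMED_SPT = 256, 4, 17   # from the article


def chs_to_lba(c, h, s, heads, spt):
    """Classic CHS -> LBA translation; sectors are numbered from 1."""
    return (c * heads + h) * spt + (s - 1)


def payload_triggers(year, month, day):
    """The logic bomb tests only day and month of the boot date, in every year."""
    d = datetime.date(year, month, day)          # validates the date
    return d.month == 3 and d.day == 6


def hard_disk_damage(cylinders, heads, spt):
    """LBAs zeroed on a hard disk with the given real geometry.

    The virus walks cylinders 0..255, heads 0..3, sectors 1..17 through the BIOS
    disk service; addresses that do not exist on the real drive are skipped,
    as the BIOS would reject them.
    """
    hit = set()
    for c in range(min(ASSUMED_CYLINDERS, cylinders)):
        for h in range(min(ASSUMED_HEADS, heads)):
            for s in range(1, min(ASSUMED_SPT, spt) + 1):
                hit.add(chs_to_lba(c, h, s, heads, spt))
    return hit


def floppy_damage(cylinders, heads, spt):
    """LBAs zeroed on a floppy: track 0 first, then track 1, and so on.  A 360 kB
    disk (9 sectors/track) loses sectors 1-9 on both heads, every other format
    loses the first 14 sectors of each track; min() covers both cases."""
    hit = set()
    for c in range(cylinders):
        for h in range(heads):
            for s in range(1, min(14, spt) + 1):
                hit.add(chs_to_lba(c, h, s, heads, spt))
    return hit


def damage_report(cylinders, heads, spt):
    """Sector count, fraction of the drive, and whether the zeroed area is one
    contiguous block from LBA 0 (true only when the real drive has 4 heads and
    17 sectors per track, i.e. matches the virus's assumption)."""
    hit = hard_disk_damage(cylinders, heads, spt)
    return {
        "sectors": len(hit),
        "fraction": len(hit) / (cylinders * heads * spt),
        "contiguous": hit == set(range(len(hit))),
    }


def simulate_boot(year, month, day, cylinders, heads, spt):
    """Effect of booting an infected AT/PS/2 on the given date: either nothing or
    the set of hard-disk LBAs that get overwritten."""
    if not payload_triggers(year, month, day):
        return set()
    return hard_disk_damage(cylinders, heads, spt)


if __name__ == "__main__":
    # Constructed geometries: an early-1990s MFM drive and a later LBA-translated one.
    for geom in ((615, 4, 17), (1024, 16, 63)):
        print(geom, damage_report(*geom))
    print("5 March:", len(simulate_boot(1992, 3, 5, 1024, 16, 63)), "sectors")
    print("6 March:", len(simulate_boot(1992, 3, 6, 1024, 16, 63)), "sectors")
```

The report for the 16-head, 63-sector drive shows the point of the last sentence in the paragraph above: fewer than two percent of the sectors are zeroed, but they include cylinder 0, head 1, sector 1, where the first DOS partition normally starts, so the boot sector, FATs and root directory are gone while the file contents behind them remain on the platters.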
Situation in 1992
Michelangelo's discoverer, Roger Riordan, wrote a dedicated antivirus program shortly after finding the virus and distributed it as shareware through his software company Cybec. When the British Virus Bulletin first listed Michelangelo in its malware prevalence table in October 1991, IT experts rated the risk as moderate; compared with known viruses the pest offered nothing new. Michelangelo gained international attention in January 1992 when it emerged that some hardware and software manufacturers had accidentally shipped the virus with their products, e.g. Intel's LANSpool print-server software. Only 839 infected floppy disks of the print-server software had been shipped, but the mass media mostly reported far higher numbers. A worse source of infection was probably a contaminated master disk at a Taiwanese disk-duplication plant: the driver disk for the popular Artec mouse picked up Michelangelo there. Around 20,000 of the mice were sold, but what fraction of the disks was infected is unclear. Graphics-card driver disks from the same plant were also infected. Soon the press and news magazines were claiming that 5 to 15 million computers might be infected; in Germany, Reuters joined in and likewise reported millions of infected computers. The youth magazine Bravo ran an article under the lurid headline "Computer owners in fear! Will all computers break on 6 March?". The BSI, Germany's Federal Office for Information Security, set up a special hotline; between 17 February and 1 March 1992 it took around 1,000 calls with general and specific questions about computer viruses and antivirus programs, and it issued an official warning. In February 1992 CERT published guidance on dealing with Michelangelo.
Several experts, including representatives of the Chaos Computer Club, dismissed the whole thing as baseless scaremongering.
Professor Klaus Brunnstein, who at the time headed a virus test centre at the University of Hamburg, took the view that Michelangelo was a serious threat: the virus was very destructive and probably widespread.
On 6 March 1992 the morning news in Germany reported the first cases from Uruguay, where the system clocks of some military computers had been set wrongly, so that Michelangelo's payload had fired prematurely. Over the following days it became clear that there had been only 10,000 to 20,000 cases of data loss worldwide. In Germany 150 affected computers were reported; the first case concerned the business computer of a printing company in Aachen. That was far below what the public had been led to expect.
In retrospect the UK magazine Virus Bulletin rates the overall impact of Michelangelo as "moderate". In the UK, 117 PCs were reported affected. In the United States, where the hysteria was greatest, Dr Solomon's estimated about 7,000 cases and McAfee reported close to 10,000. In South Africa around 1,000 computers in pharmacies were hit because they received a price list in electronic form; the wholesaler had accidentally shipped infected floppy disks.
According to the BSI, the damage in Germany in the following years amounted to around 50 reported cases in 1993 and around 20 in 1994; in both years 6 March fell on a weekend, which is why comparatively few company PCs were affected. The reasons for the unexpectedly small extent of the damage are:
- Michelangelo's spread and infection numbers were far lower than expected; the dubious reporting had painted a false picture of the situation.
- Compared with other viruses of 1992, the known cases plus the unreported ones are not necessarily small. Realistic comparisons are hardly possible, because other viruses with a similar payload and a similar trigger never received the same public attention as Michelangelo.
- Many of those affected had already scanned and cleaned their PCs.
- A presumably not small number of users did not switch their computers on at all on the trigger date, to be on the safe side.
- Other computer owners changed the system date in time to skip the critical day.
- Many server systems run continuously wherever possible, and the payload is only triggered during a boot on 6 March.
The news lost interest and the virus was quickly forgotten. Despite the scenario described above, in which a system stays infected unnoticed for years, hardly any such cases became known up to 1997. In 1998 only two cases were reported to Symantec, and after that nothing more was heard of Michelangelo. Today, susceptible systems are hardly in use any more.
The role of John McAfee
The American John McAfee is often cited as the main cause of the media panic around the Michelangelo virus. In 1991 he was one of the few remaining antivirus vendors. The fantastic figure of 15 million infected computers originally goes back to him, and to this day he is widely criticized for allegedly using this publicity stunt merely to boost his company's sales.
McAfee later explained in another interview that journalists had pressed him for a number. Since he could not and did not want to commit himself, he deliberately gave a vague answer: it could be "5,000 or 15 million infected machines". He was then misquoted, because the media apparently preferred the 15 million; it had not been his intention to cause a panic or to stage an advertising fraud. McAfee's antivirus sales soared in early 1992, with seven million programs sold in that fiscal year, and in the course of the Michelangelo hysteria the boom extended to every other maker of virus scanners.
- Heise.de, c't: 25 years of the Michelangelo virus: a hype with consequences (Detlef Borchers, 3 March 2017), https://www.heise.de/ct/ausgabe/2017-6-25-Jahre-Michelangelo-Virus-ein-Rummel-mit-Folgen-3638531.html
- VirusBulletin.com: Virus Bulletin, October 1991 issue (PDF download)
- Pspl.com: Virus info (memento of 22 September 2008 in the Internet Archive)
- Today-in-history.de: Michelangelo 1992, http://www.today-in-history.de/index.php?what=thmanu&manu_id=1388&lang=en
- TrendMicro.com: The Michelangelo virus, 25 years later, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-michelangelo-virus-25-years-later
- NakedSecurity.Sophos.com: Memories of the Michelangelo virus, https://nakedsecurity.sophos.com/2012/03/05/michelangelo-virus/
- Sophos.com: virus database, Michelangelo (overview), https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Michelangelo.aspx
- HGB-Leipzig.de: The worldwide Michelangelo virus scare of 1992 (Der Fall Michelangelo), https://www.hgb-leipzig.de/~hilko/boot_sector/
- VirusBulletin.com: Throwback Thursday: Michelangelo, graffiti not art (analysis by Fridrik Skulason, January 1992), https://www.virusbulletin.com/virusbulletin/2017/03/throwback-thursday-michelangelo-graffiti-not-art/
- Malware.wikia.org: virus database, Michelangelo, https://malware.wikia.org/wiki/Michelangelo
- CSIE.ntu.edu.tw: Michelangelo: Graffiti Not Art, https://www.csie.ntu.edu.tw/~wcchen/asm98/asm/proj/b85506050/ORIGIN/MICHEL~1.HTM
- InternetX.com: Michelangelo, 25 years after the great virus hysteria, https://www.internetx.com/news/michelangelo-25-jahre-nach-der-grossen-virushysterie/
- Vmyths.com: Truth About Computer Virus Myths & Hoaxes (memento of 12 December 2005 in the Internet Archive)
- SEI/CERT: Recommendations of the CERT regarding Michelangelo, https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496264
- taz.de: Michelangelo, a flabby Master of Disaster, https://taz.de/Michelangelo-schlapper-Master-of-Disaster/!1679068/
- Spiegel.de: Scaremongering with Michelangelo, 2 March 1992, https://www.spiegel.de/spiegel/print/d-9274748.html
- AjrArchive.org: Michelangelo, https://ajrarchive.org/Article.asp?id=1673
- Computerwoche.de: John McAfee turns 70, https://www.computerwoche.de/a/john-mcafee-wird-70,3216026
- WZ.de: John McAfee, software pioneer and sly dog, https://www.wz.de/digital/john-mcafee-software-pionier-und-schlitzohr_aid-30187615
- InfoSecurity-Magazine.com: McAfee and Michelangelo, https://www.infosecurity-magazine.com/blogs/mcafee-michelangelo/
- VirusBulletin.com: Virus Bulletin, January 1992 issue (including the Michelangelo analysis by Fridrik Skulason), PDF download
- Cert.org: Official notes on Michelangelo, February 1992
- DKIA.at: The source code of Michelangelo, text file (English)
- Malware.wikia.org: Michelangelo database entry
- Sophos.com: Michelangelo database entry