
Michelangelo Madness - a chapter in an IBM research report

web.archive.org/web/20080309235614/http://www.research.ibm.com/antivirus/SciPapers/White/VB95/vb95.distrib-node7.html

Michelangelo Madness

The Michelangelo virus was first found in early 1991 in New Zealand. It is a typical infector of diskette boot records and the master boot record of hard disks, with one exception. If an infected system is booted on March 6 of any year, the Michelangelo virus will overwrite parts of the hard disk with random data. This renders the hard disk of the system, and all of its information, inaccessible.

The virus is named Michelangelo not because of any messages in the virus itself, but because one of the first people to analyze it noticed that March 6 is the birthday of the famous artist. The name stuck.

Finding a new virus is not unusual in itself; several dozen new viruses are found each week. Michelangelo was unusual in that it was found in an actual incident, rather than as one of the thousands of viruses gathered by anti-virus workers but as yet unseen in an incident. It was also unusual because it could cause such substantial damage to the information on people's PCs, and because that damage would all happen on a single day.

In the weeks that preceded March 6, 1992, something even more unusual happened. In a fascinating interplay between the media and some parts of the anti-virus industry, the Michelangelo virus became a major news event. News stories warning about Michelangelo's destructive potential were broadcast on major television networks. Articles about it appeared prominently in major newspapers.

As March 6 drew nearer, the stories grew ever more hysterical. The predictions of the number of systems that would be wiped out grew to hundreds of thousands, then millions [12, 13].

When the fateful date came, the predictions of doom turned out to have been a bit inflated. The Michelangelo virus was found on some systems, and probably did destroy data on a few of them. But the worldwide disaster did not occur. Indeed, it was difficult to find any verified incident of destruction of data by Michelangelo in most places [14].

This should not have come as a surprise. Our own research at the time showed that the Michelangelo virus was not very prevalent, and certainly not one of the most common viruses. We estimated that about the same number of systems would have their hard disks crash due to random hardware failures on March 6 as would have their data destroyed by the Michelangelo virus. It is important to keep the risks in perspective.

Michelangelo Madness, as we came to call it, did have a dramatic effect, though not the anticipated one. Concerned about the predictions of widespread damage, people bought and installed anti-virus software in droves. In some locations, lines of people waiting to buy anti-virus software stretched around the block. In other places, stores sold out of their entire supply of anti-virus software during the week leading up to March 6. Around the world, a very large number of people checked their systems for viruses in those few days.

Figure 9 illustrates the effect of this activity. In the two weeks before March 6, 1992, reports of virus incidents shot up to unprecedented levels. Naturally, this was not because viruses were spreading out of control during those two weeks. Rather, infections that had been latent for days or weeks were found, simply because people were looking for them. In environments like that of our sample population, where anti-virus software is widely installed and used, it is likely that these same infections would have been caught anyway in subsequent weeks. But, since so many people checked their systems prior to March 6, the infections were discovered then rather than later.


Figure 9: Michelangelo Madness resulted in many people finding viruses of all kinds.

People did find the Michelangelo virus, but they found far more viruses of other kinds. The Stoned virus, for instance, the most prevalent virus at the time, was found about three times more frequently than was the Michelangelo virus.

In the first few months after Michelangelo Madness, fewer virus incidents were reported than in the few months before it. This is easy to understand. First, virus incidents were caught earlier than they might have been because everyone was looking. Viruses found in the beginning of March might have been found in the beginning of April instead. So one would expect fewer virus incidents to be reported shortly after March 6 that year. Second, viruses were probably found and eliminated even in systems that might not have found them for a very long time. In just a few days, the worldwide population of viruses was decreased. We would expect that the virus population, and hence virus incident reports, would increase again in subsequent months.

Virus incidents did increase after that, but in a way that is rather complicated. We will examine this in more detail in a subsequent section.

Despite the beneficial effects of eliminating some viruses temporarily, the hysteria caused by this event was clearly out of proportion to the risk. Individuals and businesses spent vast sums of money and time warding off a threat that was much smaller than they were led to believe. We hope that those involved learned from the experience -- that our friends in the anti-virus industry will be more careful in saying that they understand viral prevalence when they do not, and that the media will examine predictions of impending doom with a somewhat more critical eye.

source: Computer Viruses: A Global Perspective
