A ‘terrorist’ virus

Michelangelo stirs fears of future shocks

March 16 1992

A ‘terrorist’ virus

Michelangelo stirs fears of future shocks

March 16 1992

A ‘terrorist’ virus


Michelangelo stirs fears of future shocks

Lawyer Howard Dyment had just arrived at his downtown Toronto office on Friday morning when he heard a startled shout from one of his legal secretaries. “It doesn’t work,” exclaimed Deborah Alward. “It doesn’t work.” Dyment said that Alward had turned on a computer terminal and the machine “went clunk, clunk, clunk, and that was it—nothing.” Dyment said that he knew immediately that the machine was infected by the so-called Michelangelo virus, a destructive piece of programming capable of erasing information stored on a floppy disk or on the hard disk inside an IBM or IBM-compatible personal computer.

The cunningly devised virus, which had spread all over the world through infected hardware and software, was designed to become active on one day only, March 6. And despite well-publicized warnings in recent weeks, it disrupted thousands of computers around the world on that date. Dyment said that he narrowly missed losing several years’ worth of valuable records, which were stored on another computer. Still, he added, “I was scared to death for a moment. I never thought it could happen to me.”

With up to 80 million personal computers worldwide vulnerable to viruses, the damage wreaked by Michelangelo was less widespread than some authorities had feared. Most computer owners and users, forewarned by the publicity attending Michelangelo’s approach, were able to take precautions to protect their equipment. Still, the scare drew attention to the proliferation of viruses, a rapidly growing,

global threat to personal computing. Experts have identified more than 1,200 viruses, which, like Michelangelo, affect units manufactured by International Business Machines Corp., the computer giant based in Armonk, N.Y., or by other makers adhering to IBM standards. Indeed, some virus experts predicted that others were timed to strike on Friday, March 13. But Michelangelo presented a greater threat than most of the others. The reason: while most viruses are nuisances, producing harmless, graffiti-like messages on computer screens (“Gotcha,” in one case), Michelangelo was designed to actually destroy a lot of the information stored on disks.

The Michelangelo alert began last April

when a German computer scientist detected it, analysed it and discovered its destructive potential. It got its name when researchers noted that the date on which it was timed to strike, March 6, was the birthday of the great Italian Renaissance artist, born 517 years ago. After that warning, software developers were work-

ing on what the computer insiders call a vaccine—a program designed to detect and kill a specific virus. Computer owners around the world were able to protect themselves either by changing the internal calendars on their computers to avoid March 6 or by scanning their machines and disks with programs designed to detect and kill Michelangelo and other viruses.

But with the potential for damage from existing and future viruses remaining enormous, many computer specialists last week denounced the programmers who create and unleash them on unsuspecting users. Said Eugene Spafford, a computer scientist and authority on viruses at Purdue University in West

Lafayette, Ind.: “Writing these programs is like dumping cholera in a water supply. I view it as terrorist activity.”

Shortly after the workday began in various parts of the world on March 6, reports emerged of computers bitten by Michelangelo. An architectural and civil engineering company in Japan reported losing data and graphics valued at $20,000 to $30,000. In New Zealand, four businessmen told a local computer expert that they lost everything stored on their computers. The editor of an Argentinian daily newspaper in Bariloche, high in the Andes mountains, said that the virus had destroyed 75 per cent of the material filed on its computers that day.

But the largest outbreak was in South Africa, where Michelangelo struck at about 500 small companies with a total of 1,000 computers. The owners were mainly pharmacists, who

had contaminated one another’s systems by sharing floppy disks. In the United States, Michelangelo struck about a dozen companies on Thursday, March 5, likely because their computers’ internal clocks were inaccurate. In Canada, the reported damage inflicted by the virus was limited to less than a dozen companies by the end of the workday on Friday.

Michelangelo’s destructive potential was largely blocked because many computer users began searching for the virus in the weeks leading up to March 6. Among them, municipal officials in Kitchener, Ont., declared Feb. 26 Virus Detection Day. A team of 40 city employees tested 350 municipally owned computers and hundreds of the floppy disks used to store

information in the machines. According to Eric Barton, manager of Kitchener’s technical services department, the team found and destroyed 80 occurrences of six different viruses, including one case of Michelangelo. Said Barton: “It was well worth the effort. Last week, everybody was running around scared. We knew we were clean.”

Private companies were just as vigilant in their search for the virus. Peter Mittler, president of Microset Systems Inc., a Scarborough, Ont., computer support company, said that he scanned his firm’s 10 personal computers and 300 floppy disks with an anti-virus program and found that eight disks, as well as the 10 machines, had been infected. Mittler also had backup copies of the threatened data, which included company accounting records and lists of clients. He promptly sent a Michelangelo advisory by fax to 800 current and prospective clients. Said Mittler: “We had 100 calls back from people asking us for help. It was no joke.” As public concern about the problem spread, some U.S. developers of anti-virus software made available special products designed to counter Michelangelo. Symantec Corp. of Cupertino, Calif., 80 km south of San Francisco, distributed 250,000 free copies of a virusdetection-and-destruction program called the Michelangelo Limited Edition.

With intense media coverage of the scare, previously little-known computer organizations began receiving thousands of telephone inquiries, in some cases from people who did

not even own computers. Robert Bales, executive director of the National Computer Security Association in Mechanicsburg, Pa., 190 km west of Philadelphia, said that the name of his organization, and its telephone number, were mentioned on ABC TV’s Good Morning America show on March 3. Bales said that, as a result, he fielded an estimated 900 calls the same day, 1,500 the next day and 1,300 the day after that. Said Bales: “One guy called and said, ‘I don’t have a computer but I’m worried about my bank’s computers.’ ”

Like most viruses, Michelangelo’s origins are partly shrouded in mystery. Bales and other experts said that the commonly accepted theory is that it is the work of a programmer in either Sweden or the Netherlands. Once released, it spread rapidly. A Dutch police expert on computer fraud, Loek Weerd, said last week that Michelangelo travelled much farther than most viruses because an unidentified Taiwanese software company unwittingly began distributing infected programs. But industry experts say that even in normal circumstances such viruses can travel as quickly as the common cold because of the uncontrolled use and sharing of floppy disks.

Bales said that when one person put an infected floppy disk into a computer, the machine’s hard drive, or internal storage and memory disk, would immediately copy the Michelangelo program. The virus would then jump from the hard drive to any uninfected floppy disk subsequently used in the machine. The newly infected disks would then spread the

virus if they were used in any uncontaminated machine. Sharing of disks is a widespread practice, the experts say, among people who are copying software programs illegally or among employees who are working on joint projects. In Mittler’s case in Scarborough, he said, “We picked it up from somebody bringing a machine in here that had the Michelangelo virus on it. Then we spread it around without knowing it.”

According to Spafford, most viruses are designed to become active at a specified date in the future so that they have time to spread. He said that Michelangelo was likely released by its creator shortly after March 6,1991, giving it almost a year to travel. Undetected contaminations on software or hard disks that were not activated on March 6 can still spread the virus, ready to strike again next March 6.

But despite its prevalence, Michelangelo is not the most common of the 1,200 or so computer viruses discovered to date. That distinction belongs to the so-called Stoned virus, according to a Top 10 list compiled by Symantec Corp. The Stoned virus is activated when a computer is switched on. Instead of the usual program information, a user sees a blank screen and one of several variations of the message, “Your PC now is stoned.” Another virus, Yankee Doodle, becomes active at 5 p.m. on certain days and causes a computer’s speaker system to play that tune. A third virus, the Ping Pong, becomes active at random moments, causing a small round white image to bounce around the screen.

By last fall, the menace had become so widespread that Bales’s National Computer Security Association launched a research project. The association hired a firm to conduct a continent-wide survey of 602 companies, owning a total of 618,000 personal computers.

Slightly more than 60 per cent of the companies reported finding viruses in their machines. In another survey, conducted in early 1991, only 15 per cent of participating companies had encountered viruses.

The spread and sophistication of viruses has,

in turn, led to the proliferation of anti-viral software programs. Bales said that 60 companies around the world now have detection and destruction products available. In a test of 19 of the top products late last year, Bales concluded that a program called Dr. Solomon’s Toolkit, developed by a British company, S&S International, was the best at finding viruses. The next best, he said, was the Virus Buster program developed in Australia by Leprechaun Software International Ltd.

But computer scientists and software experts have not yet determined one critical factor with any precision: the cost incurred by the epidemic. They do agree that viruses have become an expensive problem, even if they do not destroy programs or other stored information. Mario Discepola, vice-president of a Montreal software development company, ND Computer Resources Ltd., said that he spent two hours checking his firm’s 10 personal computers for Michelangelo—finding them clean— and that thousands of other organizations undoubtedly devoted time and manpower to the same job before March 6. “I wish the government would treat this type of mischief a lot more seriously,” said Discepola. “It’s a new type of crime that needs to be addressed. It’s costing us hundreds of millions of dollars.” Meanwhile, in the wake of Michelangelo’s worldwide attack, many computer owners checked their machines again for the potential threat of another attack on Friday the 13th.