Malware of the 90s: Remembering the Michelangelo and Melissa viruses

Our trip down the malware memory lane takes us all the way back to the 1990s

Our trip down the malware memory lane takes us all the way back to the 1990s

Every Monday in November we will be dipping into the history books and remembering some of the most infamous computer threats, starting with the 1980s and continuing through to the current day as we continue to mark Antimalware Day and also as part of the celebration of International Security Day, which is on November 30.

We started this series remembering the Brain computer virus and the Morris worm, and this time we will stop at two well-remembered threats of the 90s — the Michelangelo and Melissa viruses.

Michelangelo virus

Discovered in 1991, the Michelangelo virus was designed to infect DOS systems, more specifically the master boot record of the hard disk and the boot sector of floppy disks.

The peculiarity of this virus, written in Assembler, is that it had a time-bomb feature: it activated on March 6 of any year, a date that happened to coincide with the birth of Renaissance artist Michelangelo. This connection led researchers to decide on the name for the virus once it was discovered.

When Michelangelo believed it was the date to deliver its payload, it would completely overwrite any diskettes present; on the first hard drive, the virus would overwrite a relatively small — but critical — area with random characters, making information retrieval practically impossible. But it only worked if the computer was running when the virus thought the date was March 6; otherwise, the payload was not triggered.  Indeed, recommendations at the time were either to leave your computer turned off on that day, or to reset the system clock so that the computer thought it was not March 6.  Of course, far better was to remove the virus in the first place!

Michelangelo was a variant of the Stoned virus. And although it is not known what the origin of this virus was, some speculated that it may have been created in Australia or New Zealand, although there was also the theory that it could have been developed in Sweden, Denmark or Holland.

One US citizen in the antivirus industry estimated (without corroborating evidence) that by March 6, 1992, Michelangelo would have managed to infect more than five million computers around the world, which generated much excitement and coverage in the media of the day. An article published in the Los Angeles Times at the time claimed that the virus infected a small architectural and civil engineering company in Japan. That lost data represented an economic loss valued between US$20,000 and US$30,000 for that company alone.

Melissa virus

The Melissa virus was a macro virus that began to spread on March 26th, 1999. It was the first virus that used electronic mail to spread on a large scale, and in a short time it became – at that period – the fastest spreading virus of all time.

A message that was sent by the virus itself, from the email account of a friend or colleague – or at least someone who had the recipient’s email address in his or her addressbook – with the subject “Important Message From <username>”, included a malicious Microsoft Word attachment.

The virus was designed to send a malicious email to the first 50 addresses in each of the address books of each user who received it; although those emails would only be sent if Microsoft Outlook was installed and configured to send email on the computer. In addition, each infected computer would attempt to send out 50 additional emails, at the minimum, which in turn might infect another 50 computers, and so on. Once activated, the virus occasionally modified the user’s document by adding comments from the popular television series The Simpsons and might inadvertently send confidential information located on the computer to subsequent potential victims.

In the United States, it is estimated that Melissa caused losses of more than US$80 million. Its creator was David L. Smith, an American citizen, who pleaded guilty in court and received 20 months in prison and a fine of US$5,000.


Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center