Summary

This boot virus was found in the wild in Italy, Romania, Czech and Finland in December 1996. The virus does not infect the MBR area on hard drives; instead, it infects the DOS boot sector.

Additional Details

MultiAni transfers only on floppy disks. Only way to get infected from an infected floppy is to attempt to boot from it. After this, all floppies used in the infected machine will get the infection.

Virus replaces the DOS boot sector with a new copy, which is almost identical to a clean boot sector; only a few bytes differ. Rest of the virus is stored later on the first track (on hard drives) or to the root directory area (on floppies).

MultiAni activates in December by random. When it activates, it enters a loop where it displays this text forever:

La multi ani ! La multi ani ! La multi ani !
'La multi ani' is Romanian and means 'Happy new year'.

The virus contains no directly destructive code.

F-Secure anti-virus products disinfect floppies infected by this virus. To disinfect hard drives, boot from a clean floppy with exactly the same operating system and SYS.COM utility and type SYS C:

[Analysis: Peter Szor, F-Secure], 1996