Threat Description

MultiAni

Details

Aliases:MultiAni, La multi ani
Category:Malware
Type:Virus
Platform:W32

Summary



This boot virus was found in the wild in Italy, Romania, Czech and Finland in December 1996. The virus does not infect the MBR area on hard drives; instead, it infects the DOS boot sector.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



MultiAni transfers only on floppy disks. Only way to get infected from an infected floppy is to attempt to boot from it. After this, all floppies used in the infected machine will get the infection.

Virus replaces the DOS boot sector with a new copy, which is almost identical to a clean boot sector; only a few bytes differ. Rest of the virus is stored later on the first track (on hard drives) or to the root directory area (on floppies).

MultiAni activates in December by random. When it activates, it enters a loop where it displays this text forever:

La multi ani !
  La multi ani !
  La multi ani !
		
		

'La multi ani' is Romanian and means 'Happy new year'.

The virus contains no directly destructive code.

F-Secure anti-virus products disinfect floppies infected by this virus. To disinfect hard drives, boot from a clean floppy with exactly the same operating system and SYS.COM utility and type SYS C:





Technical Details: Peter Szor, F-Secure, 1996


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More