Classification

Category :

Malware

Type :

Virus

Aliases :

MultiAni, La multi ani

Summary

This boot virus was found in the wild in Italy, România, Czech and Finland in December 1996. The virus does not infect the MBR area on hard drives; instead, it infects the DOS boot sector.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

MultiAni transfers only on floppy disks. Only way to get infected from an infected floppy is to attempt to boot from it. After this, all floppies used in the infected machine will get the infection.

Virus replaces the DOS boot sector with a new copy, which is almost identical to a clean boot sector; only a few bytes differ. Rest of the virus is stored later on the first track (on hard drives) or to the root directory area (on floppies).

MultiAni activates in December by random. When it activates, it enters a loop where it displays this text forever:

La multi ani !
 La multi ani !
 La multi ani ! 		 		

'La multi ani' is Românian and means 'Happy new year'.

The virus contains no directly destructive code.

F-Secure anti-virus products disinfect floppies infected by this virus. To disinfect hard drives, boot from a clean floppy with exactly the same operating system and SYS.COM utility and type SYS C: