Multi 1.1 Virus

Virus Name: Multi 1.1 Aliases: V Status: Rare Discovered: March, 1993 Symptoms: .COM & .EXE growth; decrease in total system & available free memory Origin: Unknown Eff Length: 2,560 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: AVTK, F-Prot, Sweep, ViruScan, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, Sweep/N, Innoc, NShld, AVTK/N, NAV/N, NProt, IBMAV/N, LProt Removal Instructions: Delete infected files General Comments: The Multi 1.1 virus was submitted in March, 1993. Its origin or point of isolation is unknown, but it may be from the USSR. Multi 1.1 is a memory resident stealth virus which infect .COM and .EXE programs, including COMMAND.COM. When the first Multi 1.1 infected program is executed, the Multi 1.1 virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupt 24. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,608 bytes. Interrupt 12's return will not have been moved. Once the Multi 1.1 virus is memory resident, it will infect .COM and .EXE programs when they are executed or opened for any reason. Infected programs will have a file length increase of 2,560 bytes, though the file length increase will be hidden when the virus is resident in memory. The virus is located at the end of infected files. The program's date and time in the DOS disk directory listing will not be altered. The following text string is visible within the viral code in Multi 1.1 infected files when the virus is not resident in memory: "MultiVirus(R), Release 1.1, Copyright (c) 1990-92 by" Multi 1.1 is a full stealth virus, and disinfects programs as they are read into memory. As such, anti-viral CRC and checksumming programs may not be able to detect its presence on the system.