Multi 1.1 Virus
Virus Name: Multi 1.1
V Status: Rare
Discovered: March, 1993
Symptoms: .COM & .EXE growth;
decrease in total system & available free memory
Eff Length: 2,560 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, F-Prot, Sweep, ViruScan, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
Sweep/N, Innoc, NShld, AVTK/N, NAV/N, NProt, IBMAV/N,
Removal Instructions: Delete infected files
The Multi 1.1 virus was submitted in March, 1993. Its origin or
point of isolation is unknown, but it may be from the USSR. Multi
1.1 is a memory resident stealth virus which infect .COM and .EXE
programs, including COMMAND.COM.
When the first Multi 1.1 infected program is executed, the Multi 1.1
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupt 24. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 2,608 bytes. Interrupt 12's return
will not have been moved.
Once the Multi 1.1 virus is memory resident, it will infect .COM and
.EXE programs when they are executed or opened for any reason.
Infected programs will have a file length increase of 2,560 bytes,
though the file length increase will be hidden when the virus is
resident in memory. The virus is located at the end of infected
files. The program's date and time in the DOS disk directory listing
will not be altered. The following text string is visible within
the viral code in Multi 1.1 infected files when the virus is not
resident in memory:
"MultiVirus(R), Release 1.1, Copyright (c) 1990-92 by"
Multi 1.1 is a full stealth virus, and disinfects programs as they
are read into memory. As such, anti-viral CRC and checksumming
programs may not be able to detect its presence on the system.